summaryrefslogtreecommitdiffstats
path: root/tools/testing/selftests/net/vrf_strict_mode_test.sh
blob: 18b982d611def3dc0fcbd09f5b4611172ea761ff (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0

# This test is designed for testing the new VRF strict_mode functionality.

ret=0

# identifies the "init" network namespace which is often called root network
# namespace.
INIT_NETNS_NAME="init"

PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no}

log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"

	if [ ${rc} -eq ${expected} ]; then
		nsuccess=$((nsuccess+1))
		printf "\n    TEST: %-60s  [ OK ]\n" "${msg}"
	else
		ret=1
		nfail=$((nfail+1))
		printf "\n    TEST: %-60s  [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read a
			[ "$a" = "q" ] && exit 1
		fi
	fi
}

print_log_test_results()
{
	if [ "$TESTS" != "none" ]; then
		printf "\nTests passed: %3d\n" ${nsuccess}
		printf "Tests failed: %3d\n"   ${nfail}
	fi
}

log_section()
{
	echo
	echo "################################################################################"
	echo "TEST SECTION: $*"
	echo "################################################################################"
}

ip_expand_args()
{
	local nsname=$1
	local nsarg=""

	if [ "${nsname}" != "${INIT_NETNS_NAME}" ]; then
		nsarg="-netns ${nsname}"
	fi

	echo "${nsarg}"
}

vrf_count()
{
	local nsname=$1
	local nsarg="$(ip_expand_args ${nsname})"

	ip ${nsarg} -o link show type vrf | wc -l
}

count_vrf_by_table_id()
{
	local nsname=$1
	local tableid=$2
	local nsarg="$(ip_expand_args ${nsname})"

	ip ${nsarg} -d -o link show type vrf | grep "table ${tableid}" | wc -l
}

add_vrf()
{
	local nsname=$1
	local vrfname=$2
	local vrftable=$3
	local nsarg="$(ip_expand_args ${nsname})"

	ip ${nsarg} link add ${vrfname} type vrf table ${vrftable} &>/dev/null
}

add_vrf_and_check()
{
	local nsname=$1
	local vrfname=$2
	local vrftable=$3
	local cnt
	local rc

	add_vrf ${nsname} ${vrfname} ${vrftable}; rc=$?

	cnt=$(count_vrf_by_table_id ${nsname} ${vrftable})

	log_test ${rc} 0 "${nsname}: add vrf ${vrfname}, ${cnt} vrfs for table ${vrftable}"
}

add_vrf_and_check_fail()
{
	local nsname=$1
	local vrfname=$2
	local vrftable=$3
	local cnt
	local rc

	add_vrf ${nsname} ${vrfname} ${vrftable}; rc=$?

	cnt=$(count_vrf_by_table_id ${nsname} ${vrftable})

	log_test ${rc} 2 "${nsname}: CANNOT add vrf ${vrfname}, ${cnt} vrfs for table ${vrftable}"
}

del_vrf_and_check()
{
	local nsname=$1
	local vrfname=$2
	local nsarg="$(ip_expand_args ${nsname})"

	ip ${nsarg} link del ${vrfname}
	log_test $? 0 "${nsname}: remove vrf ${vrfname}"
}

config_vrf_and_check()
{
	local nsname=$1
	local addr=$2
	local vrfname=$3
	local nsarg="$(ip_expand_args ${nsname})"

	ip ${nsarg} link set dev ${vrfname} up && \
		ip ${nsarg} addr add ${addr} dev ${vrfname}
	log_test $? 0 "${nsname}: vrf ${vrfname} up, addr ${addr}"
}

read_strict_mode()
{
	local nsname=$1
	local rval
	local rc=0
	local nsexec=""

	if [ "${nsname}" != "${INIT_NETNS_NAME}" ]; then
		# a custom network namespace is provided
		nsexec="ip netns exec ${nsname}"
	fi

	rval="$(${nsexec} bash -c "cat /proc/sys/net/vrf/strict_mode" | \
		grep -E "^[0-1]$")" &> /dev/null
	if [ $? -ne 0 ]; then
		# set errors
		rval=255
		rc=1
	fi

	# on success, rval can be only 0 or 1; on error, rval is equal to 255
	echo ${rval}
	return ${rc}
}

read_strict_mode_compare_and_check()
{
	local nsname=$1
	local expected=$2
	local res

	res="$(read_strict_mode ${nsname})"
	log_test ${res} ${expected} "${nsname}: check strict_mode=${res}"
}

set_strict_mode()
{
	local nsname=$1
	local val=$2
	local nsexec=""

	if [ "${nsname}" != "${INIT_NETNS_NAME}" ]; then
		# a custom network namespace is provided
		nsexec="ip netns exec ${nsname}"
	fi

	${nsexec} bash -c "echo ${val} >/proc/sys/net/vrf/strict_mode" &>/dev/null
}

enable_strict_mode()
{
	local nsname=$1

	set_strict_mode ${nsname} 1
}

disable_strict_mode()
{
	local nsname=$1

	set_strict_mode ${nsname} 0
}

disable_strict_mode_and_check()
{
	local nsname=$1

	disable_strict_mode ${nsname}
	log_test $? 0 "${nsname}: disable strict_mode (=0)"
}

enable_strict_mode_and_check()
{
	local nsname=$1

	enable_strict_mode ${nsname}
	log_test $? 0 "${nsname}: enable strict_mode (=1)"
}

enable_strict_mode_and_check_fail()
{
	local nsname=$1

	enable_strict_mode ${nsname}
	log_test $? 1 "${nsname}: CANNOT enable strict_mode"
}

strict_mode_check_default()
{
	local nsname=$1
	local strictmode
	local vrfcnt

	vrfcnt=$(vrf_count ${nsname})
	strictmode=$(read_strict_mode ${nsname})
	log_test ${strictmode} 0 "${nsname}: strict_mode=0 by default, ${vrfcnt} vrfs"
}

setup()
{
	modprobe vrf

	ip netns add testns
	ip netns exec testns ip link set lo up
}

cleanup()
{
	ip netns del testns 2>/dev/null

	ip link del vrf100 2>/dev/null
	ip link del vrf101 2>/dev/null
	ip link del vrf102 2>/dev/null

	echo 0 >/proc/sys/net/vrf/strict_mode 2>/dev/null
}

vrf_strict_mode_tests_init()
{
	vrf_strict_mode_check_support init

	strict_mode_check_default init

	add_vrf_and_check init vrf100 100
	config_vrf_and_check init 172.16.100.1/24 vrf100

	enable_strict_mode_and_check init

	add_vrf_and_check_fail init vrf101 100

	disable_strict_mode_and_check init

	add_vrf_and_check init vrf101 100
	config_vrf_and_check init 172.16.101.1/24 vrf101

	enable_strict_mode_and_check_fail init

	del_vrf_and_check init vrf101

	enable_strict_mode_and_check init

	add_vrf_and_check init vrf102 102
	config_vrf_and_check init 172.16.102.1/24 vrf102

	# the strict_modle is enabled in the init
}

vrf_strict_mode_tests_testns()
{
	vrf_strict_mode_check_support testns

	strict_mode_check_default testns

	enable_strict_mode_and_check testns

	add_vrf_and_check testns vrf100 100
	config_vrf_and_check testns 10.0.100.1/24 vrf100

	add_vrf_and_check_fail testns vrf101 100

	add_vrf_and_check_fail testns vrf102 100

	add_vrf_and_check testns vrf200 200

	disable_strict_mode_and_check testns

	add_vrf_and_check testns vrf101 100

	add_vrf_and_check testns vrf102 100

	#the strict_mode is disabled in the testns
}

vrf_strict_mode_tests_mix()
{
	read_strict_mode_compare_and_check init 1

	read_strict_mode_compare_and_check testns 0

	del_vrf_and_check testns vrf101

	del_vrf_and_check testns vrf102

	disable_strict_mode_and_check init

	enable_strict_mode_and_check testns

	enable_strict_mode_and_check init
	enable_strict_mode_and_check init

	disable_strict_mode_and_check testns
	disable_strict_mode_and_check testns

	read_strict_mode_compare_and_check init 1

	read_strict_mode_compare_and_check testns 0
}

vrf_strict_mode_tests()
{
	log_section "VRF strict_mode test on init network namespace"
	vrf_strict_mode_tests_init

	log_section "VRF strict_mode test on testns network namespace"
	vrf_strict_mode_tests_testns

	log_section "VRF strict_mode test mixing init and testns network namespaces"
	vrf_strict_mode_tests_mix
}

vrf_strict_mode_check_support()
{
	local nsname=$1
	local output
	local rc

	output="$(lsmod | grep '^vrf' | awk '{print $1}')"
	if [ -z "${output}" ]; then
		modinfo vrf || return $?
	fi

	# we do not care about the value of the strict_mode; we only check if
	# the strict_mode parameter is available or not.
	read_strict_mode ${nsname} &>/dev/null; rc=$?
	log_test ${rc} 0 "${nsname}: net.vrf.strict_mode is available"

	return ${rc}
}

if [ "$(id -u)" -ne 0 ];then
	echo "SKIP: Need root privileges"
	exit 0
fi

if [ ! -x "$(command -v ip)" ]; then
	echo "SKIP: Could not run test without ip tool"
	exit 0
fi

modprobe vrf &>/dev/null
if [ ! -e /proc/sys/net/vrf/strict_mode ]; then
	echo "SKIP: vrf sysctl does not exist"
	exit 0
fi

cleanup &> /dev/null

setup
vrf_strict_mode_tests
cleanup

print_log_test_results

exit $ret