1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
|
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# This test is designed for testing the new VRF strict_mode functionality.
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
ret=0
# identifies the "init" network namespace which is often called root network
# namespace.
INIT_NETNS_NAME="init"
PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no}
TESTS="init testns mix"
log_test()
{
local rc=$1
local expected=$2
local msg="$3"
if [ ${rc} -eq ${expected} ]; then
nsuccess=$((nsuccess+1))
printf "\n TEST: %-60s [ OK ]\n" "${msg}"
else
ret=1
nfail=$((nfail+1))
printf "\n TEST: %-60s [FAIL]\n" "${msg}"
if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
echo
echo "hit enter to continue, 'q' to quit"
read a
[ "$a" = "q" ] && exit 1
fi
fi
}
print_log_test_results()
{
if [ "$TESTS" != "none" ]; then
printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n" ${nfail}
fi
}
log_section()
{
echo
echo "################################################################################"
echo "TEST SECTION: $*"
echo "################################################################################"
}
ip_expand_args()
{
local nsname=$1
local nsarg=""
if [ "${nsname}" != "${INIT_NETNS_NAME}" ]; then
nsarg="-netns ${nsname}"
fi
echo "${nsarg}"
}
vrf_count()
{
local nsname=$1
local nsarg="$(ip_expand_args ${nsname})"
ip ${nsarg} -o link show type vrf | wc -l
}
count_vrf_by_table_id()
{
local nsname=$1
local tableid=$2
local nsarg="$(ip_expand_args ${nsname})"
ip ${nsarg} -d -o link show type vrf | grep "table ${tableid}" | wc -l
}
add_vrf()
{
local nsname=$1
local vrfname=$2
local vrftable=$3
local nsarg="$(ip_expand_args ${nsname})"
ip ${nsarg} link add ${vrfname} type vrf table ${vrftable} &>/dev/null
}
add_vrf_and_check()
{
local nsname=$1
local vrfname=$2
local vrftable=$3
local cnt
local rc
add_vrf ${nsname} ${vrfname} ${vrftable}; rc=$?
cnt=$(count_vrf_by_table_id ${nsname} ${vrftable})
log_test ${rc} 0 "${nsname}: add vrf ${vrfname}, ${cnt} vrfs for table ${vrftable}"
}
add_vrf_and_check_fail()
{
local nsname=$1
local vrfname=$2
local vrftable=$3
local cnt
local rc
add_vrf ${nsname} ${vrfname} ${vrftable}; rc=$?
cnt=$(count_vrf_by_table_id ${nsname} ${vrftable})
log_test ${rc} 2 "${nsname}: CANNOT add vrf ${vrfname}, ${cnt} vrfs for table ${vrftable}"
}
del_vrf_and_check()
{
local nsname=$1
local vrfname=$2
local nsarg="$(ip_expand_args ${nsname})"
ip ${nsarg} link del ${vrfname}
log_test $? 0 "${nsname}: remove vrf ${vrfname}"
}
config_vrf_and_check()
{
local nsname=$1
local addr=$2
local vrfname=$3
local nsarg="$(ip_expand_args ${nsname})"
ip ${nsarg} link set dev ${vrfname} up && \
ip ${nsarg} addr add ${addr} dev ${vrfname}
log_test $? 0 "${nsname}: vrf ${vrfname} up, addr ${addr}"
}
read_strict_mode()
{
local nsname=$1
local rval
local rc=0
local nsexec=""
if [ "${nsname}" != "${INIT_NETNS_NAME}" ]; then
# a custom network namespace is provided
nsexec="ip netns exec ${nsname}"
fi
rval="$(${nsexec} bash -c "cat /proc/sys/net/vrf/strict_mode" | \
grep -E "^[0-1]$")" &> /dev/null
if [ $? -ne 0 ]; then
# set errors
rval=255
rc=1
fi
# on success, rval can be only 0 or 1; on error, rval is equal to 255
echo ${rval}
return ${rc}
}
read_strict_mode_compare_and_check()
{
local nsname=$1
local expected=$2
local res
res="$(read_strict_mode ${nsname})"
log_test ${res} ${expected} "${nsname}: check strict_mode=${res}"
}
set_strict_mode()
{
local nsname=$1
local val=$2
local nsexec=""
if [ "${nsname}" != "${INIT_NETNS_NAME}" ]; then
# a custom network namespace is provided
nsexec="ip netns exec ${nsname}"
fi
${nsexec} bash -c "echo ${val} >/proc/sys/net/vrf/strict_mode" &>/dev/null
}
enable_strict_mode()
{
local nsname=$1
set_strict_mode ${nsname} 1
}
disable_strict_mode()
{
local nsname=$1
set_strict_mode ${nsname} 0
}
disable_strict_mode_and_check()
{
local nsname=$1
disable_strict_mode ${nsname}
log_test $? 0 "${nsname}: disable strict_mode (=0)"
}
enable_strict_mode_and_check()
{
local nsname=$1
enable_strict_mode ${nsname}
log_test $? 0 "${nsname}: enable strict_mode (=1)"
}
enable_strict_mode_and_check_fail()
{
local nsname=$1
enable_strict_mode ${nsname}
log_test $? 1 "${nsname}: CANNOT enable strict_mode"
}
strict_mode_check_default()
{
local nsname=$1
local strictmode
local vrfcnt
vrfcnt=$(vrf_count ${nsname})
strictmode=$(read_strict_mode ${nsname})
log_test ${strictmode} 0 "${nsname}: strict_mode=0 by default, ${vrfcnt} vrfs"
}
setup()
{
modprobe vrf
ip netns add testns
ip netns exec testns ip link set lo up
}
cleanup()
{
ip netns del testns 2>/dev/null
ip link del vrf100 2>/dev/null
ip link del vrf101 2>/dev/null
ip link del vrf102 2>/dev/null
echo 0 >/proc/sys/net/vrf/strict_mode 2>/dev/null
}
vrf_strict_mode_tests_init()
{
log_section "VRF strict_mode test on init network namespace"
vrf_strict_mode_check_support init
strict_mode_check_default init
add_vrf_and_check init vrf100 100
config_vrf_and_check init 172.16.100.1/24 vrf100
enable_strict_mode_and_check init
add_vrf_and_check_fail init vrf101 100
disable_strict_mode_and_check init
add_vrf_and_check init vrf101 100
config_vrf_and_check init 172.16.101.1/24 vrf101
enable_strict_mode_and_check_fail init
del_vrf_and_check init vrf101
enable_strict_mode_and_check init
add_vrf_and_check init vrf102 102
config_vrf_and_check init 172.16.102.1/24 vrf102
# the strict_modle is enabled in the init
}
vrf_strict_mode_tests_testns()
{
log_section "VRF strict_mode test on testns network namespace"
vrf_strict_mode_check_support testns
strict_mode_check_default testns
enable_strict_mode_and_check testns
add_vrf_and_check testns vrf100 100
config_vrf_and_check testns 10.0.100.1/24 vrf100
add_vrf_and_check_fail testns vrf101 100
add_vrf_and_check_fail testns vrf102 100
add_vrf_and_check testns vrf200 200
disable_strict_mode_and_check testns
add_vrf_and_check testns vrf101 100
add_vrf_and_check testns vrf102 100
#the strict_mode is disabled in the testns
}
vrf_strict_mode_tests_mix()
{
log_section "VRF strict_mode test mixing init and testns network namespaces"
read_strict_mode_compare_and_check init 1
read_strict_mode_compare_and_check testns 0
del_vrf_and_check testns vrf101
del_vrf_and_check testns vrf102
disable_strict_mode_and_check init
enable_strict_mode_and_check testns
enable_strict_mode_and_check init
enable_strict_mode_and_check init
disable_strict_mode_and_check testns
disable_strict_mode_and_check testns
read_strict_mode_compare_and_check init 1
read_strict_mode_compare_and_check testns 0
}
################################################################################
# usage
usage()
{
cat <<EOF
usage: ${0##*/} OPTS
-t <test> Test(s) to run (default: all)
(options: $TESTS)
EOF
}
################################################################################
# main
while getopts ":t:h" opt; do
case $opt in
t) TESTS=$OPTARG;;
h) usage; exit 0;;
*) usage; exit 1;;
esac
done
vrf_strict_mode_check_support()
{
local nsname=$1
local output
local rc
output="$(lsmod | grep '^vrf' | awk '{print $1}')"
if [ -z "${output}" ]; then
modinfo vrf || return $?
fi
# we do not care about the value of the strict_mode; we only check if
# the strict_mode parameter is available or not.
read_strict_mode ${nsname} &>/dev/null; rc=$?
log_test ${rc} 0 "${nsname}: net.vrf.strict_mode is available"
return ${rc}
}
if [ "$(id -u)" -ne 0 ];then
echo "SKIP: Need root privileges"
exit $ksft_skip
fi
if [ ! -x "$(command -v ip)" ]; then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
modprobe vrf &>/dev/null
if [ ! -e /proc/sys/net/vrf/strict_mode ]; then
echo "SKIP: vrf sysctl does not exist"
exit $ksft_skip
fi
cleanup &> /dev/null
setup
for t in $TESTS
do
case $t in
vrf_strict_mode_tests_init|init) vrf_strict_mode_tests_init;;
vrf_strict_mode_tests_testns|testns) vrf_strict_mode_tests_testns;;
vrf_strict_mode_tests_mix|mix) vrf_strict_mode_tests_mix;;
help) echo "Test names: $TESTS"; exit 0;;
esac
done
cleanup
print_log_test_results
exit $ret
|
