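#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Various combinations of VRF with xfrms and qdisc.

# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4

PAUSE_ON_FAIL=no
VERBOSE=0
ret=0

# Pass/fail counters incremented by log_test. They are set to zero here so
# that values inherited from the caller's environment cannot skew the summary
# printed at the end of the run.
nsuccess=0
nfail=0

# Addresses placed on the eth0 veth pair that connects host1 and host2; they
# are also the tunnel endpoints in the xfrm templates and states.
HOST1_4=192.168.1.1
HOST2_4=192.168.1.2
HOST1_6=2001:db8:1::1
HOST2_6=2001:db8:1::2

# Addresses used by the xfrm-device test (xfrm0 on host1, eth0 on host2) and
# the if_id that ties the xfrm interface to its policies and states.
XFRM1_4=10.0.1.1
XFRM2_4=10.0.1.2
XFRM1_6=fc00:1000::1
XFRM2_6=fc00:1000::2
IF_ID=123

# VRF device created in host1 and the routing table bound to it.
VRF=red
TABLE=300

# Fixed ESP parameters, one set per direction (1: host1 -> host2,
# 2: host2 -> host1). These are constant test keys checked into the tree;
# they protect nothing and must never be reused for real traffic.
AUTH_1=0xd94fcfea65fddf21dc6e0d24a0253508
AUTH_2=0xdc6e0d24a0253508d94fcfea65fddf21
ENC_1=0xfc46c20f8048be9725930ff3fb07ac2a91f0347dffeacf62
ENC_2=0x3fb07ac2a91f0347dffeacf62fc46c20f8048be9725930ff
SPI_1=0x02122b77
SPI_2=0x2b770212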
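# Use a dedicated ping6 binary when one is installed, otherwise fall back to
# ping for the IPv6 tests.
if ! ping6=$(command -v ping6 2>/dev/null); then
	ping6=$(command -v ping)
fi

################################################################################
#
# Compare an exit status with the expected one and record the result.
# Globals:   ret, nsuccess, nfail (written); PAUSE_ON_FAIL (read)
# Arguments: $1 - actual exit status
#            $2 - expected exit status
#            $3 - test description
# Outputs:   one "TEST: ..." line per call on stdout
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	local a

	if [ "${rc}" -eq "${expected}" ]; then
		printf "TEST: %-60s [ OK ]\n" "${msg}"
		nsuccess=$((nsuccess+1))
	else
		ret=1
		nfail=$((nfail+1))
		printf "TEST: %-60s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r a
			if [ "$a" = "q" ]; then
				exit 1
			fi
		fi
	fi
}

# Run a command inside the host1 namespace, capturing stdout and stderr.
# Globals:   VERBOSE (read)
# Arguments: the command and its arguments
# Outputs:   with -v, the command line and whatever the command printed
# Returns:   exit status of the command
run_cmd_host1()
{
	local cmd="$*"
	local out
	local rc

	# -v may be given more than once, so treat any level >= 1 as verbose.
	if [ "${VERBOSE:-0}" -ge 1 ]; then
		# The command is passed as data, not as the format string, so a
		# '%' or backslash in it is printed literally.
		printf ' COMMAND: %s\n' "$cmd"
	fi

	# NOTE(review): eval re-parses the joined argument string, so shell
	# metacharacters in the arguments would be interpreted. Every caller
	# in this script passes fixed words built from the constants at the
	# top of the file; do not route externally supplied strings through
	# this helper.
	# shellcheck disable=SC2086
	out=$(eval ip netns exec host1 $cmd 2>&1)
	rc=$?
	if [ "${VERBOSE:-0}" -ge 1 ]; then
		if [ -n "$out" ]; then
			echo
			echo " $out"
		fi
		echo
	fi

	return $rc
}

################################################################################
# create namespaces for hosts and sws

# Create a VRF device and its default routing setup.
# Arguments: $1 - namespace name (empty for the current namespace)
#            $2 - VRF device name
#            $3 - routing table id
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local -a nsarg=()

	if [ -n "${ns}" ]; then
		nsarg=(-netns "${ns}")
	fi

	ip "${nsarg[@]}" link add "${vrf}" type vrf table "${table}"
	ip "${nsarg[@]}" link set "${vrf}" up
	ip "${nsarg[@]}" route add vrf "${vrf}" unreachable default metric 8192
	ip "${nsarg[@]}" -6 route add vrf "${vrf}" unreachable default metric 8192

	ip "${nsarg[@]}" addr add 127.0.0.1/8 dev "${vrf}"
	ip "${nsarg[@]}" -6 addr add ::1 dev "${vrf}" nodad

	# Replace the preference-0 rule with a "lookup local" rule at 32765,
	# presumably so the VRF rule is consulted before the local table.
	ip "${nsarg[@]}" ru del pref 0
	ip "${nsarg[@]}" ru add pref 32765 from all lookup local
	ip "${nsarg[@]}" -6 ru del pref 0
	ip "${nsarg[@]}" -6 ru add pref 32765 from all lookup local
}

# Create a namespace with loopback up, forwarding enabled and an unreachable
# default route.
# Arguments: $1 - namespace name
#            $2 - IPv4 address for lo ("-" or empty for none)
#            $3 - IPv6 address for lo ("-" or empty for none)
create_ns()
{
	local ns=$1
	local addr=${2:--}
	local addr6=${3:--}
	local knob

	ip netns add "${ns}"

	ip -netns "${ns}" link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev lo "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev lo "${addr6}"
	fi

	ip -netns "${ns}" ro add unreachable default metric 8192
	ip -netns "${ns}" -6 ro add unreachable default metric 8192

	for knob in \
		net.ipv4.ip_forward=1 \
		net.ipv6.conf.all.keep_addr_on_down=1 \
		net.ipv6.conf.all.forwarding=1 \
		net.ipv6.conf.default.forwarding=1 \
		net.ipv6.conf.default.accept_dad=0
	do
		ip netns exec "${ns}" sysctl -qw "${knob}"
	done
}

# create veth pair to connect namespaces and apply addresses.
# Arguments: $1-$4 - first namespace, its device, IPv4 and IPv6 address
#            $5-$8 - second namespace, its device, IPv4 and IPv6 address
# An address of "-" on the first side skips that family on both sides.
connect_ns()
{
	local ns1=$1
	local ns1_dev=$2
	local ns1_addr=$3
	local ns1_addr6=$4
	local ns2=$5
	local ns2_dev=$6
	local ns2_addr=$7
	local ns2_addr6=$8
	local -a ns1arg=()
	local -a ns2arg=()

	if [ -n "${ns1}" ]; then
		ns1arg=(-netns "${ns1}")
	fi
	if [ -n "${ns2}" ]; then
		ns2arg=(-netns "${ns2}")
	fi

	# The peer is created as "tmp" next to ns1_dev, then moved into the
	# second namespace and renamed there.
	ip "${ns1arg[@]}" li add "${ns1_dev}" type veth peer name tmp
	ip "${ns1arg[@]}" li set "${ns1_dev}" up
	ip "${ns1arg[@]}" li set tmp netns "${ns2}" name "${ns2_dev}"
	ip "${ns2arg[@]}" li set "${ns2_dev}" up

	if [ "${ns1_addr}" != "-" ]; then
		ip "${ns1arg[@]}" addr add dev "${ns1_dev}" "${ns1_addr}"
		ip "${ns2arg[@]}" addr add dev "${ns2_dev}" "${ns2_addr}"
	fi

	if [ "${ns1_addr6}" != "-" ]; then
		ip "${ns1arg[@]}" addr add dev "${ns1_dev}" "${ns1_addr6}" nodad
		ip "${ns2arg[@]}" addr add dev "${ns2_dev}" "${ns2_addr6}" nodad
	fi
}

################################################################################

# Delete both test namespaces.
cleanup()
{
	ip netns del host1
	ip netns del host2
}

# Build the topology: host1 and host2 joined by eth0, with host1's eth0
# enslaved to the VRF.
setup()
{
	create_ns "host1"
	create_ns "host2"

	connect_ns "host1" eth0 "${HOST1_4}/24" "${HOST1_6}/64" \
	           "host2" eth0 "${HOST2_4}/24" "${HOST2_6}/64"

	create_vrf "host1" "${VRF}" "${TABLE}"
	ip -netns host1 link set dev eth0 master "${VRF}"
}

# Flush all xfrm state and policy in both namespaces.
cleanup_xfrm()
{
	local ns
	local x

	for ns in host1 host2
	do
		for x in state policy
		do
			ip -netns "${ns}" xfrm "${x}" flush
			ip -6 -netns "${ns}" xfrm "${x}" flush
		done
	done
}

# Add one ESP tunnel-mode xfrm policy.
# Arguments: $1 - address family flag for ip ("" or "-6")
#            $2 - namespace
#            $3 - selector source     $4 - selector destination
#            $5 - direction (in|out)
#            $6 - template source     $7 - template destination
#            $8... - optional extra selector words (e.g. if_id 123)
xfrm_policy_add()
{
	local fam=$1 ns=$2 src=$3 dst=$4 dir=$5 tsrc=$6 tdst=$7
	shift 7

	ip ${fam:+"${fam}"} -netns "${ns}" xfrm policy add \
		src "${src}" dst "${dst}" "$@" dir "${dir}" \
		tmpl src "${tsrc}" dst "${tdst}" proto esp mode tunnel
}

# Add one ESP tunnel-mode xfrm state.
# Arguments: $1 - address family flag for ip ("" or "-6")
#            $2 - namespace
#            $3 - tunnel source       $4 - tunnel destination
#            $5 - SPI                 $6 - auth key        $7 - enc key
#            $8 - selector source     $9 - selector destination
#            $10... - optional extra selector words (e.g. if_id 123)
xfrm_state_add()
{
	local fam=$1 ns=$2 tsrc=$3 tdst=$4 spi=$5 auth=$6 enc=$7 ssrc=$8 sdst=$9
	shift 9

	# hmac(md5) truncated to 96 bits and cbc(des3_ede) are legacy
	# transforms; together with the fixed keys they only serve to exercise
	# the xfrm path in this test and are not a template for real tunnels.
	ip ${fam:+"${fam}"} -netns "${ns}" xfrm state add \
		src "${tsrc}" dst "${tdst}" \
		proto esp spi "${spi}" reqid 0 mode tunnel \
		replay-window 4 replay-oseq 0x4 \
		auth-trunc 'hmac(md5)' "${auth}" 96 \
		enc 'cbc(des3_ede)' "${enc}" \
		sel src "${ssrc}" dst "${sdst}" "$@"
}

# Install policies and states for an ESP tunnel between host1 and host2, for
# IPv4 and IPv6 and in both directions.
# Globals:   HOST*_4/6, SPI_*, AUTH_*, ENC_* (read)
# Arguments: $1 - host1 IPv4 selector address
#            $2 - host2 IPv4 selector address
#            $3 - host1 IPv6 selector address
#            $4 - host2 IPv6 selector address
#            $5 - optional selector clause applied on host1 only
setup_xfrm()
{
	local h1_4=$1
	local h2_4=$2
	local h1_6=$3
	local h2_6=$4
	local devarg="$5"

	# devarg is a multi-word ip(8) clause such as "if_id 123"; it is left
	# unquoted below on purpose so that it splits into separate arguments.
	# shellcheck disable=SC2086

	#
	# policy
	#

	# host1 - IPv4 out
	xfrm_policy_add "" host1 "${h1_4}" "${h2_4}" out \
		"${HOST1_4}" "${HOST2_4}" ${devarg}
	# host2 - IPv4 in
	xfrm_policy_add "" host2 "${h1_4}" "${h2_4}" in \
		"${HOST1_4}" "${HOST2_4}"
	# host1 - IPv4 in
	xfrm_policy_add "" host1 "${h2_4}" "${h1_4}" in \
		"${HOST2_4}" "${HOST1_4}" ${devarg}
	# host2 - IPv4 out
	xfrm_policy_add "" host2 "${h2_4}" "${h1_4}" out \
		"${HOST2_4}" "${HOST1_4}"

	# host1 - IPv6 out
	xfrm_policy_add -6 host1 "${h1_6}" "${h2_6}" out \
		"${HOST1_6}" "${HOST2_6}" ${devarg}
	# host2 - IPv6 in
	xfrm_policy_add -6 host2 "${h1_6}" "${h2_6}" in \
		"${HOST1_6}" "${HOST2_6}"
	# host1 - IPv6 in
	xfrm_policy_add -6 host1 "${h2_6}" "${h1_6}" in \
		"${HOST2_6}" "${HOST1_6}" ${devarg}
	# host2 - IPv6 out
	xfrm_policy_add -6 host2 "${h2_6}" "${h1_6}" out \
		"${HOST2_6}" "${HOST1_6}"

	#
	# state
	#

	# IPv4, host1 -> host2
	xfrm_state_add "" host1 "${HOST1_4}" "${HOST2_4}" \
		"${SPI_1}" "${AUTH_1}" "${ENC_1}" "${h1_4}" "${h2_4}" ${devarg}
	xfrm_state_add "" host2 "${HOST1_4}" "${HOST2_4}" \
		"${SPI_1}" "${AUTH_1}" "${ENC_1}" "${h1_4}" "${h2_4}"

	# IPv4, host2 -> host1
	xfrm_state_add "" host1 "${HOST2_4}" "${HOST1_4}" \
		"${SPI_2}" "${AUTH_2}" "${ENC_2}" "${h2_4}" "${h1_4}" ${devarg}
	xfrm_state_add "" host2 "${HOST2_4}" "${HOST1_4}" \
		"${SPI_2}" "${AUTH_2}" "${ENC_2}" "${h2_4}" "${h1_4}"

	# IPv6, host1 -> host2
	xfrm_state_add -6 host1 "${HOST1_6}" "${HOST2_6}" \
		"${SPI_1}" "${AUTH_1}" "${ENC_1}" "${h1_6}" "${h2_6}" ${devarg}
	xfrm_state_add -6 host2 "${HOST1_6}" "${HOST2_6}" \
		"${SPI_1}" "${AUTH_1}" "${ENC_1}" "${h1_6}" "${h2_6}"

	# IPv6, host2 -> host1
	xfrm_state_add -6 host1 "${HOST2_6}" "${HOST1_6}" \
		"${SPI_2}" "${AUTH_2}" "${ENC_2}" "${h2_6}" "${h1_6}" ${devarg}
	xfrm_state_add -6 host2 "${HOST2_6}" "${HOST1_6}" \
		"${SPI_2}" "${AUTH_2}" "${ENC_2}" "${h2_6}" "${h1_6}"
}

# Undo setup_xfrm_dev: remove xfrm0 from host1 and the extra addresses from
# host2's eth0. xfrm state and policy are flushed separately by cleanup_xfrm.
cleanup_xfrm_dev()
{
	ip -netns host1 li del xfrm0
	ip -netns host2 addr del "${XFRM2_4}/24" dev eth0
	ip -netns host2 addr del "${XFRM2_6}/64" dev eth0
}

# Create an xfrm interface on host1 inside the VRF, address both ends and
# install if_id-based policies and states.
setup_xfrm_dev()
{
	# No name is given, so the new interface is expected to come up as
	# xfrm0, which the following commands rely on.
	ip -netns host1 li add type xfrm dev eth0 if_id "${IF_ID}"
	ip -netns host1 li set xfrm0 vrf "${VRF}" up
	ip -netns host1 addr add "${XFRM1_4}/24" dev xfrm0
	ip -netns host1 addr add "${XFRM1_6}/64" dev xfrm0

	ip -netns host2 addr add "${XFRM2_4}/24" dev eth0
	ip -netns host2 addr add "${XFRM2_6}/64" dev eth0

	setup_xfrm "${XFRM1_4}" "${XFRM2_4}" "${XFRM1_6}" "${XFRM2_6}" \
		"if_id ${IF_ID}"
}

# Run the ping checks from host1's VRF for each xfrm configuration.
run_tests()
{
	cleanup_xfrm

	# no IPsec
	run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${HOST2_4}
	log_test $? 0 "IPv4 no xfrm policy"
	run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${HOST2_6}
	log_test $? 0 "IPv6 no xfrm policy"

	# xfrm without VRF in sel
	setup_xfrm ${HOST1_4} ${HOST2_4} ${HOST1_6} ${HOST2_6}
	run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${HOST2_4}
	log_test $? 0 "IPv4 xfrm policy based on address"
	run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${HOST2_6}
	log_test $? 0 "IPv6 xfrm policy based on address"
	cleanup_xfrm

	# xfrm with VRF in sel
	# Known failure: ipv4 resets the flow oif after the lookup. Fix is
	# not straightforward.
	# setup_xfrm ${HOST1_4} ${HOST2_4} ${HOST1_6} ${HOST2_6} "dev ${VRF}"
	# run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${HOST2_4}
	# log_test $? 0 "IPv4 xfrm policy with VRF in selector"
	#
	# NOTE(review): with the setup_xfrm call above commented out and
	# cleanup_xfrm having just run, the IPv6 ping below is sent with no
	# xfrm policy or state installed. A pass here therefore does not show
	# that IPsec with a VRF selector works; it repeats the "no xfrm
	# policy" case under a different label.
	run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${HOST2_6}
	log_test $? 0 "IPv6 xfrm policy with VRF in selector"
	cleanup_xfrm

	# xfrm with enslaved device in sel
	# Known failures: combined with the above, __xfrm{4,6}_selector_match
	# needs to consider both l3mdev and enslaved device index.
	# setup_xfrm ${HOST1_4} ${HOST2_4} ${HOST1_6} ${HOST2_6} "dev eth0"
	# run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${HOST2_4}
	# log_test $? 0 "IPv4 xfrm policy with enslaved device in selector"
	# run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${HOST2_6}
	# log_test $? 0 "IPv6 xfrm policy with enslaved device in selector"
	# cleanup_xfrm

	# xfrm device
	setup_xfrm_dev
	run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${XFRM2_4}
	log_test $? 0 "IPv4 xfrm policy with xfrm device"
	run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${XFRM2_6}
	log_test $? 0 "IPv6 xfrm policy with xfrm device"
	cleanup_xfrm_dev
}

################################################################################
# usage

# Print the command-line help on stdout.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-h          show this help
	-p          Pause on fail
	-v          verbose mode (show commands and output)
EOF
}

################################################################################
# main

# 'h' must be listed in the optstring, otherwise the h) arm can never match.
while getopts :hpv o
do
	case $o in
		p) PAUSE_ON_FAIL=yes;;
		v) VERBOSE=$((VERBOSE + 1));;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# Report SKIP rather than a string of failures when iproute2 is missing.
if ! command -v ip > /dev/null 2>&1; then
	echo "SKIP: Could not run test without ip tool"
	exit "${ksft_skip:-4}"
fi

# Remove leftovers from an earlier run, and make sure the namespaces created
# below are deleted again on every exit path.
cleanup 2>/dev/null
trap 'cleanup 2>/dev/null' EXIT
setup

echo
echo "No qdisc on VRF device"
run_tests

run_cmd_host1 tc qdisc add dev ${VRF} root netem delay 100ms
echo
echo "netem qdisc on VRF device"
run_tests

printf "\nTests passed: %3d\n" "${nsuccess:-0}"
printf "Tests failed: %3d\n" "${nfail:-0}"

exit $ret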