1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3
4lib_dir=$(dirname $0)/../../../net/forwarding
5
6ALL_TESTS="
7	shared_block_drop_test
8	egress_redirect_test
9	multi_mirror_test
10	matchall_sample_egress_test
11	matchall_mirror_behind_flower_ingress_test
12	matchall_sample_behind_flower_ingress_test
13	matchall_mirror_behind_flower_egress_test
14	matchall_proto_match_test
15	police_limits_test
16	multi_police_test
17"
18NUM_NETIFS=2
19
20source $lib_dir/tc_common.sh
21source $lib_dir/lib.sh
22source $lib_dir/devlink_lib.sh
23source mlxsw_lib.sh
24
25switch_create()
26{
27	simple_if_init $swp1 192.0.2.1/24
28	simple_if_init $swp2 192.0.2.2/24
29}
30
31switch_destroy()
32{
33	simple_if_fini $swp2 192.0.2.2/24
34	simple_if_fini $swp1 192.0.2.1/24
35}
36
37shared_block_drop_test()
38{
39	RET=0
40
41	# It is forbidden in mlxsw driver to have mixed-bound
42	# shared block with a drop rule.
43
44	tc qdisc add dev $swp1 ingress_block 22 clsact
45	check_err $? "Failed to create clsact with ingress block"
46
47	tc filter add block 22 protocol ip pref 1 handle 101 flower \
48		skip_sw dst_ip 192.0.2.2 action drop
49	check_err $? "Failed to add drop rule to ingress bound block"
50
51	tc qdisc add dev $swp2 ingress_block 22 clsact
52	check_err $? "Failed to create another clsact with ingress shared block"
53
54	tc qdisc del dev $swp2 clsact
55
56	tc qdisc add dev $swp2 egress_block 22 clsact
57	check_fail $? "Incorrect success to create another clsact with egress shared block"
58
59	tc filter del block 22 protocol ip pref 1 handle 101 flower
60
61	tc qdisc add dev $swp2 egress_block 22 clsact
62	check_err $? "Failed to create another clsact with egress shared block after blocker drop rule removed"
63
64	tc filter add block 22 protocol ip pref 1 handle 101 flower \
65		skip_sw dst_ip 192.0.2.2 action drop
66	check_fail $? "Incorrect success to add drop rule to mixed bound block"
67
68	tc qdisc del dev $swp1 clsact
69
70	tc qdisc add dev $swp1 egress_block 22 clsact
71	check_err $? "Failed to create another clsact with egress shared block"
72
73	tc filter add block 22 protocol ip pref 1 handle 101 flower \
74		skip_sw dst_ip 192.0.2.2 action drop
75	check_err $? "Failed to add drop rule to egress bound shared block"
76
77	tc filter del block 22 protocol ip pref 1 handle 101 flower
78
79	tc qdisc del dev $swp2 clsact
80	tc qdisc del dev $swp1 clsact
81
82	log_test "shared block drop"
83}
84
85egress_redirect_test()
86{
87	RET=0
88
89	# It is forbidden in mlxsw driver to have mirred redirect on
90	# egress-bound block.
91
92	tc qdisc add dev $swp1 ingress_block 22 clsact
93	check_err $? "Failed to create clsact with ingress block"
94
95	tc filter add block 22 protocol ip pref 1 handle 101 flower \
96		skip_sw dst_ip 192.0.2.2 \
97		action mirred egress redirect dev $swp2
98	check_err $? "Failed to add redirect rule to ingress bound block"
99
100	tc qdisc add dev $swp2 ingress_block 22 clsact
101	check_err $? "Failed to create another clsact with ingress shared block"
102
103	tc qdisc del dev $swp2 clsact
104
105	tc qdisc add dev $swp2 egress_block 22 clsact
106	check_fail $? "Incorrect success to create another clsact with egress shared block"
107
108	tc filter del block 22 protocol ip pref 1 handle 101 flower
109
110	tc qdisc add dev $swp2 egress_block 22 clsact
111	check_err $? "Failed to create another clsact with egress shared block after blocker redirect rule removed"
112
113	tc filter add block 22 protocol ip pref 1 handle 101 flower \
114		skip_sw dst_ip 192.0.2.2 \
115		action mirred egress redirect dev $swp2
116	check_fail $? "Incorrect success to add redirect rule to mixed bound block"
117
118	tc qdisc del dev $swp1 clsact
119
120	tc qdisc add dev $swp1 egress_block 22 clsact
121	check_err $? "Failed to create another clsact with egress shared block"
122
123	tc filter add block 22 protocol ip pref 1 handle 101 flower \
124		skip_sw dst_ip 192.0.2.2 \
125		action mirred egress redirect dev $swp2
126	check_fail $? "Incorrect success to add redirect rule to egress bound shared block"
127
128	tc qdisc del dev $swp2 clsact
129
130	tc filter add block 22 protocol ip pref 1 handle 101 flower \
131		skip_sw dst_ip 192.0.2.2 \
132		action mirred egress redirect dev $swp2
133	check_fail $? "Incorrect success to add redirect rule to egress bound block"
134
135	tc qdisc del dev $swp1 clsact
136
137	log_test "shared block drop"
138}
139
140multi_mirror_test()
141{
142	RET=0
143
144	# It is forbidden in mlxsw driver to have multiple mirror
145	# actions in a single rule.
146
147	tc qdisc add dev $swp1 clsact
148
149	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
150		skip_sw dst_ip 192.0.2.2 \
151		action mirred egress mirror dev $swp2
152	check_err $? "Failed to add rule with single mirror action"
153
154	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
155
156	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
157		skip_sw dst_ip 192.0.2.2 \
158		action mirred egress mirror dev $swp2 \
159		action mirred egress mirror dev $swp1
160	check_fail $? "Incorrect success to add rule with two mirror actions"
161
162	tc qdisc del dev $swp1 clsact
163
164	log_test "multi mirror"
165}
166
167matchall_sample_egress_test()
168{
169	RET=0
170
171	# It is forbidden in mlxsw driver to have matchall with sample action
172	# bound on egress. Spectrum-1 specific restriction
173	mlxsw_only_on_spectrum 1 || return
174
175	tc qdisc add dev $swp1 clsact
176
177	tc filter add dev $swp1 ingress protocol all pref 1 handle 101 \
178		matchall skip_sw action sample rate 100 group 1
179	check_err $? "Failed to add rule with sample action on ingress"
180
181	tc filter del dev $swp1 ingress protocol all pref 1 handle 101 matchall
182
183	tc filter add dev $swp1 egress protocol all pref 1 handle 101 \
184		matchall skip_sw action sample rate 100 group 1
185	check_fail $? "Incorrect success to add rule with sample action on egress"
186
187	tc qdisc del dev $swp1 clsact
188
189	log_test "matchall sample egress"
190}
191
192matchall_behind_flower_ingress_test()
193{
194	local action=$1
195	local action_args=$2
196
197	RET=0
198
199	# On ingress, all matchall-mirror and matchall-sample
200	# rules have to be in front of the flower rules
201
202	tc qdisc add dev $swp1 clsact
203
204	tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \
205		skip_sw dst_ip 192.0.2.2 action drop
206
207	tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \
208		matchall skip_sw action $action_args
209	check_err $? "Failed to add matchall rule in front of a flower rule"
210
211	tc filter del dev $swp1 ingress protocol all pref 9 handle 102 matchall
212
213	tc filter add dev $swp1 ingress protocol all pref 11 handle 102 \
214		matchall skip_sw action $action_args
215	check_fail $? "Incorrect success to add matchall rule behind a flower rule"
216
217	tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower
218
219	tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \
220		matchall skip_sw action $action_args
221
222	tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \
223		skip_sw dst_ip 192.0.2.2 action drop
224	check_err $? "Failed to add flower rule behind a matchall rule"
225
226	tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower
227
228	tc filter add dev $swp1 ingress protocol ip pref 8 handle 101 flower \
229		skip_sw dst_ip 192.0.2.2 action drop
230	check_fail $? "Incorrect success to add flower rule in front of a matchall rule"
231
232	tc qdisc del dev $swp1 clsact
233
234	log_test "matchall $action flower ingress"
235}
236
237matchall_mirror_behind_flower_ingress_test()
238{
239	matchall_behind_flower_ingress_test "mirror" "mirred egress mirror dev $swp2"
240}
241
242matchall_sample_behind_flower_ingress_test()
243{
244	matchall_behind_flower_ingress_test "sample" "sample rate 100 group 1"
245}
246
247matchall_behind_flower_egress_test()
248{
249	local action=$1
250	local action_args=$2
251
252	RET=0
253
254	# On egress, all matchall-mirror rules have to be behind the flower rules
255
256	tc qdisc add dev $swp1 clsact
257
258	tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \
259		skip_sw dst_ip 192.0.2.2 action drop
260
261	tc filter add dev $swp1 egress protocol all pref 11 handle 102 \
262		matchall skip_sw action $action_args
263	check_err $? "Failed to add matchall rule in front of a flower rule"
264
265	tc filter del dev $swp1 egress protocol all pref 11 handle 102 matchall
266
267	tc filter add dev $swp1 egress protocol all pref 9 handle 102 \
268		matchall skip_sw action $action_args
269	check_fail $? "Incorrect success to add matchall rule behind a flower rule"
270
271	tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower
272
273	tc filter add dev $swp1 egress protocol all pref 11 handle 102 \
274		matchall skip_sw action $action_args
275
276	tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \
277		skip_sw dst_ip 192.0.2.2 action drop
278	check_err $? "Failed to add flower rule behind a matchall rule"
279
280	tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower
281
282	tc filter add dev $swp1 egress protocol ip pref 12 handle 101 flower \
283		skip_sw dst_ip 192.0.2.2 action drop
284	check_fail $? "Incorrect success to add flower rule in front of a matchall rule"
285
286	tc qdisc del dev $swp1 clsact
287
288	log_test "matchall $action flower egress"
289}
290
291matchall_mirror_behind_flower_egress_test()
292{
293	matchall_behind_flower_egress_test "mirror" "mirred egress mirror dev $swp2"
294}
295
296matchall_proto_match_test()
297{
298	RET=0
299
300	tc qdisc add dev $swp1 clsact
301
302	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
303		matchall skip_sw \
304		action sample group 1 rate 100
305	check_fail $? "Incorrect success to add matchall rule with protocol match"
306
307	tc qdisc del dev $swp1 clsact
308
309	log_test "matchall protocol match"
310}
311
312police_limits_test()
313{
314	RET=0
315
316	tc qdisc add dev $swp1 clsact
317
318	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
319		flower skip_sw \
320		action police rate 0.5kbit burst 1m conform-exceed drop/ok
321	check_fail $? "Incorrect success to add police action with too low rate"
322
323	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
324		flower skip_sw \
325		action police rate 2.5tbit burst 1g conform-exceed drop/ok
326	check_fail $? "Incorrect success to add police action with too high rate"
327
328	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
329		flower skip_sw \
330		action police rate 1.5kbit burst 1m conform-exceed drop/ok
331	check_err $? "Failed to add police action with low rate"
332
333	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
334
335	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
336		flower skip_sw \
337		action police rate 1.9tbit burst 1g conform-exceed drop/ok
338	check_err $? "Failed to add police action with high rate"
339
340	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
341
342	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
343		flower skip_sw \
344		action police rate 1.5kbit burst 512b conform-exceed drop/ok
345	check_fail $? "Incorrect success to add police action with too low burst size"
346
347	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
348		flower skip_sw \
349		action police rate 1.5kbit burst 2k conform-exceed drop/ok
350	check_err $? "Failed to add police action with low burst size"
351
352	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
353
354	tc qdisc del dev $swp1 clsact
355
356	log_test "police rate and burst limits"
357}
358
359multi_police_test()
360{
361	RET=0
362
363	# It is forbidden in mlxsw driver to have multiple police
364	# actions in a single rule.
365
366	tc qdisc add dev $swp1 clsact
367
368	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \
369		flower skip_sw \
370		action police rate 100mbit burst 100k conform-exceed drop/ok
371	check_err $? "Failed to add rule with single police action"
372
373	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
374
375	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \
376		flower skip_sw \
377		action police rate 100mbit burst 100k conform-exceed drop/pipe \
378		action police rate 200mbit burst 200k conform-exceed drop/ok
379	check_fail $? "Incorrect success to add rule with two police actions"
380
381	tc qdisc del dev $swp1 clsact
382
383	log_test "multi police"
384}
385
386setup_prepare()
387{
388	swp1=${NETIFS[p1]}
389	swp2=${NETIFS[p2]}
390
391	vrf_prepare
392
393	switch_create
394}
395
396cleanup()
397{
398	pre_cleanup
399
400	switch_destroy
401
402	vrf_cleanup
403}
404
405check_tc_shblock_support
406
407trap cleanup EXIT
408
409setup_prepare
410setup_wait
411
412tests_run
413
414exit $EXIT_STATUS
415