1#!/bin/bash 2# SPDX-License-Identifier: GPL-2.0 3 4# This test is for checking the A-TCAM and C-TCAM operation in Spectrum-2. 5# It tries to exercise as many code paths in the eRP state machine as 6# possible. 7 8lib_dir=$(dirname $0)/../../../../net/forwarding 9 10ALL_TESTS="single_mask_test identical_filters_test two_masks_test \ 11 multiple_masks_test ctcam_edge_cases_test delta_simple_test \ 12 delta_two_masks_one_key_test delta_simple_rehash_test \ 13 bloom_simple_test bloom_complex_test bloom_delta_test \ 14 max_erp_entries_test max_group_size_test" 15NUM_NETIFS=2 16source $lib_dir/lib.sh 17source $lib_dir/tc_common.sh 18source $lib_dir/devlink_lib.sh 19 20tcflags="skip_hw" 21 22h1_create() 23{ 24 simple_if_init $h1 192.0.2.1/24 198.51.100.1/24 25} 26 27h1_destroy() 28{ 29 simple_if_fini $h1 192.0.2.1/24 198.51.100.1/24 30} 31 32h2_create() 33{ 34 simple_if_init $h2 192.0.2.2/24 198.51.100.2/24 35 tc qdisc add dev $h2 clsact 36} 37 38h2_destroy() 39{ 40 tc qdisc del dev $h2 clsact 41 simple_if_fini $h2 192.0.2.2/24 198.51.100.2/24 42} 43 44tp_record() 45{ 46 local tracepoint=$1 47 local cmd=$2 48 49 perf record -q -e $tracepoint $cmd 50 return $? 51} 52 53tp_record_all() 54{ 55 local tracepoint=$1 56 local seconds=$2 57 58 perf record -a -q -e $tracepoint sleep $seconds 59 return $? 60} 61 62__tp_hit_count() 63{ 64 local tracepoint=$1 65 66 local perf_output=`perf script -F trace:event,trace` 67 return `echo $perf_output | grep "$tracepoint:" | wc -l` 68} 69 70tp_check_hits() 71{ 72 local tracepoint=$1 73 local count=$2 74 75 __tp_hit_count $tracepoint 76 if [[ "$?" -ne "$count" ]]; then 77 return 1 78 fi 79 return 0 80} 81 82tp_check_hits_any() 83{ 84 local tracepoint=$1 85 86 __tp_hit_count $tracepoint 87 if [[ "$?" -eq "0" ]]; then 88 return 1 89 fi 90 return 0 91} 92 93single_mask_test() 94{ 95 # When only a single mask is required, the device uses the master 96 # mask and not the eRP table. Verify that under this mode the right 97 # filter is matched 98 99 RET=0 100 101 tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \ 102 $tcflags dst_ip 192.0.2.2 action drop 103 104 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 105 -t ip -q 106 107 tc_check_packets "dev $h2 ingress" 101 1 108 check_err $? "Single filter - did not match" 109 110 tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \ 111 $tcflags dst_ip 198.51.100.2 action drop 112 113 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 114 -t ip -q 115 116 tc_check_packets "dev $h2 ingress" 101 2 117 check_err $? "Two filters - did not match highest priority" 118 119 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 198.51.100.1 -B 198.51.100.2 \ 120 -t ip -q 121 122 tc_check_packets "dev $h2 ingress" 102 1 123 check_err $? "Two filters - did not match lowest priority" 124 125 tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower 126 127 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 198.51.100.1 -B 198.51.100.2 \ 128 -t ip -q 129 130 tc_check_packets "dev $h2 ingress" 102 2 131 check_err $? "Single filter - did not match after delete" 132 133 tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower 134 135 log_test "single mask test ($tcflags)" 136} 137 138identical_filters_test() 139{ 140 # When two filters that only differ in their priority are used, 141 # one needs to be inserted into the C-TCAM. This test verifies 142 # that filters are correctly spilled to C-TCAM and that the right 143 # filter is matched 144 145 RET=0 146 147 tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \ 148 $tcflags dst_ip 192.0.2.2 action drop 149 tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \ 150 $tcflags dst_ip 192.0.2.2 action drop 151 152 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 153 -t ip -q 154 155 tc_check_packets "dev $h2 ingress" 101 1 156 check_err $? "Did not match A-TCAM filter" 157 158 tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower 159 160 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 161 -t ip -q 162 163 tc_check_packets "dev $h2 ingress" 102 1 164 check_err $? "Did not match C-TCAM filter after A-TCAM delete" 165 166 tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \ 167 $tcflags dst_ip 192.0.2.2 action drop 168 169 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 170 -t ip -q 171 172 tc_check_packets "dev $h2 ingress" 102 2 173 check_err $? "Did not match C-TCAM filter after A-TCAM add" 174 175 tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower 176 177 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 178 -t ip -q 179 180 tc_check_packets "dev $h2 ingress" 103 1 181 check_err $? "Did not match A-TCAM filter after C-TCAM delete" 182 183 tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower 184 185 log_test "identical filters test ($tcflags)" 186} 187 188two_masks_test() 189{ 190 # When more than one mask is required, the eRP table is used. This 191 # test verifies that the eRP table is correctly allocated and used 192 193 RET=0 194 195 tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \ 196 $tcflags dst_ip 192.0.2.2 action drop 197 tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \ 198 $tcflags dst_ip 192.0.0.0/8 action drop 199 200 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 201 -t ip -q 202 203 tc_check_packets "dev $h2 ingress" 101 1 204 check_err $? "Two filters - did not match highest priority" 205 206 tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower 207 208 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 209 -t ip -q 210 211 tc_check_packets "dev $h2 ingress" 103 1 212 check_err $? "Single filter - did not match" 213 214 tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \ 215 $tcflags dst_ip 192.0.2.0/24 action drop 216 217 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 218 -t ip -q 219 220 tc_check_packets "dev $h2 ingress" 102 1 221 check_err $? "Two filters - did not match highest priority after add" 222 223 tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower 224 tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower 225 226 log_test "two masks test ($tcflags)" 227} 228 229multiple_masks_test() 230{ 231 # The number of masks in a region is limited. Once the maximum 232 # number of masks has been reached filters that require new 233 # masks are spilled to the C-TCAM. This test verifies that 234 # spillage is performed correctly and that the right filter is 235 # matched 236 237 if [[ "$tcflags" != "skip_sw" ]]; then 238 return 0; 239 fi 240 241 local index 242 243 RET=0 244 245 NUM_MASKS=32 246 NUM_ERPS=16 247 BASE_INDEX=100 248 249 for i in $(eval echo {1..$NUM_MASKS}); do 250 index=$((BASE_INDEX - i)) 251 252 if ((i > NUM_ERPS)); then 253 exp_hits=1 254 err_msg="$i filters - C-TCAM spill did not happen when it was expected" 255 else 256 exp_hits=0 257 err_msg="$i filters - C-TCAM spill happened when it should not" 258 fi 259 260 tp_record "mlxsw:mlxsw_sp_acl_atcam_entry_add_ctcam_spill" \ 261 "tc filter add dev $h2 ingress protocol ip pref $index \ 262 handle $index \ 263 flower $tcflags \ 264 dst_ip 192.0.2.2/${i} src_ip 192.0.2.1/${i} \ 265 action drop" 266 tp_check_hits "mlxsw:mlxsw_sp_acl_atcam_entry_add_ctcam_spill" \ 267 $exp_hits 268 check_err $? "$err_msg" 269 270 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 \ 271 -B 192.0.2.2 -t ip -q 272 273 tc_check_packets "dev $h2 ingress" $index 1 274 check_err $? "$i filters - did not match highest priority (add)" 275 done 276 277 for i in $(eval echo {$NUM_MASKS..1}); do 278 index=$((BASE_INDEX - i)) 279 280 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 \ 281 -B 192.0.2.2 -t ip -q 282 283 tc_check_packets "dev $h2 ingress" $index 2 284 check_err $? "$i filters - did not match highest priority (del)" 285 286 tc filter del dev $h2 ingress protocol ip pref $index \ 287 handle $index flower 288 done 289 290 log_test "multiple masks test ($tcflags)" 291} 292 293ctcam_two_atcam_masks_test() 294{ 295 RET=0 296 297 # First case: C-TCAM is disabled when there are two A-TCAM masks. 298 # We push a filter into the C-TCAM by using two identical filters 299 # as in identical_filters_test() 300 301 # Filter goes into A-TCAM 302 tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \ 303 $tcflags dst_ip 192.0.2.2 action drop 304 # Filter goes into C-TCAM 305 tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \ 306 $tcflags dst_ip 192.0.2.2 action drop 307 # Filter goes into A-TCAM 308 tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \ 309 $tcflags dst_ip 192.0.0.0/16 action drop 310 311 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 312 -t ip -q 313 314 tc_check_packets "dev $h2 ingress" 101 1 315 check_err $? "Did not match A-TCAM filter" 316 317 # Delete both A-TCAM and C-TCAM filters and make sure the remaining 318 # A-TCAM filter still works 319 tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower 320 tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower 321 322 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 323 -t ip -q 324 325 tc_check_packets "dev $h2 ingress" 103 1 326 check_err $? "Did not match A-TCAM filter" 327 328 tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower 329 330 log_test "ctcam with two atcam masks test ($tcflags)" 331} 332 333ctcam_one_atcam_mask_test() 334{ 335 RET=0 336 337 # Second case: C-TCAM is disabled when there is one A-TCAM mask. 338 # The test is similar to identical_filters_test() 339 340 # Filter goes into A-TCAM 341 tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \ 342 $tcflags dst_ip 192.0.2.2 action drop 343 # Filter goes into C-TCAM 344 tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \ 345 $tcflags dst_ip 192.0.2.2 action drop 346 347 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 348 -t ip -q 349 350 tc_check_packets "dev $h2 ingress" 101 1 351 check_err $? "Did not match C-TCAM filter" 352 353 tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower 354 355 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 356 -t ip -q 357 358 tc_check_packets "dev $h2 ingress" 102 1 359 check_err $? "Did not match A-TCAM filter" 360 361 tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower 362 363 log_test "ctcam with one atcam mask test ($tcflags)" 364} 365 366ctcam_no_atcam_masks_test() 367{ 368 RET=0 369 370 # Third case: C-TCAM is disabled when there are no A-TCAM masks 371 # This test exercises the code path that transitions the eRP table 372 # to its initial state after deleting the last C-TCAM mask 373 374 # Filter goes into A-TCAM 375 tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \ 376 $tcflags dst_ip 192.0.2.2 action drop 377 # Filter goes into C-TCAM 378 tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \ 379 $tcflags dst_ip 192.0.2.2 action drop 380 381 tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower 382 tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower 383 384 log_test "ctcam with no atcam masks test ($tcflags)" 385} 386 387ctcam_edge_cases_test() 388{ 389 # When the C-TCAM is disabled after deleting the last C-TCAM 390 # mask, we want to make sure the eRP state machine is put in 391 # the correct state 392 393 ctcam_two_atcam_masks_test 394 ctcam_one_atcam_mask_test 395 ctcam_no_atcam_masks_test 396} 397 398delta_simple_test() 399{ 400 # The first filter will create eRP, the second filter will fit into 401 # the first eRP with delta. Remove the first rule then and check that 402 # the eRP stays (referenced by the second filter). 403 404 RET=0 405 406 if [[ "$tcflags" != "skip_sw" ]]; then 407 return 0; 408 fi 409 410 tp_record "objagg:*" "tc filter add dev $h2 ingress protocol ip \ 411 pref 1 handle 101 flower $tcflags dst_ip 192.0.0.0/24 \ 412 action drop" 413 tp_check_hits "objagg:objagg_obj_root_create" 1 414 check_err $? "eRP was not created" 415 416 tp_record "objagg:*" "tc filter add dev $h2 ingress protocol ip \ 417 pref 2 handle 102 flower $tcflags dst_ip 192.0.2.2 \ 418 action drop" 419 tp_check_hits "objagg:objagg_obj_root_create" 0 420 check_err $? "eRP was incorrectly created" 421 tp_check_hits "objagg:objagg_obj_parent_assign" 1 422 check_err $? "delta was not created" 423 424 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 425 -t ip -q 426 427 tc_check_packets "dev $h2 ingress" 101 1 428 check_fail $? "Matched a wrong filter" 429 430 tc_check_packets "dev $h2 ingress" 102 1 431 check_err $? "Did not match on correct filter" 432 433 tp_record "objagg:*" "tc filter del dev $h2 ingress protocol ip \ 434 pref 1 handle 101 flower" 435 tp_check_hits "objagg:objagg_obj_root_destroy" 0 436 check_err $? "eRP was incorrectly destroyed" 437 tp_check_hits "objagg:objagg_obj_parent_unassign" 0 438 check_err $? "delta was incorrectly destroyed" 439 440 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 441 -t ip -q 442 443 tc_check_packets "dev $h2 ingress" 102 2 444 check_err $? "Did not match on correct filter after the first was removed" 445 446 tp_record "objagg:*" "tc filter del dev $h2 ingress protocol ip \ 447 pref 2 handle 102 flower" 448 tp_check_hits "objagg:objagg_obj_parent_unassign" 1 449 check_err $? "delta was not destroyed" 450 tp_check_hits "objagg:objagg_obj_root_destroy" 1 451 check_err $? "eRP was not destroyed" 452 453 log_test "delta simple test ($tcflags)" 454} 455 456delta_two_masks_one_key_test() 457{ 458 # If 2 keys are the same and only differ in mask in a way that 459 # they belong under the same ERP (second is delta of the first), 460 # there should be no C-TCAM spill. 461 462 RET=0 463 464 if [[ "$tcflags" != "skip_sw" ]]; then 465 return 0; 466 fi 467 468 tp_record "mlxsw:*" "tc filter add dev $h2 ingress protocol ip \ 469 pref 1 handle 101 flower $tcflags dst_ip 192.0.2.0/24 \ 470 action drop" 471 tp_check_hits "mlxsw:mlxsw_sp_acl_atcam_entry_add_ctcam_spill" 0 472 check_err $? "incorrect C-TCAM spill while inserting the first rule" 473 474 tp_record "mlxsw:*" "tc filter add dev $h2 ingress protocol ip \ 475 pref 2 handle 102 flower $tcflags dst_ip 192.0.2.2 \ 476 action drop" 477 tp_check_hits "mlxsw:mlxsw_sp_acl_atcam_entry_add_ctcam_spill" 0 478 check_err $? "incorrect C-TCAM spill while inserting the second rule" 479 480 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 481 -t ip -q 482 483 tc_check_packets "dev $h2 ingress" 101 1 484 check_err $? "Did not match on correct filter" 485 486 tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower 487 488 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 489 -t ip -q 490 491 tc_check_packets "dev $h2 ingress" 102 1 492 check_err $? "Did not match on correct filter" 493 494 tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower 495 496 log_test "delta two masks one key test ($tcflags)" 497} 498 499delta_simple_rehash_test() 500{ 501 RET=0 502 503 if [[ "$tcflags" != "skip_sw" ]]; then 504 return 0; 505 fi 506 507 devlink dev param set $DEVLINK_DEV \ 508 name acl_region_rehash_interval cmode runtime value 0 509 check_err $? "Failed to set ACL region rehash interval" 510 511 tp_record_all mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 7 512 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 513 check_fail $? "Rehash trace was hit even when rehash should be disabled" 514 515 devlink dev param set $DEVLINK_DEV \ 516 name acl_region_rehash_interval cmode runtime value 3000 517 check_err $? "Failed to set ACL region rehash interval" 518 519 sleep 1 520 521 tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \ 522 $tcflags dst_ip 192.0.1.0/25 action drop 523 tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \ 524 $tcflags dst_ip 192.0.2.2 action drop 525 tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \ 526 $tcflags dst_ip 192.0.3.0/24 action drop 527 528 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 529 -t ip -q 530 531 tc_check_packets "dev $h2 ingress" 101 1 532 check_fail $? "Matched a wrong filter" 533 534 tc_check_packets "dev $h2 ingress" 103 1 535 check_fail $? "Matched a wrong filter" 536 537 tc_check_packets "dev $h2 ingress" 102 1 538 check_err $? "Did not match on correct filter" 539 540 tp_record_all mlxsw:* 3 541 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 542 check_err $? "Rehash trace was not hit" 543 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate 544 check_err $? "Migrate trace was not hit" 545 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate_end 546 check_err $? "Migrate end trace was not hit" 547 tp_record_all mlxsw:* 3 548 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 549 check_err $? "Rehash trace was not hit" 550 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate 551 check_fail $? "Migrate trace was hit when no migration should happen" 552 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate_end 553 check_fail $? "Migrate end trace was hit when no migration should happen" 554 555 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 556 -t ip -q 557 558 tc_check_packets "dev $h2 ingress" 101 1 559 check_fail $? "Matched a wrong filter after rehash" 560 561 tc_check_packets "dev $h2 ingress" 103 1 562 check_fail $? "Matched a wrong filter after rehash" 563 564 tc_check_packets "dev $h2 ingress" 102 2 565 check_err $? "Did not match on correct filter after rehash" 566 567 tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower 568 tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower 569 tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower 570 571 log_test "delta simple rehash test ($tcflags)" 572} 573 574delta_simple_ipv6_rehash_test() 575{ 576 RET=0 577 578 if [[ "$tcflags" != "skip_sw" ]]; then 579 return 0; 580 fi 581 582 devlink dev param set $DEVLINK_DEV \ 583 name acl_region_rehash_interval cmode runtime value 0 584 check_err $? "Failed to set ACL region rehash interval" 585 586 tp_record_all mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 7 587 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 588 check_fail $? "Rehash trace was hit even when rehash should be disabled" 589 590 devlink dev param set $DEVLINK_DEV \ 591 name acl_region_rehash_interval cmode runtime value 3000 592 check_err $? "Failed to set ACL region rehash interval" 593 594 sleep 1 595 596 tc filter add dev $h2 ingress protocol ipv6 pref 1 handle 101 flower \ 597 $tcflags dst_ip 2001:db8:1::0/121 action drop 598 tc filter add dev $h2 ingress protocol ipv6 pref 2 handle 102 flower \ 599 $tcflags dst_ip 2001:db8:2::2 action drop 600 tc filter add dev $h2 ingress protocol ipv6 pref 3 handle 103 flower \ 601 $tcflags dst_ip 2001:db8:3::0/120 action drop 602 603 $MZ $h1 -6 -c 1 -p 64 -a $h1mac -b $h2mac \ 604 -A 2001:db8:2::1 -B 2001:db8:2::2 -t udp -q 605 606 tc_check_packets "dev $h2 ingress" 101 1 607 check_fail $? "Matched a wrong filter" 608 609 tc_check_packets "dev $h2 ingress" 103 1 610 check_fail $? "Matched a wrong filter" 611 612 tc_check_packets "dev $h2 ingress" 102 1 613 check_err $? "Did not match on correct filter" 614 615 tp_record_all mlxsw:* 3 616 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 617 check_err $? "Rehash trace was not hit" 618 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate 619 check_err $? "Migrate trace was not hit" 620 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate_end 621 check_err $? "Migrate end trace was not hit" 622 tp_record_all mlxsw:* 3 623 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 624 check_err $? "Rehash trace was not hit" 625 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate 626 check_fail $? "Migrate trace was hit when no migration should happen" 627 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate_end 628 check_fail $? "Migrate end trace was hit when no migration should happen" 629 630 $MZ $h1 -6 -c 1 -p 64 -a $h1mac -b $h2mac \ 631 -A 2001:db8:2::1 -B 2001:db8:2::2 -t udp -q 632 633 tc_check_packets "dev $h2 ingress" 101 1 634 check_fail $? "Matched a wrong filter after rehash" 635 636 tc_check_packets "dev $h2 ingress" 103 1 637 check_fail $? "Matched a wrong filter after rehash" 638 639 tc_check_packets "dev $h2 ingress" 102 2 640 check_err $? "Did not match on correct filter after rehash" 641 642 tc filter del dev $h2 ingress protocol ipv6 pref 3 handle 103 flower 643 tc filter del dev $h2 ingress protocol ipv6 pref 2 handle 102 flower 644 tc filter del dev $h2 ingress protocol ipv6 pref 1 handle 101 flower 645 646 log_test "delta simple IPv6 rehash test ($tcflags)" 647} 648 649TEST_RULE_BASE=256 650declare -a test_rules_inserted 651 652test_rule_add() 653{ 654 local iface=$1 655 local tcflags=$2 656 local index=$3 657 658 if ! [ ${test_rules_inserted[$index]} ] ; then 659 test_rules_inserted[$index]=false 660 fi 661 if ${test_rules_inserted[$index]} ; then 662 return 663 fi 664 665 local number=$(( $index + $TEST_RULE_BASE )) 666 printf -v hexnumber '%x' $number 667 668 batch="${batch}filter add dev $iface ingress protocol ipv6 pref 1 \ 669 handle $number flower $tcflags \ 670 src_ip 2001:db8:1::$hexnumber action drop\n" 671 test_rules_inserted[$index]=true 672} 673 674test_rule_del() 675{ 676 local iface=$1 677 local index=$2 678 679 if ! [ ${test_rules_inserted[$index]} ] ; then 680 test_rules_inserted[$index]=false 681 fi 682 if ! ${test_rules_inserted[$index]} ; then 683 return 684 fi 685 686 local number=$(( $index + $TEST_RULE_BASE )) 687 printf -v hexnumber '%x' $number 688 689 batch="${batch}filter del dev $iface ingress protocol ipv6 pref 1 \ 690 handle $number flower\n" 691 test_rules_inserted[$index]=false 692} 693 694test_rule_add_or_remove() 695{ 696 local iface=$1 697 local tcflags=$2 698 local index=$3 699 700 if ! [ ${test_rules_inserted[$index]} ] ; then 701 test_rules_inserted[$index]=false 702 fi 703 if ${test_rules_inserted[$index]} ; then 704 test_rule_del $iface $index 705 else 706 test_rule_add $iface $tcflags $index 707 fi 708} 709 710test_rule_add_or_remove_random_batch() 711{ 712 local iface=$1 713 local tcflags=$2 714 local total_count=$3 715 local skip=0 716 local count=0 717 local MAXSKIP=20 718 local MAXCOUNT=20 719 720 for ((i=1;i<=total_count;i++)); do 721 if (( $skip == 0 )) && (($count == 0)); then 722 ((skip=$RANDOM % $MAXSKIP + 1)) 723 ((count=$RANDOM % $MAXCOUNT + 1)) 724 fi 725 if (( $skip != 0 )); then 726 ((skip-=1)) 727 else 728 ((count-=1)) 729 test_rule_add_or_remove $iface $tcflags $i 730 fi 731 done 732} 733 734delta_massive_ipv6_rehash_test() 735{ 736 RET=0 737 738 if [[ "$tcflags" != "skip_sw" ]]; then 739 return 0; 740 fi 741 742 devlink dev param set $DEVLINK_DEV \ 743 name acl_region_rehash_interval cmode runtime value 0 744 check_err $? "Failed to set ACL region rehash interval" 745 746 tp_record_all mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 7 747 tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 748 check_fail $? "Rehash trace was hit even when rehash should be disabled" 749 750 RANDOM=4432897 751 declare batch="" 752 test_rule_add_or_remove_random_batch $h2 $tcflags 5000 753 754 echo -n -e $batch | tc -b - 755 756 declare batch="" 757 test_rule_add_or_remove_random_batch $h2 $tcflags 5000 758 759 devlink dev param set $DEVLINK_DEV \ 760 name acl_region_rehash_interval cmode runtime value 3000 761 check_err $? "Failed to set ACL region rehash interval" 762 763 sleep 1 764 765 tc filter add dev $h2 ingress protocol ipv6 pref 1 handle 101 flower \ 766 $tcflags dst_ip 2001:db8:1::0/121 action drop 767 tc filter add dev $h2 ingress protocol ipv6 pref 2 handle 102 flower \ 768 $tcflags dst_ip 2001:db8:2::2 action drop 769 tc filter add dev $h2 ingress protocol ipv6 pref 3 handle 103 flower \ 770 $tcflags dst_ip 2001:db8:3::0/120 action drop 771 772 $MZ $h1 -6 -c 1 -p 64 -a $h1mac -b $h2mac \ 773 -A 2001:db8:2::1 -B 2001:db8:2::2 -t udp -q 774 775 tc_check_packets "dev $h2 ingress" 101 1 776 check_fail $? "Matched a wrong filter" 777 778 tc_check_packets "dev $h2 ingress" 103 1 779 check_fail $? "Matched a wrong filter" 780 781 tc_check_packets "dev $h2 ingress" 102 1 782 check_err $? "Did not match on correct filter" 783 784 echo -n -e $batch | tc -b - 785 786 devlink dev param set $DEVLINK_DEV \ 787 name acl_region_rehash_interval cmode runtime value 0 788 check_err $? "Failed to set ACL region rehash interval" 789 790 $MZ $h1 -6 -c 1 -p 64 -a $h1mac -b $h2mac \ 791 -A 2001:db8:2::1 -B 2001:db8:2::2 -t udp -q 792 793 tc_check_packets "dev $h2 ingress" 101 1 794 check_fail $? "Matched a wrong filter after rehash" 795 796 tc_check_packets "dev $h2 ingress" 103 1 797 check_fail $? "Matched a wrong filter after rehash" 798 799 tc_check_packets "dev $h2 ingress" 102 2 800 check_err $? "Did not match on correct filter after rehash" 801 802 tc filter del dev $h2 ingress protocol ipv6 pref 3 handle 103 flower 803 tc filter del dev $h2 ingress protocol ipv6 pref 2 handle 102 flower 804 tc filter del dev $h2 ingress protocol ipv6 pref 1 handle 101 flower 805 806 declare batch="" 807 for i in {1..5000}; do 808 test_rule_del $h2 $tcflags $i 809 done 810 echo -e $batch | tc -b - 811 812 log_test "delta massive IPv6 rehash test ($tcflags)" 813} 814 815bloom_simple_test() 816{ 817 # Bloom filter requires that the eRP table is used. This test 818 # verifies that Bloom filter is not harming correctness of ACLs. 819 # First, make sure that eRP table is used and then set rule patterns 820 # which are distant enough and will result skipping a lookup after 821 # consulting the Bloom filter. Although some eRP lookups are skipped, 822 # the correct filter should be hit. 823 824 RET=0 825 826 tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \ 827 $tcflags dst_ip 192.0.2.2 action drop 828 tc filter add dev $h2 ingress protocol ip pref 5 handle 104 flower \ 829 $tcflags dst_ip 198.51.100.2 action drop 830 tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \ 831 $tcflags dst_ip 192.0.0.0/8 action drop 832 833 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 834 -t ip -q 835 836 tc_check_packets "dev $h2 ingress" 101 1 837 check_err $? "Two filters - did not match highest priority" 838 839 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 198.51.100.1 -B 198.51.100.2 \ 840 -t ip -q 841 842 tc_check_packets "dev $h2 ingress" 104 1 843 check_err $? "Single filter - did not match" 844 845 tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower 846 847 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 848 -t ip -q 849 850 tc_check_packets "dev $h2 ingress" 103 1 851 check_err $? "Low prio filter - did not match" 852 853 tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \ 854 $tcflags dst_ip 198.0.0.0/8 action drop 855 856 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 198.51.100.1 -B 198.51.100.2 \ 857 -t ip -q 858 859 tc_check_packets "dev $h2 ingress" 102 1 860 check_err $? "Two filters - did not match highest priority after add" 861 862 tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower 863 tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower 864 tc filter del dev $h2 ingress protocol ip pref 5 handle 104 flower 865 866 log_test "bloom simple test ($tcflags)" 867} 868 869bloom_complex_test() 870{ 871 # Bloom filter index computation is affected from region ID, eRP 872 # ID and from the region key size. In order to excercise those parts 873 # of the Bloom filter code, use a series of regions, each with a 874 # different key size and send packet that should hit all of them. 875 local index 876 877 RET=0 878 NUM_CHAINS=4 879 BASE_INDEX=100 880 881 # Create chain with up to 2 key blocks (ip_proto only) 882 tc chain add dev $h2 ingress chain 1 protocol ip flower \ 883 ip_proto tcp &> /dev/null 884 # Create chain with 2-4 key blocks (ip_proto, src MAC) 885 tc chain add dev $h2 ingress chain 2 protocol ip flower \ 886 ip_proto tcp \ 887 src_mac 00:00:00:00:00:00/FF:FF:FF:FF:FF:FF &> /dev/null 888 # Create chain with 4-8 key blocks (ip_proto, src & dst MAC, IPv4 dest) 889 tc chain add dev $h2 ingress chain 3 protocol ip flower \ 890 ip_proto tcp \ 891 dst_mac 00:00:00:00:00:00/FF:FF:FF:FF:FF:FF \ 892 src_mac 00:00:00:00:00:00/FF:FF:FF:FF:FF:FF \ 893 dst_ip 0.0.0.0/32 &> /dev/null 894 # Default chain contains all fields and therefore is 8-12 key blocks 895 tc chain add dev $h2 ingress chain 4 896 897 # We need at least 2 rules in every region to have eRP table active 898 # so create a dummy rule per chain using a different pattern 899 for i in $(eval echo {0..$NUM_CHAINS}); do 900 index=$((BASE_INDEX - 1 - i)) 901 tc filter add dev $h2 ingress chain $i protocol ip \ 902 pref 2 handle $index flower \ 903 $tcflags ip_proto tcp action drop 904 done 905 906 # Add rules to test Bloom filter, each in a different chain 907 index=$BASE_INDEX 908 tc filter add dev $h2 ingress protocol ip \ 909 pref 1 handle $((++index)) flower \ 910 $tcflags dst_ip 192.0.0.0/16 action goto chain 1 911 tc filter add dev $h2 ingress chain 1 protocol ip \ 912 pref 1 handle $((++index)) flower \ 913 $tcflags action goto chain 2 914 tc filter add dev $h2 ingress chain 2 protocol ip \ 915 pref 1 handle $((++index)) flower \ 916 $tcflags src_mac $h1mac action goto chain 3 917 tc filter add dev $h2 ingress chain 3 protocol ip \ 918 pref 1 handle $((++index)) flower \ 919 $tcflags dst_ip 192.0.0.0/8 action goto chain 4 920 tc filter add dev $h2 ingress chain 4 protocol ip \ 921 pref 1 handle $((++index)) flower \ 922 $tcflags src_ip 192.0.2.0/24 action drop 923 924 # Send a packet that is supposed to hit all chains 925 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \ 926 -t ip -q 927 928 for i in $(eval echo {0..$NUM_CHAINS}); do 929 index=$((BASE_INDEX + i + 1)) 930 tc_check_packets "dev $h2 ingress" $index 1 931 check_err $? "Did not match chain $i" 932 done 933 934 # Rules cleanup 935 for i in $(eval echo {$NUM_CHAINS..0}); do 936 index=$((BASE_INDEX - i - 1)) 937 tc filter del dev $h2 ingress chain $i \ 938 pref 2 handle $index flower 939 index=$((BASE_INDEX + i + 1)) 940 tc filter del dev $h2 ingress chain $i \ 941 pref 1 handle $index flower 942 done 943 944 # Chains cleanup 945 for i in $(eval echo {$NUM_CHAINS..1}); do 946 tc chain del dev $h2 ingress chain $i 947 done 948 949 log_test "bloom complex test ($tcflags)" 950} 951 952 953bloom_delta_test() 954{ 955 # When multiple masks are used, the eRP table is activated. When 956 # masks are close enough (delta) the masks reside on the same 957 # eRP table. This test verifies that the eRP table is correctly 958 # allocated and used in delta condition and that Bloom filter is 959 # still functional with delta. 960 961 RET=0 962 963 tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \ 964 $tcflags dst_ip 192.1.0.0/16 action drop 965 966 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.1.2.1 -B 192.1.2.2 \ 967 -t ip -q 968 969 tc_check_packets "dev $h2 ingress" 103 1 970 check_err $? "Single filter - did not match" 971 972 tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \ 973 $tcflags dst_ip 192.2.1.0/24 action drop 974 975 $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.2.1.1 -B 192.2.1.2 \ 976 -t ip -q 977 978 tc_check_packets "dev $h2 ingress" 102 1 979 check_err $? "Delta filters - did not match second filter" 980 981 tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower 982 tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower 983 984 log_test "bloom delta test ($tcflags)" 985} 986 987max_erp_entries_test() 988{ 989 # The number of eRP entries is limited. Once the maximum number of eRPs 990 # has been reached, filters cannot be added. This test verifies that 991 # when this limit is reached, inserstion fails without crashing. 992 993 RET=0 994 995 local num_masks=32 996 local num_regions=15 997 local chain_failed 998 local mask_failed 999 local ret 1000 1001 if [[ "$tcflags" != "skip_sw" ]]; then 1002 return 0; 1003 fi 1004 1005 for ((i=1; i < $num_regions; i++)); do 1006 for ((j=$num_masks; j >= 0; j--)); do 1007 tc filter add dev $h2 ingress chain $i protocol ip \ 1008 pref $i handle $j flower $tcflags \ 1009 dst_ip 192.1.0.0/$j &> /dev/null 1010 ret=$? 1011 1012 if [ $ret -ne 0 ]; then 1013 chain_failed=$i 1014 mask_failed=$j 1015 break 2 1016 fi 1017 done 1018 done 1019 1020 # We expect to exceed the maximum number of eRP entries, so that 1021 # insertion eventually fails. Otherwise, the test should be adjusted to 1022 # add more filters. 1023 check_fail $ret "expected to exceed number of eRP entries" 1024 1025 for ((; i >= 1; i--)); do 1026 for ((j=0; j <= $num_masks; j++)); do 1027 tc filter del dev $h2 ingress chain $i protocol ip \ 1028 pref $i handle $j flower &> /dev/null 1029 done 1030 done 1031 1032 log_test "max eRP entries test ($tcflags). " \ 1033 "max chain $chain_failed, mask $mask_failed" 1034} 1035 1036max_group_size_test() 1037{ 1038 # The number of ACLs in an ACL group is limited. Once the maximum 1039 # number of ACLs has been reached, filters cannot be added. This test 1040 # verifies that when this limit is reached, insertion fails without 1041 # crashing. 1042 1043 RET=0 1044 1045 local num_acls=32 1046 local max_size 1047 local ret 1048 1049 if [[ "$tcflags" != "skip_sw" ]]; then 1050 return 0; 1051 fi 1052 1053 for ((i=1; i < $num_acls; i++)); do 1054 if [[ $(( i % 2 )) == 1 ]]; then 1055 tc filter add dev $h2 ingress pref $i proto ipv4 \ 1056 flower $tcflags dst_ip 198.51.100.1/32 \ 1057 ip_proto tcp tcp_flags 0x01/0x01 \ 1058 action drop &> /dev/null 1059 else 1060 tc filter add dev $h2 ingress pref $i proto ipv6 \ 1061 flower $tcflags dst_ip 2001:db8:1::1/128 \ 1062 action drop &> /dev/null 1063 fi 1064 1065 ret=$? 1066 [[ $ret -ne 0 ]] && max_size=$((i - 1)) && break 1067 done 1068 1069 # We expect to exceed the maximum number of ACLs in a group, so that 1070 # insertion eventually fails. Otherwise, the test should be adjusted to 1071 # add more filters. 1072 check_fail $ret "expected to exceed number of ACLs in a group" 1073 1074 for ((; i >= 1; i--)); do 1075 if [[ $(( i % 2 )) == 1 ]]; then 1076 tc filter del dev $h2 ingress pref $i proto ipv4 \ 1077 flower $tcflags dst_ip 198.51.100.1/32 \ 1078 ip_proto tcp tcp_flags 0x01/0x01 \ 1079 action drop &> /dev/null 1080 else 1081 tc filter del dev $h2 ingress pref $i proto ipv6 \ 1082 flower $tcflags dst_ip 2001:db8:1::1/128 \ 1083 action drop &> /dev/null 1084 fi 1085 done 1086 1087 log_test "max ACL group size test ($tcflags). max size $max_size" 1088} 1089 1090setup_prepare() 1091{ 1092 h1=${NETIFS[p1]} 1093 h2=${NETIFS[p2]} 1094 h1mac=$(mac_get $h1) 1095 h2mac=$(mac_get $h2) 1096 1097 vrf_prepare 1098 1099 h1_create 1100 h2_create 1101} 1102 1103cleanup() 1104{ 1105 pre_cleanup 1106 1107 h2_destroy 1108 h1_destroy 1109 1110 vrf_cleanup 1111} 1112 1113trap cleanup EXIT 1114 1115setup_prepare 1116setup_wait 1117 1118tests_run 1119 1120if ! tc_offload_check; then 1121 check_err 1 "Could not test offloaded functionality" 1122 log_test "mlxsw-specific tests for tc flower" 1123 exit 1124else 1125 tcflags="skip_sw" 1126 tests_run 1127fi 1128 1129exit $EXIT_STATUS 1130