1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3
4lib_dir=$(dirname $0)/../../../net/forwarding
5
6ALL_TESTS="
7	shared_block_drop_test
8	egress_redirect_test
9	multi_mirror_test
10	matchall_sample_egress_test
11	matchall_mirror_behind_flower_ingress_test
12	matchall_sample_behind_flower_ingress_test
13	matchall_mirror_behind_flower_egress_test
14	police_limits_test
15	multi_police_test
16"
17NUM_NETIFS=2
18
19source $lib_dir/tc_common.sh
20source $lib_dir/lib.sh
21
22switch_create()
23{
24	simple_if_init $swp1 192.0.2.1/24
25	simple_if_init $swp2 192.0.2.2/24
26}
27
28switch_destroy()
29{
30	simple_if_fini $swp2 192.0.2.2/24
31	simple_if_fini $swp1 192.0.2.1/24
32}
33
34shared_block_drop_test()
35{
36	RET=0
37
38	# It is forbidden in mlxsw driver to have mixed-bound
39	# shared block with a drop rule.
40
41	tc qdisc add dev $swp1 ingress_block 22 clsact
42	check_err $? "Failed to create clsact with ingress block"
43
44	tc filter add block 22 protocol ip pref 1 handle 101 flower \
45		skip_sw dst_ip 192.0.2.2 action drop
46	check_err $? "Failed to add drop rule to ingress bound block"
47
48	tc qdisc add dev $swp2 ingress_block 22 clsact
49	check_err $? "Failed to create another clsact with ingress shared block"
50
51	tc qdisc del dev $swp2 clsact
52
53	tc qdisc add dev $swp2 egress_block 22 clsact
54	check_fail $? "Incorrect success to create another clsact with egress shared block"
55
56	tc filter del block 22 protocol ip pref 1 handle 101 flower
57
58	tc qdisc add dev $swp2 egress_block 22 clsact
59	check_err $? "Failed to create another clsact with egress shared block after blocker drop rule removed"
60
61	tc filter add block 22 protocol ip pref 1 handle 101 flower \
62		skip_sw dst_ip 192.0.2.2 action drop
63	check_fail $? "Incorrect success to add drop rule to mixed bound block"
64
65	tc qdisc del dev $swp1 clsact
66
67	tc qdisc add dev $swp1 egress_block 22 clsact
68	check_err $? "Failed to create another clsact with egress shared block"
69
70	tc filter add block 22 protocol ip pref 1 handle 101 flower \
71		skip_sw dst_ip 192.0.2.2 action drop
72	check_err $? "Failed to add drop rule to egress bound shared block"
73
74	tc filter del block 22 protocol ip pref 1 handle 101 flower
75
76	tc qdisc del dev $swp2 clsact
77	tc qdisc del dev $swp1 clsact
78
79	log_test "shared block drop"
80}
81
82egress_redirect_test()
83{
84	RET=0
85
86	# It is forbidden in mlxsw driver to have mirred redirect on
87	# egress-bound block.
88
89	tc qdisc add dev $swp1 ingress_block 22 clsact
90	check_err $? "Failed to create clsact with ingress block"
91
92	tc filter add block 22 protocol ip pref 1 handle 101 flower \
93		skip_sw dst_ip 192.0.2.2 \
94		action mirred egress redirect dev $swp2
95	check_err $? "Failed to add redirect rule to ingress bound block"
96
97	tc qdisc add dev $swp2 ingress_block 22 clsact
98	check_err $? "Failed to create another clsact with ingress shared block"
99
100	tc qdisc del dev $swp2 clsact
101
102	tc qdisc add dev $swp2 egress_block 22 clsact
103	check_fail $? "Incorrect success to create another clsact with egress shared block"
104
105	tc filter del block 22 protocol ip pref 1 handle 101 flower
106
107	tc qdisc add dev $swp2 egress_block 22 clsact
108	check_err $? "Failed to create another clsact with egress shared block after blocker redirect rule removed"
109
110	tc filter add block 22 protocol ip pref 1 handle 101 flower \
111		skip_sw dst_ip 192.0.2.2 \
112		action mirred egress redirect dev $swp2
113	check_fail $? "Incorrect success to add redirect rule to mixed bound block"
114
115	tc qdisc del dev $swp1 clsact
116
117	tc qdisc add dev $swp1 egress_block 22 clsact
118	check_err $? "Failed to create another clsact with egress shared block"
119
120	tc filter add block 22 protocol ip pref 1 handle 101 flower \
121		skip_sw dst_ip 192.0.2.2 \
122		action mirred egress redirect dev $swp2
123	check_fail $? "Incorrect success to add redirect rule to egress bound shared block"
124
125	tc qdisc del dev $swp2 clsact
126
127	tc filter add block 22 protocol ip pref 1 handle 101 flower \
128		skip_sw dst_ip 192.0.2.2 \
129		action mirred egress redirect dev $swp2
130	check_fail $? "Incorrect success to add redirect rule to egress bound block"
131
132	tc qdisc del dev $swp1 clsact
133
134	log_test "shared block drop"
135}
136
137multi_mirror_test()
138{
139	RET=0
140
141	# It is forbidden in mlxsw driver to have multiple mirror
142	# actions in a single rule.
143
144	tc qdisc add dev $swp1 clsact
145
146	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
147		skip_sw dst_ip 192.0.2.2 \
148		action mirred egress mirror dev $swp2
149	check_err $? "Failed to add rule with single mirror action"
150
151	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
152
153	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
154		skip_sw dst_ip 192.0.2.2 \
155		action mirred egress mirror dev $swp2 \
156		action mirred egress mirror dev $swp1
157	check_fail $? "Incorrect success to add rule with two mirror actions"
158
159	tc qdisc del dev $swp1 clsact
160
161	log_test "multi mirror"
162}
163
164matchall_sample_egress_test()
165{
166	RET=0
167
168	# It is forbidden in mlxsw driver to have matchall with sample action
169	# bound on egress
170
171	tc qdisc add dev $swp1 clsact
172
173	tc filter add dev $swp1 ingress protocol all pref 1 handle 101 \
174		matchall skip_sw action sample rate 100 group 1
175	check_err $? "Failed to add rule with sample action on ingress"
176
177	tc filter del dev $swp1 ingress protocol all pref 1 handle 101 matchall
178
179	tc filter add dev $swp1 egress protocol all pref 1 handle 101 \
180		matchall skip_sw action sample rate 100 group 1
181	check_fail $? "Incorrect success to add rule with sample action on egress"
182
183	tc qdisc del dev $swp1 clsact
184
185	log_test "matchall sample egress"
186}
187
188matchall_behind_flower_ingress_test()
189{
190	local action=$1
191	local action_args=$2
192
193	RET=0
194
195	# On ingress, all matchall-mirror and matchall-sample
196	# rules have to be in front of the flower rules
197
198	tc qdisc add dev $swp1 clsact
199
200	tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \
201		skip_sw dst_ip 192.0.2.2 action drop
202
203	tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \
204		matchall skip_sw action $action_args
205	check_err $? "Failed to add matchall rule in front of a flower rule"
206
207	tc filter del dev $swp1 ingress protocol all pref 9 handle 102 matchall
208
209	tc filter add dev $swp1 ingress protocol all pref 11 handle 102 \
210		matchall skip_sw action $action_args
211	check_fail $? "Incorrect success to add matchall rule behind a flower rule"
212
213	tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower
214
215	tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \
216		matchall skip_sw action $action_args
217
218	tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \
219		skip_sw dst_ip 192.0.2.2 action drop
220	check_err $? "Failed to add flower rule behind a matchall rule"
221
222	tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower
223
224	tc filter add dev $swp1 ingress protocol ip pref 8 handle 101 flower \
225		skip_sw dst_ip 192.0.2.2 action drop
226	check_fail $? "Incorrect success to add flower rule in front of a matchall rule"
227
228	tc qdisc del dev $swp1 clsact
229
230	log_test "matchall $action flower ingress"
231}
232
233matchall_mirror_behind_flower_ingress_test()
234{
235	matchall_behind_flower_ingress_test "mirror" "mirred egress mirror dev $swp2"
236}
237
238matchall_sample_behind_flower_ingress_test()
239{
240	matchall_behind_flower_ingress_test "sample" "sample rate 100 group 1"
241}
242
243matchall_behind_flower_egress_test()
244{
245	local action=$1
246	local action_args=$2
247
248	RET=0
249
250	# On egress, all matchall-mirror rules have to be behind the flower rules
251
252	tc qdisc add dev $swp1 clsact
253
254	tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \
255		skip_sw dst_ip 192.0.2.2 action drop
256
257	tc filter add dev $swp1 egress protocol all pref 11 handle 102 \
258		matchall skip_sw action $action_args
259	check_err $? "Failed to add matchall rule in front of a flower rule"
260
261	tc filter del dev $swp1 egress protocol all pref 11 handle 102 matchall
262
263	tc filter add dev $swp1 egress protocol all pref 9 handle 102 \
264		matchall skip_sw action $action_args
265	check_fail $? "Incorrect success to add matchall rule behind a flower rule"
266
267	tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower
268
269	tc filter add dev $swp1 egress protocol all pref 11 handle 102 \
270		matchall skip_sw action $action_args
271
272	tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \
273		skip_sw dst_ip 192.0.2.2 action drop
274	check_err $? "Failed to add flower rule behind a matchall rule"
275
276	tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower
277
278	tc filter add dev $swp1 egress protocol ip pref 12 handle 101 flower \
279		skip_sw dst_ip 192.0.2.2 action drop
280	check_fail $? "Incorrect success to add flower rule in front of a matchall rule"
281
282	tc qdisc del dev $swp1 clsact
283
284	log_test "matchall $action flower egress"
285}
286
287matchall_mirror_behind_flower_egress_test()
288{
289	matchall_behind_flower_egress_test "mirror" "mirred egress mirror dev $swp2"
290}
291
292police_limits_test()
293{
294	RET=0
295
296	tc qdisc add dev $swp1 clsact
297
298	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
299		flower skip_sw \
300		action police rate 0.5kbit burst 1m conform-exceed drop/ok
301	check_fail $? "Incorrect success to add police action with too low rate"
302
303	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
304		flower skip_sw \
305		action police rate 2.5tbit burst 1g conform-exceed drop/ok
306	check_fail $? "Incorrect success to add police action with too high rate"
307
308	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
309		flower skip_sw \
310		action police rate 1.5kbit burst 1m conform-exceed drop/ok
311	check_err $? "Failed to add police action with low rate"
312
313	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
314
315	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
316		flower skip_sw \
317		action police rate 1.9tbit burst 1g conform-exceed drop/ok
318	check_err $? "Failed to add police action with high rate"
319
320	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
321
322	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
323		flower skip_sw \
324		action police rate 1.5kbit burst 512b conform-exceed drop/ok
325	check_fail $? "Incorrect success to add police action with too low burst size"
326
327	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
328		flower skip_sw \
329		action police rate 1.5kbit burst 2k conform-exceed drop/ok
330	check_err $? "Failed to add police action with low burst size"
331
332	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
333
334	tc qdisc del dev $swp1 clsact
335
336	log_test "police rate and burst limits"
337}
338
339multi_police_test()
340{
341	RET=0
342
343	# It is forbidden in mlxsw driver to have multiple police
344	# actions in a single rule.
345
346	tc qdisc add dev $swp1 clsact
347
348	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \
349		flower skip_sw \
350		action police rate 100mbit burst 100k conform-exceed drop/ok
351	check_err $? "Failed to add rule with single police action"
352
353	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
354
355	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \
356		flower skip_sw \
357		action police rate 100mbit burst 100k conform-exceed drop/pipe \
358		action police rate 200mbit burst 200k conform-exceed drop/ok
359	check_fail $? "Incorrect success to add rule with two police actions"
360
361	tc qdisc del dev $swp1 clsact
362
363	log_test "multi police"
364}
365
366setup_prepare()
367{
368	swp1=${NETIFS[p1]}
369	swp2=${NETIFS[p2]}
370
371	vrf_prepare
372
373	switch_create
374}
375
376cleanup()
377{
378	pre_cleanup
379
380	switch_destroy
381
382	vrf_cleanup
383}
384
385check_tc_shblock_support
386
387trap cleanup EXIT
388
389setup_prepare
390setup_wait
391
392tests_run
393
394exit $EXIT_STATUS
395