1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3
4lib_dir=$(dirname $0)/../../../net/forwarding
5
6ALL_TESTS="
7	shared_block_drop_test
8	egress_redirect_test
9	multi_mirror_test
10	matchall_sample_egress_test
11	matchall_mirror_behind_flower_ingress_test
12	matchall_sample_behind_flower_ingress_test
13	matchall_mirror_behind_flower_egress_test
14	matchall_proto_match_test
15	police_limits_test
16	multi_police_test
17"
18NUM_NETIFS=2
19
20source $lib_dir/tc_common.sh
21source $lib_dir/lib.sh
22source $lib_dir/devlink_lib.sh
23
24switch_create()
25{
26	simple_if_init $swp1 192.0.2.1/24
27	simple_if_init $swp2 192.0.2.2/24
28}
29
30switch_destroy()
31{
32	simple_if_fini $swp2 192.0.2.2/24
33	simple_if_fini $swp1 192.0.2.1/24
34}
35
36shared_block_drop_test()
37{
38	RET=0
39
40	# It is forbidden in mlxsw driver to have mixed-bound
41	# shared block with a drop rule.
42
43	tc qdisc add dev $swp1 ingress_block 22 clsact
44	check_err $? "Failed to create clsact with ingress block"
45
46	tc filter add block 22 protocol ip pref 1 handle 101 flower \
47		skip_sw dst_ip 192.0.2.2 action drop
48	check_err $? "Failed to add drop rule to ingress bound block"
49
50	tc qdisc add dev $swp2 ingress_block 22 clsact
51	check_err $? "Failed to create another clsact with ingress shared block"
52
53	tc qdisc del dev $swp2 clsact
54
55	tc qdisc add dev $swp2 egress_block 22 clsact
56	check_fail $? "Incorrect success to create another clsact with egress shared block"
57
58	tc filter del block 22 protocol ip pref 1 handle 101 flower
59
60	tc qdisc add dev $swp2 egress_block 22 clsact
61	check_err $? "Failed to create another clsact with egress shared block after blocker drop rule removed"
62
63	tc filter add block 22 protocol ip pref 1 handle 101 flower \
64		skip_sw dst_ip 192.0.2.2 action drop
65	check_fail $? "Incorrect success to add drop rule to mixed bound block"
66
67	tc qdisc del dev $swp1 clsact
68
69	tc qdisc add dev $swp1 egress_block 22 clsact
70	check_err $? "Failed to create another clsact with egress shared block"
71
72	tc filter add block 22 protocol ip pref 1 handle 101 flower \
73		skip_sw dst_ip 192.0.2.2 action drop
74	check_err $? "Failed to add drop rule to egress bound shared block"
75
76	tc filter del block 22 protocol ip pref 1 handle 101 flower
77
78	tc qdisc del dev $swp2 clsact
79	tc qdisc del dev $swp1 clsact
80
81	log_test "shared block drop"
82}
83
84egress_redirect_test()
85{
86	RET=0
87
88	# It is forbidden in mlxsw driver to have mirred redirect on
89	# egress-bound block.
90
91	tc qdisc add dev $swp1 ingress_block 22 clsact
92	check_err $? "Failed to create clsact with ingress block"
93
94	tc filter add block 22 protocol ip pref 1 handle 101 flower \
95		skip_sw dst_ip 192.0.2.2 \
96		action mirred egress redirect dev $swp2
97	check_err $? "Failed to add redirect rule to ingress bound block"
98
99	tc qdisc add dev $swp2 ingress_block 22 clsact
100	check_err $? "Failed to create another clsact with ingress shared block"
101
102	tc qdisc del dev $swp2 clsact
103
104	tc qdisc add dev $swp2 egress_block 22 clsact
105	check_fail $? "Incorrect success to create another clsact with egress shared block"
106
107	tc filter del block 22 protocol ip pref 1 handle 101 flower
108
109	tc qdisc add dev $swp2 egress_block 22 clsact
110	check_err $? "Failed to create another clsact with egress shared block after blocker redirect rule removed"
111
112	tc filter add block 22 protocol ip pref 1 handle 101 flower \
113		skip_sw dst_ip 192.0.2.2 \
114		action mirred egress redirect dev $swp2
115	check_fail $? "Incorrect success to add redirect rule to mixed bound block"
116
117	tc qdisc del dev $swp1 clsact
118
119	tc qdisc add dev $swp1 egress_block 22 clsact
120	check_err $? "Failed to create another clsact with egress shared block"
121
122	tc filter add block 22 protocol ip pref 1 handle 101 flower \
123		skip_sw dst_ip 192.0.2.2 \
124		action mirred egress redirect dev $swp2
125	check_fail $? "Incorrect success to add redirect rule to egress bound shared block"
126
127	tc qdisc del dev $swp2 clsact
128
129	tc filter add block 22 protocol ip pref 1 handle 101 flower \
130		skip_sw dst_ip 192.0.2.2 \
131		action mirred egress redirect dev $swp2
132	check_fail $? "Incorrect success to add redirect rule to egress bound block"
133
134	tc qdisc del dev $swp1 clsact
135
136	log_test "shared block drop"
137}
138
139multi_mirror_test()
140{
141	RET=0
142
143	# It is forbidden in mlxsw driver to have multiple mirror
144	# actions in a single rule.
145
146	tc qdisc add dev $swp1 clsact
147
148	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
149		skip_sw dst_ip 192.0.2.2 \
150		action mirred egress mirror dev $swp2
151	check_err $? "Failed to add rule with single mirror action"
152
153	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
154
155	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
156		skip_sw dst_ip 192.0.2.2 \
157		action mirred egress mirror dev $swp2 \
158		action mirred egress mirror dev $swp1
159	check_fail $? "Incorrect success to add rule with two mirror actions"
160
161	tc qdisc del dev $swp1 clsact
162
163	log_test "multi mirror"
164}
165
166matchall_sample_egress_test()
167{
168	RET=0
169
170	# It is forbidden in mlxsw driver to have matchall with sample action
171	# bound on egress. Spectrum-1 specific restriction
172	[[ "$DEVLINK_VIDDID" != "15b3:cb84" ]] && return
173
174	tc qdisc add dev $swp1 clsact
175
176	tc filter add dev $swp1 ingress protocol all pref 1 handle 101 \
177		matchall skip_sw action sample rate 100 group 1
178	check_err $? "Failed to add rule with sample action on ingress"
179
180	tc filter del dev $swp1 ingress protocol all pref 1 handle 101 matchall
181
182	tc filter add dev $swp1 egress protocol all pref 1 handle 101 \
183		matchall skip_sw action sample rate 100 group 1
184	check_fail $? "Incorrect success to add rule with sample action on egress"
185
186	tc qdisc del dev $swp1 clsact
187
188	log_test "matchall sample egress"
189}
190
191matchall_behind_flower_ingress_test()
192{
193	local action=$1
194	local action_args=$2
195
196	RET=0
197
198	# On ingress, all matchall-mirror and matchall-sample
199	# rules have to be in front of the flower rules
200
201	tc qdisc add dev $swp1 clsact
202
203	tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \
204		skip_sw dst_ip 192.0.2.2 action drop
205
206	tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \
207		matchall skip_sw action $action_args
208	check_err $? "Failed to add matchall rule in front of a flower rule"
209
210	tc filter del dev $swp1 ingress protocol all pref 9 handle 102 matchall
211
212	tc filter add dev $swp1 ingress protocol all pref 11 handle 102 \
213		matchall skip_sw action $action_args
214	check_fail $? "Incorrect success to add matchall rule behind a flower rule"
215
216	tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower
217
218	tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \
219		matchall skip_sw action $action_args
220
221	tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \
222		skip_sw dst_ip 192.0.2.2 action drop
223	check_err $? "Failed to add flower rule behind a matchall rule"
224
225	tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower
226
227	tc filter add dev $swp1 ingress protocol ip pref 8 handle 101 flower \
228		skip_sw dst_ip 192.0.2.2 action drop
229	check_fail $? "Incorrect success to add flower rule in front of a matchall rule"
230
231	tc qdisc del dev $swp1 clsact
232
233	log_test "matchall $action flower ingress"
234}
235
236matchall_mirror_behind_flower_ingress_test()
237{
238	matchall_behind_flower_ingress_test "mirror" "mirred egress mirror dev $swp2"
239}
240
241matchall_sample_behind_flower_ingress_test()
242{
243	matchall_behind_flower_ingress_test "sample" "sample rate 100 group 1"
244}
245
246matchall_behind_flower_egress_test()
247{
248	local action=$1
249	local action_args=$2
250
251	RET=0
252
253	# On egress, all matchall-mirror rules have to be behind the flower rules
254
255	tc qdisc add dev $swp1 clsact
256
257	tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \
258		skip_sw dst_ip 192.0.2.2 action drop
259
260	tc filter add dev $swp1 egress protocol all pref 11 handle 102 \
261		matchall skip_sw action $action_args
262	check_err $? "Failed to add matchall rule in front of a flower rule"
263
264	tc filter del dev $swp1 egress protocol all pref 11 handle 102 matchall
265
266	tc filter add dev $swp1 egress protocol all pref 9 handle 102 \
267		matchall skip_sw action $action_args
268	check_fail $? "Incorrect success to add matchall rule behind a flower rule"
269
270	tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower
271
272	tc filter add dev $swp1 egress protocol all pref 11 handle 102 \
273		matchall skip_sw action $action_args
274
275	tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \
276		skip_sw dst_ip 192.0.2.2 action drop
277	check_err $? "Failed to add flower rule behind a matchall rule"
278
279	tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower
280
281	tc filter add dev $swp1 egress protocol ip pref 12 handle 101 flower \
282		skip_sw dst_ip 192.0.2.2 action drop
283	check_fail $? "Incorrect success to add flower rule in front of a matchall rule"
284
285	tc qdisc del dev $swp1 clsact
286
287	log_test "matchall $action flower egress"
288}
289
290matchall_mirror_behind_flower_egress_test()
291{
292	matchall_behind_flower_egress_test "mirror" "mirred egress mirror dev $swp2"
293}
294
295matchall_proto_match_test()
296{
297	RET=0
298
299	tc qdisc add dev $swp1 clsact
300
301	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
302		matchall skip_sw \
303		action sample group 1 rate 100
304	check_fail $? "Incorrect success to add matchall rule with protocol match"
305
306	tc qdisc del dev $swp1 clsact
307
308	log_test "matchall protocol match"
309}
310
311police_limits_test()
312{
313	RET=0
314
315	tc qdisc add dev $swp1 clsact
316
317	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
318		flower skip_sw \
319		action police rate 0.5kbit burst 1m conform-exceed drop/ok
320	check_fail $? "Incorrect success to add police action with too low rate"
321
322	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
323		flower skip_sw \
324		action police rate 2.5tbit burst 1g conform-exceed drop/ok
325	check_fail $? "Incorrect success to add police action with too high rate"
326
327	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
328		flower skip_sw \
329		action police rate 1.5kbit burst 1m conform-exceed drop/ok
330	check_err $? "Failed to add police action with low rate"
331
332	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
333
334	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
335		flower skip_sw \
336		action police rate 1.9tbit burst 1g conform-exceed drop/ok
337	check_err $? "Failed to add police action with high rate"
338
339	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
340
341	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
342		flower skip_sw \
343		action police rate 1.5kbit burst 512b conform-exceed drop/ok
344	check_fail $? "Incorrect success to add police action with too low burst size"
345
346	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
347		flower skip_sw \
348		action police rate 1.5kbit burst 2k conform-exceed drop/ok
349	check_err $? "Failed to add police action with low burst size"
350
351	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
352
353	tc qdisc del dev $swp1 clsact
354
355	log_test "police rate and burst limits"
356}
357
358multi_police_test()
359{
360	RET=0
361
362	# It is forbidden in mlxsw driver to have multiple police
363	# actions in a single rule.
364
365	tc qdisc add dev $swp1 clsact
366
367	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \
368		flower skip_sw \
369		action police rate 100mbit burst 100k conform-exceed drop/ok
370	check_err $? "Failed to add rule with single police action"
371
372	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
373
374	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \
375		flower skip_sw \
376		action police rate 100mbit burst 100k conform-exceed drop/pipe \
377		action police rate 200mbit burst 200k conform-exceed drop/ok
378	check_fail $? "Incorrect success to add rule with two police actions"
379
380	tc qdisc del dev $swp1 clsact
381
382	log_test "multi police"
383}
384
385setup_prepare()
386{
387	swp1=${NETIFS[p1]}
388	swp2=${NETIFS[p2]}
389
390	vrf_prepare
391
392	switch_create
393}
394
395cleanup()
396{
397	pre_cleanup
398
399	switch_destroy
400
401	vrf_cleanup
402}
403
404check_tc_shblock_support
405
406trap cleanup EXIT
407
408setup_prepare
409setup_wait
410
411tests_run
412
413exit $EXIT_STATUS
414