summaryrefslogtreecommitdiffstats
path: root/tools/testing/selftests/drivers/net/mlxsw/tc_restrictions.sh
blob: 553cb9fad508411a32ef51f54aeba848812e6e82 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0

lib_dir=$(dirname $0)/../../../net/forwarding

ALL_TESTS="
	shared_block_drop_test
	egress_redirect_test
	multi_mirror_test
	matchall_sample_egress_test
	matchall_mirror_behind_flower_ingress_test
	matchall_sample_behind_flower_ingress_test
	matchall_mirror_behind_flower_egress_test
	police_limits_test
	multi_police_test
"
NUM_NETIFS=2

source $lib_dir/tc_common.sh
source $lib_dir/lib.sh

switch_create()
{
	simple_if_init $swp1 192.0.2.1/24
	simple_if_init $swp2 192.0.2.2/24
}

switch_destroy()
{
	simple_if_fini $swp2 192.0.2.2/24
	simple_if_fini $swp1 192.0.2.1/24
}

shared_block_drop_test()
{
	RET=0

	# It is forbidden in mlxsw driver to have mixed-bound
	# shared block with a drop rule.

	tc qdisc add dev $swp1 ingress_block 22 clsact
	check_err $? "Failed to create clsact with ingress block"

	tc filter add block 22 protocol ip pref 1 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 action drop
	check_err $? "Failed to add drop rule to ingress bound block"

	tc qdisc add dev $swp2 ingress_block 22 clsact
	check_err $? "Failed to create another clsact with ingress shared block"

	tc qdisc del dev $swp2 clsact

	tc qdisc add dev $swp2 egress_block 22 clsact
	check_fail $? "Incorrect success to create another clsact with egress shared block"

	tc filter del block 22 protocol ip pref 1 handle 101 flower

	tc qdisc add dev $swp2 egress_block 22 clsact
	check_err $? "Failed to create another clsact with egress shared block after blocker drop rule removed"

	tc filter add block 22 protocol ip pref 1 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 action drop
	check_fail $? "Incorrect success to add drop rule to mixed bound block"

	tc qdisc del dev $swp1 clsact

	tc qdisc add dev $swp1 egress_block 22 clsact
	check_err $? "Failed to create another clsact with egress shared block"

	tc filter add block 22 protocol ip pref 1 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 action drop
	check_err $? "Failed to add drop rule to egress bound shared block"

	tc filter del block 22 protocol ip pref 1 handle 101 flower

	tc qdisc del dev $swp2 clsact
	tc qdisc del dev $swp1 clsact

	log_test "shared block drop"
}

egress_redirect_test()
{
	RET=0

	# It is forbidden in mlxsw driver to have mirred redirect on
	# egress-bound block.

	tc qdisc add dev $swp1 ingress_block 22 clsact
	check_err $? "Failed to create clsact with ingress block"

	tc filter add block 22 protocol ip pref 1 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 \
		action mirred egress redirect dev $swp2
	check_err $? "Failed to add redirect rule to ingress bound block"

	tc qdisc add dev $swp2 ingress_block 22 clsact
	check_err $? "Failed to create another clsact with ingress shared block"

	tc qdisc del dev $swp2 clsact

	tc qdisc add dev $swp2 egress_block 22 clsact
	check_fail $? "Incorrect success to create another clsact with egress shared block"

	tc filter del block 22 protocol ip pref 1 handle 101 flower

	tc qdisc add dev $swp2 egress_block 22 clsact
	check_err $? "Failed to create another clsact with egress shared block after blocker redirect rule removed"

	tc filter add block 22 protocol ip pref 1 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 \
		action mirred egress redirect dev $swp2
	check_fail $? "Incorrect success to add redirect rule to mixed bound block"

	tc qdisc del dev $swp1 clsact

	tc qdisc add dev $swp1 egress_block 22 clsact
	check_err $? "Failed to create another clsact with egress shared block"

	tc filter add block 22 protocol ip pref 1 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 \
		action mirred egress redirect dev $swp2
	check_fail $? "Incorrect success to add redirect rule to egress bound shared block"

	tc qdisc del dev $swp2 clsact

	tc filter add block 22 protocol ip pref 1 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 \
		action mirred egress redirect dev $swp2
	check_fail $? "Incorrect success to add redirect rule to egress bound block"

	tc qdisc del dev $swp1 clsact

	log_test "shared block drop"
}

multi_mirror_test()
{
	RET=0

	# It is forbidden in mlxsw driver to have multiple mirror
	# actions in a single rule.

	tc qdisc add dev $swp1 clsact

	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 \
		action mirred egress mirror dev $swp2
	check_err $? "Failed to add rule with single mirror action"

	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower

	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 \
		action mirred egress mirror dev $swp2 \
		action mirred egress mirror dev $swp1
	check_fail $? "Incorrect success to add rule with two mirror actions"

	tc qdisc del dev $swp1 clsact

	log_test "multi mirror"
}

matchall_sample_egress_test()
{
	RET=0

	# It is forbidden in mlxsw driver to have matchall with sample action
	# bound on egress

	tc qdisc add dev $swp1 clsact

	tc filter add dev $swp1 ingress protocol all pref 1 handle 101 \
		matchall skip_sw action sample rate 100 group 1
	check_err $? "Failed to add rule with sample action on ingress"

	tc filter del dev $swp1 ingress protocol all pref 1 handle 101 matchall

	tc filter add dev $swp1 egress protocol all pref 1 handle 101 \
		matchall skip_sw action sample rate 100 group 1
	check_fail $? "Incorrect success to add rule with sample action on egress"

	tc qdisc del dev $swp1 clsact

	log_test "matchall sample egress"
}

matchall_behind_flower_ingress_test()
{
	local action=$1
	local action_args=$2

	RET=0

	# On ingress, all matchall-mirror and matchall-sample
	# rules have to be in front of the flower rules

	tc qdisc add dev $swp1 clsact

	tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 action drop

	tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \
		matchall skip_sw action $action_args
	check_err $? "Failed to add matchall rule in front of a flower rule"

	tc filter del dev $swp1 ingress protocol all pref 9 handle 102 matchall

	tc filter add dev $swp1 ingress protocol all pref 11 handle 102 \
		matchall skip_sw action $action_args
	check_fail $? "Incorrect success to add matchall rule behind a flower rule"

	tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower

	tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \
		matchall skip_sw action $action_args

	tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 action drop
	check_err $? "Failed to add flower rule behind a matchall rule"

	tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower

	tc filter add dev $swp1 ingress protocol ip pref 8 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 action drop
	check_fail $? "Incorrect success to add flower rule in front of a matchall rule"

	tc qdisc del dev $swp1 clsact

	log_test "matchall $action flower ingress"
}

matchall_mirror_behind_flower_ingress_test()
{
	matchall_behind_flower_ingress_test "mirror" "mirred egress mirror dev $swp2"
}

matchall_sample_behind_flower_ingress_test()
{
	matchall_behind_flower_ingress_test "sample" "sample rate 100 group 1"
}

matchall_behind_flower_egress_test()
{
	local action=$1
	local action_args=$2

	RET=0

	# On egress, all matchall-mirror rules have to be behind the flower rules

	tc qdisc add dev $swp1 clsact

	tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 action drop

	tc filter add dev $swp1 egress protocol all pref 11 handle 102 \
		matchall skip_sw action $action_args
	check_err $? "Failed to add matchall rule in front of a flower rule"

	tc filter del dev $swp1 egress protocol all pref 11 handle 102 matchall

	tc filter add dev $swp1 egress protocol all pref 9 handle 102 \
		matchall skip_sw action $action_args
	check_fail $? "Incorrect success to add matchall rule behind a flower rule"

	tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower

	tc filter add dev $swp1 egress protocol all pref 11 handle 102 \
		matchall skip_sw action $action_args

	tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 action drop
	check_err $? "Failed to add flower rule behind a matchall rule"

	tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower

	tc filter add dev $swp1 egress protocol ip pref 12 handle 101 flower \
		skip_sw dst_ip 192.0.2.2 action drop
	check_fail $? "Incorrect success to add flower rule in front of a matchall rule"

	tc qdisc del dev $swp1 clsact

	log_test "matchall $action flower egress"
}

matchall_mirror_behind_flower_egress_test()
{
	matchall_behind_flower_egress_test "mirror" "mirred egress mirror dev $swp2"
}

police_limits_test()
{
	RET=0

	tc qdisc add dev $swp1 clsact

	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
		flower skip_sw \
		action police rate 0.5kbit burst 1m conform-exceed drop/ok
	check_fail $? "Incorrect success to add police action with too low rate"

	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
		flower skip_sw \
		action police rate 2.5tbit burst 1g conform-exceed drop/ok
	check_fail $? "Incorrect success to add police action with too high rate"

	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
		flower skip_sw \
		action police rate 1.5kbit burst 1m conform-exceed drop/ok
	check_err $? "Failed to add police action with low rate"

	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower

	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
		flower skip_sw \
		action police rate 1.9tbit burst 1g conform-exceed drop/ok
	check_err $? "Failed to add police action with high rate"

	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower

	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
		flower skip_sw \
		action police rate 1.5kbit burst 512b conform-exceed drop/ok
	check_fail $? "Incorrect success to add police action with too low burst size"

	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
		flower skip_sw \
		action police rate 1.5kbit burst 2k conform-exceed drop/ok
	check_err $? "Failed to add police action with low burst size"

	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower

	tc qdisc del dev $swp1 clsact

	log_test "police rate and burst limits"
}

multi_police_test()
{
	RET=0

	# It is forbidden in mlxsw driver to have multiple police
	# actions in a single rule.

	tc qdisc add dev $swp1 clsact

	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \
		flower skip_sw \
		action police rate 100mbit burst 100k conform-exceed drop/ok
	check_err $? "Failed to add rule with single police action"

	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower

	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \
		flower skip_sw \
		action police rate 100mbit burst 100k conform-exceed drop/pipe \
		action police rate 200mbit burst 200k conform-exceed drop/ok
	check_fail $? "Incorrect success to add rule with two police actions"

	tc qdisc del dev $swp1 clsact

	log_test "multi police"
}

setup_prepare()
{
	swp1=${NETIFS[p1]}
	swp2=${NETIFS[p2]}

	vrf_prepare

	switch_create
}

cleanup()
{
	pre_cleanup

	switch_destroy

	vrf_cleanup
}

check_tc_shblock_support

trap cleanup EXIT

setup_prepare
setup_wait

tests_run

exit $EXIT_STATUS