net/mlxsw/tc_restrictions.sh

0001 #!/bin/bash
0002 # SPDX-License-Identifier: GPL-2.0
0003
0004 lib_dir=$(dirname $0)/../../../net/forwarding
0005
0006 ALL_TESTS="
0007         shared_block_drop_test
0008         egress_redirect_test
0009         multi_mirror_test
0010         matchall_sample_egress_test
0011         matchall_mirror_behind_flower_ingress_test
0012         matchall_sample_behind_flower_ingress_test
0013         matchall_mirror_behind_flower_egress_test
0014         matchall_proto_match_test
0015         police_limits_test
0016         multi_police_test
0017 "
0018 NUM_NETIFS=2
0019
0020 source $lib_dir/tc_common.sh
0021 source $lib_dir/lib.sh
0022 source $lib_dir/devlink_lib.sh
0023 source mlxsw_lib.sh
0024
0025 switch_create()
0026 {
0027         simple_if_init $swp1 192.0.2.1/24
0028         simple_if_init $swp2 192.0.2.2/24
0029 }
0030
0031 switch_destroy()
0032 {
0033         simple_if_fini $swp2 192.0.2.2/24
0034         simple_if_fini $swp1 192.0.2.1/24
0035 }
0036
0037 shared_block_drop_test()
0038 {
0039         RET=0
0040
0041         # It is forbidden in mlxsw driver to have mixed-bound
0042         # shared block with a drop rule.
0043
0044         tc qdisc add dev $swp1 ingress_block 22 clsact
0045         check_err $? "Failed to create clsact with ingress block"
0046
0047         tc filter add block 22 protocol ip pref 1 handle 101 flower \
0048                 skip_sw dst_ip 192.0.2.2 action drop
0049         check_err $? "Failed to add drop rule to ingress bound block"
0050
0051         tc qdisc add dev $swp2 ingress_block 22 clsact
0052         check_err $? "Failed to create another clsact with ingress shared block"
0053
0054         tc qdisc del dev $swp2 clsact
0055
0056         tc qdisc add dev $swp2 egress_block 22 clsact
0057         check_fail $? "Incorrect success to create another clsact with egress shared block"
0058
0059         tc filter del block 22 protocol ip pref 1 handle 101 flower
0060
0061         tc qdisc add dev $swp2 egress_block 22 clsact
0062         check_err $? "Failed to create another clsact with egress shared block after blocker drop rule removed"
0063
0064         tc filter add block 22 protocol ip pref 1 handle 101 flower \
0065                 skip_sw dst_ip 192.0.2.2 action drop
0066         check_fail $? "Incorrect success to add drop rule to mixed bound block"
0067
0068         tc qdisc del dev $swp1 clsact
0069
0070         tc qdisc add dev $swp1 egress_block 22 clsact
0071         check_err $? "Failed to create another clsact with egress shared block"
0072
0073         tc filter add block 22 protocol ip pref 1 handle 101 flower \
0074                 skip_sw dst_ip 192.0.2.2 action drop
0075         check_err $? "Failed to add drop rule to egress bound shared block"
0076
0077         tc filter del block 22 protocol ip pref 1 handle 101 flower
0078
0079         tc qdisc del dev $swp2 clsact
0080         tc qdisc del dev $swp1 clsact
0081
0082         log_test "shared block drop"
0083 }
0084
0085 egress_redirect_test()
0086 {
0087         RET=0
0088
0089         # It is forbidden in mlxsw driver to have mirred redirect on
0090         # egress-bound block.
0091
0092         tc qdisc add dev $swp1 ingress_block 22 clsact
0093         check_err $? "Failed to create clsact with ingress block"
0094
0095         tc filter add block 22 protocol ip pref 1 handle 101 flower \
0096                 skip_sw dst_ip 192.0.2.2 \
0097                 action mirred egress redirect dev $swp2
0098         check_err $? "Failed to add redirect rule to ingress bound block"
0099
0100         tc qdisc add dev $swp2 ingress_block 22 clsact
0101         check_err $? "Failed to create another clsact with ingress shared block"
0102
0103         tc qdisc del dev $swp2 clsact
0104
0105         tc qdisc add dev $swp2 egress_block 22 clsact
0106         check_fail $? "Incorrect success to create another clsact with egress shared block"
0107
0108         tc filter del block 22 protocol ip pref 1 handle 101 flower
0109
0110         tc qdisc add dev $swp2 egress_block 22 clsact
0111         check_err $? "Failed to create another clsact with egress shared block after blocker redirect rule removed"
0112
0113         tc filter add block 22 protocol ip pref 1 handle 101 flower \
0114                 skip_sw dst_ip 192.0.2.2 \
0115                 action mirred egress redirect dev $swp2
0116         check_fail $? "Incorrect success to add redirect rule to mixed bound block"
0117
0118         tc qdisc del dev $swp1 clsact
0119
0120         tc qdisc add dev $swp1 egress_block 22 clsact
0121         check_err $? "Failed to create another clsact with egress shared block"
0122
0123         tc filter add block 22 protocol ip pref 1 handle 101 flower \
0124                 skip_sw dst_ip 192.0.2.2 \
0125                 action mirred egress redirect dev $swp2
0126         check_fail $? "Incorrect success to add redirect rule to egress bound shared block"
0127
0128         tc qdisc del dev $swp2 clsact
0129
0130         tc filter add block 22 protocol ip pref 1 handle 101 flower \
0131                 skip_sw dst_ip 192.0.2.2 \
0132                 action mirred egress redirect dev $swp2
0133         check_fail $? "Incorrect success to add redirect rule to egress bound block"
0134
0135         tc qdisc del dev $swp1 clsact
0136
0137         log_test "shared block drop"
0138 }
0139
0140 multi_mirror_test()
0141 {
0142         RET=0
0143
0144         # It is forbidden in mlxsw driver to have multiple mirror
0145         # actions in a single rule.
0146
0147         tc qdisc add dev $swp1 clsact
0148
0149         tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
0150                 skip_sw dst_ip 192.0.2.2 \
0151                 action mirred egress mirror dev $swp2
0152         check_err $? "Failed to add rule with single mirror action"
0153
0154         tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
0155
0156         tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
0157                 skip_sw dst_ip 192.0.2.2 \
0158                 action mirred egress mirror dev $swp2 \
0159                 action mirred egress mirror dev $swp1
0160         check_fail $? "Incorrect success to add rule with two mirror actions"
0161
0162         tc qdisc del dev $swp1 clsact
0163
0164         log_test "multi mirror"
0165 }
0166
0167 matchall_sample_egress_test()
0168 {
0169         RET=0
0170
0171         # It is forbidden in mlxsw driver to have matchall with sample action
0172         # bound on egress. Spectrum-1 specific restriction
0173         mlxsw_only_on_spectrum 1 || return
0174
0175         tc qdisc add dev $swp1 clsact
0176
0177         tc filter add dev $swp1 ingress protocol all pref 1 handle 101 \
0178                 matchall skip_sw action sample rate 100 group 1
0179         check_err $? "Failed to add rule with sample action on ingress"
0180
0181         tc filter del dev $swp1 ingress protocol all pref 1 handle 101 matchall
0182
0183         tc filter add dev $swp1 egress protocol all pref 1 handle 101 \
0184                 matchall skip_sw action sample rate 100 group 1
0185         check_fail $? "Incorrect success to add rule with sample action on egress"
0186
0187         tc qdisc del dev $swp1 clsact
0188
0189         log_test "matchall sample egress"
0190 }
0191
0192 matchall_behind_flower_ingress_test()
0193 {
0194         local action=$1
0195         local action_args=$2
0196
0197         RET=0
0198
0199         # On ingress, all matchall-mirror and matchall-sample
0200         # rules have to be in front of the flower rules
0201
0202         tc qdisc add dev $swp1 clsact
0203
0204         tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \
0205                 skip_sw dst_ip 192.0.2.2 action drop
0206
0207         tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \
0208                 matchall skip_sw action $action_args
0209         check_err $? "Failed to add matchall rule in front of a flower rule"
0210
0211         tc filter del dev $swp1 ingress protocol all pref 9 handle 102 matchall
0212
0213         tc filter add dev $swp1 ingress protocol all pref 11 handle 102 \
0214                 matchall skip_sw action $action_args
0215         check_fail $? "Incorrect success to add matchall rule behind a flower rule"
0216
0217         tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower
0218
0219         tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \
0220                 matchall skip_sw action $action_args
0221
0222         tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \
0223                 skip_sw dst_ip 192.0.2.2 action drop
0224         check_err $? "Failed to add flower rule behind a matchall rule"
0225
0226         tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower
0227
0228         tc filter add dev $swp1 ingress protocol ip pref 8 handle 101 flower \
0229                 skip_sw dst_ip 192.0.2.2 action drop
0230         check_fail $? "Incorrect success to add flower rule in front of a matchall rule"
0231
0232         tc qdisc del dev $swp1 clsact
0233
0234         log_test "matchall $action flower ingress"
0235 }
0236
0237 matchall_mirror_behind_flower_ingress_test()
0238 {
0239         matchall_behind_flower_ingress_test "mirror" "mirred egress mirror dev $swp2"
0240 }
0241
0242 matchall_sample_behind_flower_ingress_test()
0243 {
0244         matchall_behind_flower_ingress_test "sample" "sample rate 100 group 1"
0245 }
0246
0247 matchall_behind_flower_egress_test()
0248 {
0249         local action=$1
0250         local action_args=$2
0251
0252         RET=0
0253
0254         # On egress, all matchall-mirror rules have to be behind the flower rules
0255
0256         tc qdisc add dev $swp1 clsact
0257
0258         tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \
0259                 skip_sw dst_ip 192.0.2.2 action drop
0260
0261         tc filter add dev $swp1 egress protocol all pref 11 handle 102 \
0262                 matchall skip_sw action $action_args
0263         check_err $? "Failed to add matchall rule in front of a flower rule"
0264
0265         tc filter del dev $swp1 egress protocol all pref 11 handle 102 matchall
0266
0267         tc filter add dev $swp1 egress protocol all pref 9 handle 102 \
0268                 matchall skip_sw action $action_args
0269         check_fail $? "Incorrect success to add matchall rule behind a flower rule"
0270
0271         tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower
0272
0273         tc filter add dev $swp1 egress protocol all pref 11 handle 102 \
0274                 matchall skip_sw action $action_args
0275
0276         tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \
0277                 skip_sw dst_ip 192.0.2.2 action drop
0278         check_err $? "Failed to add flower rule behind a matchall rule"
0279
0280         tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower
0281
0282         tc filter add dev $swp1 egress protocol ip pref 12 handle 101 flower \
0283                 skip_sw dst_ip 192.0.2.2 action drop
0284         check_fail $? "Incorrect success to add flower rule in front of a matchall rule"
0285
0286         tc qdisc del dev $swp1 clsact
0287
0288         log_test "matchall $action flower egress"
0289 }
0290
0291 matchall_mirror_behind_flower_egress_test()
0292 {
0293         matchall_behind_flower_egress_test "mirror" "mirred egress mirror dev $swp2"
0294 }
0295
0296 matchall_proto_match_test()
0297 {
0298         RET=0
0299
0300         tc qdisc add dev $swp1 clsact
0301
0302         tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
0303                 matchall skip_sw \
0304                 action sample group 1 rate 100
0305         check_fail $? "Incorrect success to add matchall rule with protocol match"
0306
0307         tc qdisc del dev $swp1 clsact
0308
0309         log_test "matchall protocol match"
0310 }
0311
0312 police_limits_test()
0313 {
0314         RET=0
0315
0316         tc qdisc add dev $swp1 clsact
0317
0318         tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
0319                 flower skip_sw \
0320                 action police rate 0.5kbit burst 1m conform-exceed drop/ok
0321         check_fail $? "Incorrect success to add police action with too low rate"
0322
0323         tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
0324                 flower skip_sw \
0325                 action police rate 2.5tbit burst 1g conform-exceed drop/ok
0326         check_fail $? "Incorrect success to add police action with too high rate"
0327
0328         tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
0329                 flower skip_sw \
0330                 action police rate 1.5kbit burst 1m conform-exceed drop/ok
0331         check_err $? "Failed to add police action with low rate"
0332
0333         tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
0334
0335         tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
0336                 flower skip_sw \
0337                 action police rate 1.9tbit burst 1g conform-exceed drop/ok
0338         check_err $? "Failed to add police action with high rate"
0339
0340         tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
0341
0342         tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
0343                 flower skip_sw \
0344                 action police rate 1.5kbit burst 512b conform-exceed drop/ok
0345         check_fail $? "Incorrect success to add police action with too low burst size"
0346
0347         tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
0348                 flower skip_sw \
0349                 action police rate 1.5kbit burst 2k conform-exceed drop/ok
0350         check_err $? "Failed to add police action with low burst size"
0351
0352         tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
0353
0354         tc qdisc del dev $swp1 clsact
0355
0356         log_test "police rate and burst limits"
0357 }
0358
0359 multi_police_test()
0360 {
0361         RET=0
0362
0363         # It is forbidden in mlxsw driver to have multiple police
0364         # actions in a single rule.
0365
0366         tc qdisc add dev $swp1 clsact
0367
0368         tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \
0369                 flower skip_sw \
0370                 action police rate 100mbit burst 100k conform-exceed drop/ok
0371         check_err $? "Failed to add rule with single police action"
0372
0373         tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
0374
0375         tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \
0376                 flower skip_sw \
0377                 action police rate 100mbit burst 100k conform-exceed drop/pipe \
0378                 action police rate 200mbit burst 200k conform-exceed drop/ok
0379         check_fail $? "Incorrect success to add rule with two police actions"
0380
0381         tc qdisc del dev $swp1 clsact
0382
0383         log_test "multi police"
0384 }
0385
0386 setup_prepare()
0387 {
0388         swp1=${NETIFS[p1]}
0389         swp2=${NETIFS[p2]}
0390
0391         vrf_prepare
0392
0393         switch_create
0394 }
0395
0396 cleanup()
0397 {
0398         pre_cleanup
0399
0400         switch_destroy
0401
0402         vrf_cleanup
0403 }
0404
0405 check_tc_shblock_support
0406
0407 trap cleanup EXIT
0408
0409 setup_prepare
0410 setup_wait
0411
0412 tests_run
0413
0414 exit $EXIT_STATUS