tc_restrictions.sh (11853B)
1#!/bin/bash 2# SPDX-License-Identifier: GPL-2.0 3 4lib_dir=$(dirname $0)/../../../net/forwarding 5 6ALL_TESTS=" 7 shared_block_drop_test 8 egress_redirect_test 9 multi_mirror_test 10 matchall_sample_egress_test 11 matchall_mirror_behind_flower_ingress_test 12 matchall_sample_behind_flower_ingress_test 13 matchall_mirror_behind_flower_egress_test 14 matchall_proto_match_test 15 police_limits_test 16 multi_police_test 17" 18NUM_NETIFS=2 19 20source $lib_dir/tc_common.sh 21source $lib_dir/lib.sh 22source $lib_dir/devlink_lib.sh 23source mlxsw_lib.sh 24 25switch_create() 26{ 27 simple_if_init $swp1 192.0.2.1/24 28 simple_if_init $swp2 192.0.2.2/24 29} 30 31switch_destroy() 32{ 33 simple_if_fini $swp2 192.0.2.2/24 34 simple_if_fini $swp1 192.0.2.1/24 35} 36 37shared_block_drop_test() 38{ 39 RET=0 40 41 # It is forbidden in mlxsw driver to have mixed-bound 42 # shared block with a drop rule. 43 44 tc qdisc add dev $swp1 ingress_block 22 clsact 45 check_err $? "Failed to create clsact with ingress block" 46 47 tc filter add block 22 protocol ip pref 1 handle 101 flower \ 48 skip_sw dst_ip 192.0.2.2 action drop 49 check_err $? "Failed to add drop rule to ingress bound block" 50 51 tc qdisc add dev $swp2 ingress_block 22 clsact 52 check_err $? "Failed to create another clsact with ingress shared block" 53 54 tc qdisc del dev $swp2 clsact 55 56 tc qdisc add dev $swp2 egress_block 22 clsact 57 check_fail $? "Incorrect success to create another clsact with egress shared block" 58 59 tc filter del block 22 protocol ip pref 1 handle 101 flower 60 61 tc qdisc add dev $swp2 egress_block 22 clsact 62 check_err $? "Failed to create another clsact with egress shared block after blocker drop rule removed" 63 64 tc filter add block 22 protocol ip pref 1 handle 101 flower \ 65 skip_sw dst_ip 192.0.2.2 action drop 66 check_fail $? "Incorrect success to add drop rule to mixed bound block" 67 68 tc qdisc del dev $swp1 clsact 69 70 tc qdisc add dev $swp1 egress_block 22 clsact 71 check_err $? "Failed to create another clsact with egress shared block" 72 73 tc filter add block 22 protocol ip pref 1 handle 101 flower \ 74 skip_sw dst_ip 192.0.2.2 action drop 75 check_err $? "Failed to add drop rule to egress bound shared block" 76 77 tc filter del block 22 protocol ip pref 1 handle 101 flower 78 79 tc qdisc del dev $swp2 clsact 80 tc qdisc del dev $swp1 clsact 81 82 log_test "shared block drop" 83} 84 85egress_redirect_test() 86{ 87 RET=0 88 89 # It is forbidden in mlxsw driver to have mirred redirect on 90 # egress-bound block. 91 92 tc qdisc add dev $swp1 ingress_block 22 clsact 93 check_err $? "Failed to create clsact with ingress block" 94 95 tc filter add block 22 protocol ip pref 1 handle 101 flower \ 96 skip_sw dst_ip 192.0.2.2 \ 97 action mirred egress redirect dev $swp2 98 check_err $? "Failed to add redirect rule to ingress bound block" 99 100 tc qdisc add dev $swp2 ingress_block 22 clsact 101 check_err $? "Failed to create another clsact with ingress shared block" 102 103 tc qdisc del dev $swp2 clsact 104 105 tc qdisc add dev $swp2 egress_block 22 clsact 106 check_fail $? "Incorrect success to create another clsact with egress shared block" 107 108 tc filter del block 22 protocol ip pref 1 handle 101 flower 109 110 tc qdisc add dev $swp2 egress_block 22 clsact 111 check_err $? "Failed to create another clsact with egress shared block after blocker redirect rule removed" 112 113 tc filter add block 22 protocol ip pref 1 handle 101 flower \ 114 skip_sw dst_ip 192.0.2.2 \ 115 action mirred egress redirect dev $swp2 116 check_fail $? "Incorrect success to add redirect rule to mixed bound block" 117 118 tc qdisc del dev $swp1 clsact 119 120 tc qdisc add dev $swp1 egress_block 22 clsact 121 check_err $? "Failed to create another clsact with egress shared block" 122 123 tc filter add block 22 protocol ip pref 1 handle 101 flower \ 124 skip_sw dst_ip 192.0.2.2 \ 125 action mirred egress redirect dev $swp2 126 check_fail $? "Incorrect success to add redirect rule to egress bound shared block" 127 128 tc qdisc del dev $swp2 clsact 129 130 tc filter add block 22 protocol ip pref 1 handle 101 flower \ 131 skip_sw dst_ip 192.0.2.2 \ 132 action mirred egress redirect dev $swp2 133 check_fail $? "Incorrect success to add redirect rule to egress bound block" 134 135 tc qdisc del dev $swp1 clsact 136 137 log_test "shared block drop" 138} 139 140multi_mirror_test() 141{ 142 RET=0 143 144 # It is forbidden in mlxsw driver to have multiple mirror 145 # actions in a single rule. 146 147 tc qdisc add dev $swp1 clsact 148 149 tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \ 150 skip_sw dst_ip 192.0.2.2 \ 151 action mirred egress mirror dev $swp2 152 check_err $? "Failed to add rule with single mirror action" 153 154 tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower 155 156 tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \ 157 skip_sw dst_ip 192.0.2.2 \ 158 action mirred egress mirror dev $swp2 \ 159 action mirred egress mirror dev $swp1 160 check_fail $? "Incorrect success to add rule with two mirror actions" 161 162 tc qdisc del dev $swp1 clsact 163 164 log_test "multi mirror" 165} 166 167matchall_sample_egress_test() 168{ 169 RET=0 170 171 # It is forbidden in mlxsw driver to have matchall with sample action 172 # bound on egress. Spectrum-1 specific restriction 173 mlxsw_only_on_spectrum 1 || return 174 175 tc qdisc add dev $swp1 clsact 176 177 tc filter add dev $swp1 ingress protocol all pref 1 handle 101 \ 178 matchall skip_sw action sample rate 100 group 1 179 check_err $? "Failed to add rule with sample action on ingress" 180 181 tc filter del dev $swp1 ingress protocol all pref 1 handle 101 matchall 182 183 tc filter add dev $swp1 egress protocol all pref 1 handle 101 \ 184 matchall skip_sw action sample rate 100 group 1 185 check_fail $? "Incorrect success to add rule with sample action on egress" 186 187 tc qdisc del dev $swp1 clsact 188 189 log_test "matchall sample egress" 190} 191 192matchall_behind_flower_ingress_test() 193{ 194 local action=$1 195 local action_args=$2 196 197 RET=0 198 199 # On ingress, all matchall-mirror and matchall-sample 200 # rules have to be in front of the flower rules 201 202 tc qdisc add dev $swp1 clsact 203 204 tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \ 205 skip_sw dst_ip 192.0.2.2 action drop 206 207 tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \ 208 matchall skip_sw action $action_args 209 check_err $? "Failed to add matchall rule in front of a flower rule" 210 211 tc filter del dev $swp1 ingress protocol all pref 9 handle 102 matchall 212 213 tc filter add dev $swp1 ingress protocol all pref 11 handle 102 \ 214 matchall skip_sw action $action_args 215 check_fail $? "Incorrect success to add matchall rule behind a flower rule" 216 217 tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower 218 219 tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \ 220 matchall skip_sw action $action_args 221 222 tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \ 223 skip_sw dst_ip 192.0.2.2 action drop 224 check_err $? "Failed to add flower rule behind a matchall rule" 225 226 tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower 227 228 tc filter add dev $swp1 ingress protocol ip pref 8 handle 101 flower \ 229 skip_sw dst_ip 192.0.2.2 action drop 230 check_fail $? "Incorrect success to add flower rule in front of a matchall rule" 231 232 tc qdisc del dev $swp1 clsact 233 234 log_test "matchall $action flower ingress" 235} 236 237matchall_mirror_behind_flower_ingress_test() 238{ 239 matchall_behind_flower_ingress_test "mirror" "mirred egress mirror dev $swp2" 240} 241 242matchall_sample_behind_flower_ingress_test() 243{ 244 matchall_behind_flower_ingress_test "sample" "sample rate 100 group 1" 245} 246 247matchall_behind_flower_egress_test() 248{ 249 local action=$1 250 local action_args=$2 251 252 RET=0 253 254 # On egress, all matchall-mirror rules have to be behind the flower rules 255 256 tc qdisc add dev $swp1 clsact 257 258 tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \ 259 skip_sw dst_ip 192.0.2.2 action drop 260 261 tc filter add dev $swp1 egress protocol all pref 11 handle 102 \ 262 matchall skip_sw action $action_args 263 check_err $? "Failed to add matchall rule in front of a flower rule" 264 265 tc filter del dev $swp1 egress protocol all pref 11 handle 102 matchall 266 267 tc filter add dev $swp1 egress protocol all pref 9 handle 102 \ 268 matchall skip_sw action $action_args 269 check_fail $? "Incorrect success to add matchall rule behind a flower rule" 270 271 tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower 272 273 tc filter add dev $swp1 egress protocol all pref 11 handle 102 \ 274 matchall skip_sw action $action_args 275 276 tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \ 277 skip_sw dst_ip 192.0.2.2 action drop 278 check_err $? "Failed to add flower rule behind a matchall rule" 279 280 tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower 281 282 tc filter add dev $swp1 egress protocol ip pref 12 handle 101 flower \ 283 skip_sw dst_ip 192.0.2.2 action drop 284 check_fail $? "Incorrect success to add flower rule in front of a matchall rule" 285 286 tc qdisc del dev $swp1 clsact 287 288 log_test "matchall $action flower egress" 289} 290 291matchall_mirror_behind_flower_egress_test() 292{ 293 matchall_behind_flower_egress_test "mirror" "mirred egress mirror dev $swp2" 294} 295 296matchall_proto_match_test() 297{ 298 RET=0 299 300 tc qdisc add dev $swp1 clsact 301 302 tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \ 303 matchall skip_sw \ 304 action sample group 1 rate 100 305 check_fail $? "Incorrect success to add matchall rule with protocol match" 306 307 tc qdisc del dev $swp1 clsact 308 309 log_test "matchall protocol match" 310} 311 312police_limits_test() 313{ 314 RET=0 315 316 tc qdisc add dev $swp1 clsact 317 318 tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \ 319 flower skip_sw \ 320 action police rate 0.5kbit burst 1m conform-exceed drop/ok 321 check_fail $? "Incorrect success to add police action with too low rate" 322 323 tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \ 324 flower skip_sw \ 325 action police rate 2.5tbit burst 1g conform-exceed drop/ok 326 check_fail $? "Incorrect success to add police action with too high rate" 327 328 tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \ 329 flower skip_sw \ 330 action police rate 1.5kbit burst 1m conform-exceed drop/ok 331 check_err $? "Failed to add police action with low rate" 332 333 tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower 334 335 tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \ 336 flower skip_sw \ 337 action police rate 1.9tbit burst 1g conform-exceed drop/ok 338 check_err $? "Failed to add police action with high rate" 339 340 tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower 341 342 tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \ 343 flower skip_sw \ 344 action police rate 1.5kbit burst 512b conform-exceed drop/ok 345 check_fail $? "Incorrect success to add police action with too low burst size" 346 347 tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \ 348 flower skip_sw \ 349 action police rate 1.5kbit burst 2k conform-exceed drop/ok 350 check_err $? "Failed to add police action with low burst size" 351 352 tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower 353 354 tc qdisc del dev $swp1 clsact 355 356 log_test "police rate and burst limits" 357} 358 359multi_police_test() 360{ 361 RET=0 362 363 # It is forbidden in mlxsw driver to have multiple police 364 # actions in a single rule. 365 366 tc qdisc add dev $swp1 clsact 367 368 tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \ 369 flower skip_sw \ 370 action police rate 100mbit burst 100k conform-exceed drop/ok 371 check_err $? "Failed to add rule with single police action" 372 373 tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower 374 375 tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \ 376 flower skip_sw \ 377 action police rate 100mbit burst 100k conform-exceed drop/pipe \ 378 action police rate 200mbit burst 200k conform-exceed drop/ok 379 check_fail $? "Incorrect success to add rule with two police actions" 380 381 tc qdisc del dev $swp1 clsact 382 383 log_test "multi police" 384} 385 386setup_prepare() 387{ 388 swp1=${NETIFS[p1]} 389 swp2=${NETIFS[p2]} 390 391 vrf_prepare 392 393 switch_create 394} 395 396cleanup() 397{ 398 pre_cleanup 399 400 switch_destroy 401 402 vrf_cleanup 403} 404 405check_tc_shblock_support 406 407trap cleanup EXIT 408 409setup_prepare 410setup_wait 411 412tests_run 413 414exit $EXIT_STATUS