tc_flower_chains.sh (10645B)
1#!/bin/bash 2# SPDX-License-Identifier: GPL-2.0 3# Copyright 2020 NXP 4 5WAIT_TIME=1 6NUM_NETIFS=4 7STABLE_MAC_ADDRS=yes 8lib_dir=$(dirname $0)/../../../net/forwarding 9source $lib_dir/tc_common.sh 10source $lib_dir/lib.sh 11 12require_command tcpdump 13 14h1=${NETIFS[p1]} 15swp1=${NETIFS[p2]} 16swp2=${NETIFS[p3]} 17h2=${NETIFS[p4]} 18 19# Helpers to map a VCAP IS1 and VCAP IS2 lookup and policy to a chain number 20# used by the kernel driver. The numbers are: 21# VCAP IS1 lookup 0: 10000 22# VCAP IS1 lookup 1: 11000 23# VCAP IS1 lookup 2: 12000 24# VCAP IS2 lookup 0 policy 0: 20000 25# VCAP IS2 lookup 0 policy 1: 20001 26# VCAP IS2 lookup 0 policy 255: 20255 27# VCAP IS2 lookup 1 policy 0: 21000 28# VCAP IS2 lookup 1 policy 1: 21001 29# VCAP IS2 lookup 1 policy 255: 21255 30IS1() 31{ 32 local lookup=$1 33 34 echo $((10000 + 1000 * lookup)) 35} 36 37IS2() 38{ 39 local lookup=$1 40 local pag=$2 41 42 echo $((20000 + 1000 * lookup + pag)) 43} 44 45ES0() 46{ 47 echo 0 48} 49 50# The Ocelot switches have a fixed ingress pipeline composed of: 51# 52# +----------------------------------------------+ +-----------------------------------------+ 53# | VCAP IS1 | | VCAP IS2 | 54# | | | | 55# | +----------+ +----------+ +----------+ | | +----------+ +----------+ | 56# | | Lookup 0 | | Lookup 1 | | Lookup 2 | | --+------> PAG 0: | Lookup 0 | -> | Lookup 1 | | 57# | +----------+ -> +----------+ -> +----------+ | | | +----------+ +----------+ | 58# | |key&action| |key&action| |key&action| | | | |key&action| |key&action| | 59# | |key&action| |key&action| |key&action| | | | | .. | | .. | | 60# | | .. | | .. | | .. | | | | +----------+ +----------+ | 61# | +----------+ +----------+ +----------+ | | | | 62# | selects PAG | | | +----------+ +----------+ | 63# +----------------------------------------------+ +------> PAG 1: | Lookup 0 | -> | Lookup 1 | | 64# | | +----------+ +----------+ | 65# | | |key&action| |key&action| | 66# | | | .. | | .. | | 67# | | +----------+ +----------+ | 68# | | ... | 69# | | | 70# | | +----------+ +----------+ | 71# +----> PAG 254: | Lookup 0 | -> | Lookup 1 | | 72# | | +----------+ +----------+ | 73# | | |key&action| |key&action| | 74# | | | .. | | .. | | 75# | | +----------+ +----------+ | 76# | | | 77# | | +----------+ +----------+ | 78# +----> PAG 255: | Lookup 0 | -> | Lookup 1 | | 79# | +----------+ +----------+ | 80# | |key&action| |key&action| | 81# | | .. | | .. | | 82# | +----------+ +----------+ | 83# +-----------------------------------------+ 84# 85# Both the VCAP IS1 (Ingress Stage 1) and IS2 (Ingress Stage 2) are indexed 86# (looked up) multiple times: IS1 3 times, and IS2 2 times. Each filter 87# (key and action pair) can be configured to only match during the first, or 88# second, etc, lookup. 89# 90# During one TCAM lookup, the filter processing stops at the first entry that 91# matches, then the pipeline jumps to the next lookup. 92# The driver maps each individual lookup of each individual ingress TCAM to a 93# separate chain number. For correct rule offloading, it is mandatory that each 94# filter installed in one TCAM is terminated by a non-optional GOTO action to 95# the next lookup from the fixed pipeline. 96# 97# A chain can only be used if there is a GOTO action correctly set up from the 98# prior lookup in the processing pipeline. Setting up all chains is not 99# mandatory. 100 101# NOTE: VCAP IS1 currently uses only S1_NORMAL half keys and VCAP IS2 102# dynamically chooses between MAC_ETYPE, ARP, IP4_TCP_UDP, IP4_OTHER, which are 103# all half keys as well. 104 105create_tcam_skeleton() 106{ 107 local eth=$1 108 109 tc qdisc add dev $eth clsact 110 111 # VCAP IS1 is the Ingress Classification TCAM and can offload the 112 # following actions: 113 # - skbedit priority 114 # - vlan pop 115 # - vlan modify 116 # - goto (only in lookup 2, the last IS1 lookup) 117 tc filter add dev $eth ingress chain 0 pref 49152 flower \ 118 skip_sw action goto chain $(IS1 0) 119 tc filter add dev $eth ingress chain $(IS1 0) pref 49152 \ 120 flower skip_sw action goto chain $(IS1 1) 121 tc filter add dev $eth ingress chain $(IS1 1) pref 49152 \ 122 flower skip_sw action goto chain $(IS1 2) 123 tc filter add dev $eth ingress chain $(IS1 2) pref 49152 \ 124 flower skip_sw action goto chain $(IS2 0 0) 125 126 # VCAP IS2 is the Security Enforcement ingress TCAM and can offload the 127 # following actions: 128 # - trap 129 # - drop 130 # - police 131 # The two VCAP IS2 lookups can be segmented into up to 256 groups of 132 # rules, called Policies. A Policy is selected through the Policy 133 # Association Group (PAG) action of VCAP IS1 (which is the 134 # GOTO offload). 135 tc filter add dev $eth ingress chain $(IS2 0 0) pref 49152 \ 136 flower skip_sw action goto chain $(IS2 1 0) 137} 138 139setup_prepare() 140{ 141 ip link set $swp1 up 142 ip link set $swp2 up 143 ip link set $h2 up 144 ip link set $h1 up 145 146 create_tcam_skeleton $swp1 147 148 ip link add br0 type bridge 149 ip link set $swp1 master br0 150 ip link set $swp2 master br0 151 ip link set br0 up 152 153 ip link add link $h1 name $h1.100 type vlan id 100 154 ip link set $h1.100 up 155 156 ip link add link $h1 name $h1.200 type vlan id 200 157 ip link set $h1.200 up 158 159 tc filter add dev $swp1 ingress chain $(IS1 1) pref 1 \ 160 protocol 802.1Q flower skip_sw vlan_id 100 \ 161 action vlan pop \ 162 action goto chain $(IS1 2) 163 164 tc filter add dev $swp1 egress chain $(ES0) pref 1 \ 165 flower skip_sw indev $swp2 \ 166 action vlan push protocol 802.1Q id 100 167 168 tc filter add dev $swp1 ingress chain $(IS1 0) pref 2 \ 169 protocol ipv4 flower skip_sw src_ip 10.1.1.2 \ 170 action skbedit priority 7 \ 171 action goto chain $(IS1 1) 172 173 tc filter add dev $swp1 ingress chain $(IS2 0 0) pref 1 \ 174 protocol ipv4 flower skip_sw ip_proto udp dst_port 5201 \ 175 action police rate 50mbit burst 64k conform-exceed drop/pipe \ 176 action goto chain $(IS2 1 0) 177} 178 179cleanup() 180{ 181 ip link del $h1.200 182 ip link del $h1.100 183 tc qdisc del dev $swp1 clsact 184 ip link del br0 185} 186 187test_vlan_pop() 188{ 189 local h1_mac=$(mac_get $h1) 190 local h2_mac=$(mac_get $h2) 191 192 RET=0 193 194 tcpdump_start $h2 195 196 # Work around Mausezahn VLAN builder bug 197 # (https://github.com/netsniff-ng/netsniff-ng/issues/225) by using 198 # an 8021q upper 199 $MZ $h1.100 -q -c 1 -p 64 -a $h1_mac -b $h2_mac -t ip 200 201 sleep 1 202 203 tcpdump_stop $h2 204 205 tcpdump_show $h2 | grep -q "$h1_mac > $h2_mac, ethertype IPv4" 206 check_err "$?" "untagged reception" 207 208 tcpdump_cleanup $h2 209 210 log_test "VLAN pop" 211} 212 213test_vlan_push() 214{ 215 local h1_mac=$(mac_get $h1) 216 local h2_mac=$(mac_get $h2) 217 218 RET=0 219 220 tcpdump_start $h1.100 221 222 $MZ $h2 -q -c 1 -p 64 -a $h2_mac -b $h1_mac -t ip 223 224 sleep 1 225 226 tcpdump_stop $h1.100 227 228 tcpdump_show $h1.100 | grep -q "$h2_mac > $h1_mac" 229 check_err "$?" "tagged reception" 230 231 tcpdump_cleanup $h1.100 232 233 log_test "VLAN push" 234} 235 236test_vlan_ingress_modify() 237{ 238 local h1_mac=$(mac_get $h1) 239 local h2_mac=$(mac_get $h2) 240 241 RET=0 242 243 ip link set br0 type bridge vlan_filtering 1 244 bridge vlan add dev $swp1 vid 200 245 bridge vlan add dev $swp1 vid 300 246 bridge vlan add dev $swp2 vid 300 247 248 tc filter add dev $swp1 ingress chain $(IS1 2) pref 3 \ 249 protocol 802.1Q flower skip_sw vlan_id 200 \ 250 action vlan modify id 300 \ 251 action goto chain $(IS2 0 0) 252 253 tcpdump_start $h2 254 255 $MZ $h1.200 -q -c 1 -p 64 -a $h1_mac -b $h2_mac -t ip 256 257 sleep 1 258 259 tcpdump_stop $h2 260 261 tcpdump_show $h2 | grep -q "$h1_mac > $h2_mac, .* vlan 300" 262 check_err "$?" "tagged reception" 263 264 tcpdump_cleanup $h2 265 266 tc filter del dev $swp1 ingress chain $(IS1 2) pref 3 267 268 bridge vlan del dev $swp1 vid 200 269 bridge vlan del dev $swp1 vid 300 270 bridge vlan del dev $swp2 vid 300 271 ip link set br0 type bridge vlan_filtering 0 272 273 log_test "Ingress VLAN modification" 274} 275 276test_vlan_egress_modify() 277{ 278 local h1_mac=$(mac_get $h1) 279 local h2_mac=$(mac_get $h2) 280 281 RET=0 282 283 tc qdisc add dev $swp2 clsact 284 285 ip link set br0 type bridge vlan_filtering 1 286 bridge vlan add dev $swp1 vid 200 287 bridge vlan add dev $swp2 vid 200 288 289 tc filter add dev $swp2 egress chain $(ES0) pref 3 \ 290 protocol 802.1Q flower skip_sw vlan_id 200 vlan_prio 0 \ 291 action vlan modify id 300 priority 7 292 293 tcpdump_start $h2 294 295 $MZ $h1.200 -q -c 1 -p 64 -a $h1_mac -b $h2_mac -t ip 296 297 sleep 1 298 299 tcpdump_stop $h2 300 301 tcpdump_show $h2 | grep -q "$h1_mac > $h2_mac, .* vlan 300" 302 check_err "$?" "tagged reception" 303 304 tcpdump_cleanup $h2 305 306 tc filter del dev $swp2 egress chain $(ES0) pref 3 307 tc qdisc del dev $swp2 clsact 308 309 bridge vlan del dev $swp1 vid 200 310 bridge vlan del dev $swp2 vid 200 311 ip link set br0 type bridge vlan_filtering 0 312 313 log_test "Egress VLAN modification" 314} 315 316test_skbedit_priority() 317{ 318 local h1_mac=$(mac_get $h1) 319 local h2_mac=$(mac_get $h2) 320 local num_pkts=100 321 322 before=$(ethtool_stats_get $swp1 'rx_green_prio_7') 323 324 $MZ $h1 -q -c $num_pkts -p 64 -a $h1_mac -b $h2_mac -t ip -A 10.1.1.2 325 326 after=$(ethtool_stats_get $swp1 'rx_green_prio_7') 327 328 if [ $((after - before)) = $num_pkts ]; then 329 RET=0 330 else 331 RET=1 332 fi 333 334 log_test "Frame prioritization" 335} 336 337trap cleanup EXIT 338 339ALL_TESTS=" 340 test_vlan_pop 341 test_vlan_push 342 test_vlan_ingress_modify 343 test_vlan_egress_modify 344 test_skbedit_priority 345" 346 347setup_prepare 348setup_wait 349 350tests_run 351 352exit $EXIT_STATUS