• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3
4ALL_TESTS="gact_drop_and_ok_test mirred_egress_redirect_test \
5	mirred_egress_mirror_test matchall_mirred_egress_mirror_test \
6	gact_trap_test mirred_egress_to_ingress_tcp_test"
7NUM_NETIFS=4
8source tc_common.sh
9source lib.sh
10
11tcflags="skip_hw"
12
13h1_create()
14{
15	simple_if_init $h1 192.0.2.1/24
16}
17
18h1_destroy()
19{
20	simple_if_fini $h1 192.0.2.1/24
21}
22
23h2_create()
24{
25	simple_if_init $h2 192.0.2.2/24
26	tc qdisc add dev $h2 clsact
27}
28
29h2_destroy()
30{
31	tc qdisc del dev $h2 clsact
32	simple_if_fini $h2 192.0.2.2/24
33}
34
35switch_create()
36{
37	simple_if_init $swp1 192.0.2.2/24
38	tc qdisc add dev $swp1 clsact
39
40	simple_if_init $swp2 192.0.2.1/24
41}
42
43switch_destroy()
44{
45	simple_if_fini $swp2 192.0.2.1/24
46
47	tc qdisc del dev $swp1 clsact
48	simple_if_fini $swp1 192.0.2.2/24
49}
50
51mirred_egress_test()
52{
53	local action=$1
54	local protocol=$2
55	local classifier=$3
56	local classifier_args=$4
57
58	RET=0
59
60	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
61		$tcflags dst_ip 192.0.2.2 action drop
62
63	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
64		-t ip -q
65
66	tc_check_packets "dev $h2 ingress" 101 1
67	check_fail $? "Matched without redirect rule inserted"
68
69	tc filter add dev $swp1 ingress protocol $protocol pref 1 handle 101 \
70		$classifier $tcflags $classifier_args \
71		action mirred egress $action dev $swp2
72
73	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
74		-t ip -q
75
76	tc_check_packets "dev $h2 ingress" 101 1
77	check_err $? "Did not match incoming $action packet"
78
79	tc filter del dev $swp1 ingress protocol $protocol pref 1 handle 101 \
80		$classifier
81	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
82
83	log_test "mirred egress $classifier $action ($tcflags)"
84}
85
86gact_drop_and_ok_test()
87{
88	RET=0
89
90	tc filter add dev $swp1 ingress protocol ip pref 2 handle 102 flower \
91		$tcflags dst_ip 192.0.2.2 action drop
92
93	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
94		-t ip -q
95
96	tc_check_packets "dev $swp1 ingress" 102 1
97	check_err $? "Packet was not dropped"
98
99	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
100		$tcflags dst_ip 192.0.2.2 action ok
101
102	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
103		-t ip -q
104
105	tc_check_packets "dev $swp1 ingress" 101 1
106	check_err $? "Did not see passed packet"
107
108	tc_check_packets "dev $swp1 ingress" 102 2
109	check_fail $? "Packet was dropped and it should not reach here"
110
111	tc filter del dev $swp1 ingress protocol ip pref 2 handle 102 flower
112	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
113
114	log_test "gact drop and ok ($tcflags)"
115}
116
117gact_trap_test()
118{
119	RET=0
120
121	if [[ "$tcflags" != "skip_sw" ]]; then
122		return 0;
123	fi
124
125	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
126		skip_hw dst_ip 192.0.2.2 action drop
127	tc filter add dev $swp1 ingress protocol ip pref 3 handle 103 flower \
128		$tcflags dst_ip 192.0.2.2 action mirred egress redirect \
129		dev $swp2
130
131	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
132		-t ip -q
133
134	tc_check_packets "dev $swp1 ingress" 101 1
135	check_fail $? "Saw packet without trap rule inserted"
136
137	tc filter add dev $swp1 ingress protocol ip pref 2 handle 102 flower \
138		$tcflags dst_ip 192.0.2.2 action trap
139
140	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
141		-t ip -q
142
143	tc_check_packets "dev $swp1 ingress" 102 1
144	check_err $? "Packet was not trapped"
145
146	tc_check_packets "dev $swp1 ingress" 101 1
147	check_err $? "Did not see trapped packet"
148
149	tc filter del dev $swp1 ingress protocol ip pref 3 handle 103 flower
150	tc filter del dev $swp1 ingress protocol ip pref 2 handle 102 flower
151	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
152
153	log_test "trap ($tcflags)"
154}
155
156mirred_egress_to_ingress_tcp_test()
157{
158	local tmpfile=$(mktemp) tmpfile1=$(mktemp)
159
160	RET=0
161	dd conv=sparse status=none if=/dev/zero bs=1M count=2 of=$tmpfile
162	tc filter add dev $h1 protocol ip pref 100 handle 100 egress flower \
163		$tcflags ip_proto tcp src_ip 192.0.2.1 dst_ip 192.0.2.2 \
164			action ct commit nat src addr 192.0.2.2 pipe \
165			action ct clear pipe \
166			action ct commit nat dst addr 192.0.2.1 pipe \
167			action ct clear pipe \
168			action skbedit ptype host pipe \
169			action mirred ingress redirect dev $h1
170	tc filter add dev $h1 protocol ip pref 101 handle 101 egress flower \
171		$tcflags ip_proto icmp \
172			action mirred ingress redirect dev $h1
173	tc filter add dev $h1 protocol ip pref 102 handle 102 ingress flower \
174		ip_proto icmp \
175			action drop
176
177	ip vrf exec v$h1 nc --recv-only -w10 -l -p 12345 -o $tmpfile1  &
178	local rpid=$!
179	ip vrf exec v$h1 nc -w1 --send-only 192.0.2.2 12345 <$tmpfile
180	wait -n $rpid
181	cmp -s $tmpfile $tmpfile1
182	check_err $? "server output check failed"
183
184	$MZ $h1 -c 10 -p 64 -a $h1mac -b $h1mac -A 192.0.2.1 -B 192.0.2.1 \
185		-t icmp "ping,id=42,seq=5" -q
186	tc_check_packets "dev $h1 egress" 101 10
187	check_err $? "didn't mirred redirect ICMP"
188	tc_check_packets "dev $h1 ingress" 102 10
189	check_err $? "didn't drop mirred ICMP"
190	local overlimits=$(tc_rule_stats_get ${h1} 101 egress .overlimits)
191	test ${overlimits} = 10
192	check_err $? "wrong overlimits, expected 10 got ${overlimits}"
193
194	tc filter del dev $h1 egress protocol ip pref 100 handle 100 flower
195	tc filter del dev $h1 egress protocol ip pref 101 handle 101 flower
196	tc filter del dev $h1 ingress protocol ip pref 102 handle 102 flower
197
198	rm -f $tmpfile $tmpfile1
199	log_test "mirred_egress_to_ingress_tcp ($tcflags)"
200}
201
202setup_prepare()
203{
204	h1=${NETIFS[p1]}
205	swp1=${NETIFS[p2]}
206
207	swp2=${NETIFS[p3]}
208	h2=${NETIFS[p4]}
209
210	h1mac=$(mac_get $h1)
211	h2mac=$(mac_get $h2)
212
213	swp1origmac=$(mac_get $swp1)
214	swp2origmac=$(mac_get $swp2)
215	ip link set $swp1 address $h2mac
216	ip link set $swp2 address $h1mac
217
218	vrf_prepare
219
220	h1_create
221	h2_create
222	switch_create
223}
224
225cleanup()
226{
227	pre_cleanup
228
229	switch_destroy
230	h2_destroy
231	h1_destroy
232
233	vrf_cleanup
234
235	ip link set $swp2 address $swp2origmac
236	ip link set $swp1 address $swp1origmac
237}
238
239mirred_egress_redirect_test()
240{
241	mirred_egress_test "redirect" "ip" "flower" "dst_ip 192.0.2.2"
242}
243
244mirred_egress_mirror_test()
245{
246	mirred_egress_test "mirror" "ip" "flower" "dst_ip 192.0.2.2"
247}
248
249matchall_mirred_egress_mirror_test()
250{
251	mirred_egress_test "mirror" "all" "matchall" ""
252}
253
254trap cleanup EXIT
255
256setup_prepare
257setup_wait
258
259tests_run
260
261tc_offload_check
262if [[ $? -ne 0 ]]; then
263	log_info "Could not test offloaded functionality"
264else
265	tcflags="skip_sw"
266	tests_run
267fi
268
269exit $EXIT_STATUS
270