xref: /linux/tools/testing/selftests/net/forwarding/tc_flower_port_range.sh (revision 27eddbf3449026a73d6ed52d55b192bfcf526a03) 
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3
4# +-----------------------+                             +----------------------+
5# | H1 (vrf)              |                             | H2 (vrf)             |
6# |    + $h1              |                             |              $h2 +   |
7# |    | 192.0.2.1/28     |                             |     192.0.2.2/28 |   |
8# |    | 2001:db8:1::1/64 |                             | 2001:db8:1::2/64 |   |
9# +----|------------------+                             +------------------|---+
10#      |                                                                   |
11# +----|-------------------------------------------------------------------|---+
12# | SW |                                                                   |   |
13# |  +-|-------------------------------------------------------------------|-+ |
14# |  | + $swp1                       BR                              $swp2 + | |
15# |  +-----------------------------------------------------------------------+ |
16# +----------------------------------------------------------------------------+
17
18ALL_TESTS="
19	test_port_range_ipv4_udp
20	test_port_range_ipv4_tcp
21	test_port_range_ipv6_udp
22	test_port_range_ipv6_tcp
23	test_port_range_ipv4_udp_drop
24"
25
26NUM_NETIFS=4
27source lib.sh
28source tc_common.sh
29
30h1_create()
31{
32	simple_if_init $h1 192.0.2.1/28 2001:db8:1::1/64
33}
34
35h1_destroy()
36{
37	simple_if_fini $h1 192.0.2.1/28 2001:db8:1::1/64
38}
39
40h2_create()
41{
42	simple_if_init $h2 192.0.2.2/28 2001:db8:1::2/64
43}
44
45h2_destroy()
46{
47	simple_if_fini $h2 192.0.2.2/28 2001:db8:1::2/64
48}
49
50switch_create()
51{
52	ip link add name br1 type bridge
53	ip link set dev $swp1 master br1
54	ip link set dev $swp1 up
55	ip link set dev $swp2 master br1
56	ip link set dev $swp2 up
57	ip link set dev br1 up
58
59	tc qdisc add dev $swp1 clsact
60	tc qdisc add dev $swp2 clsact
61}
62
63switch_destroy()
64{
65	tc qdisc del dev $swp2 clsact
66	tc qdisc del dev $swp1 clsact
67
68	ip link set dev br1 down
69	ip link set dev $swp2 down
70	ip link set dev $swp2 nomaster
71	ip link set dev $swp1 down
72	ip link set dev $swp1 nomaster
73	ip link del dev br1
74}
75
76__test_port_range()
77{
78	local proto=$1; shift
79	local ip_proto=$1; shift
80	local sip=$1; shift
81	local dip=$1; shift
82	local mode=$1; shift
83	local name=$1; shift
84	local dmac=$(mac_get $h2)
85	local smac=$(mac_get $h1)
86	local sport_min=100
87	local sport_max=200
88	local sport_mid=$((sport_min + (sport_max - sport_min) / 2))
89	local dport_min=300
90	local dport_max=400
91	local dport_mid=$((dport_min + (dport_max - dport_min) / 2))
92
93	RET=0
94
95	tc filter add dev $swp1 ingress protocol $proto handle 101 pref 1 \
96		flower src_ip $sip dst_ip $dip ip_proto $ip_proto \
97		src_port $sport_min-$sport_max \
98		dst_port $dport_min-$dport_max \
99		action pass
100	tc filter add dev $swp2 egress protocol $proto handle 101 pref 1 \
101		flower src_ip $sip dst_ip $dip ip_proto $ip_proto \
102		src_port $sport_min-$sport_max \
103		dst_port $dport_min-$dport_max \
104		action drop
105
106	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
107		-t $ip_proto "sp=$sport_min,dp=$dport_min"
108	tc_check_packets "dev $swp1 ingress" 101 1
109	check_err $? "Ingress filter not hit with minimum ports"
110	tc_check_packets "dev $swp2 egress" 101 1
111	check_err $? "Egress filter not hit with minimum ports"
112
113	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
114		-t $ip_proto "sp=$sport_mid,dp=$dport_mid"
115	tc_check_packets "dev $swp1 ingress" 101 2
116	check_err $? "Ingress filter not hit with middle ports"
117	tc_check_packets "dev $swp2 egress" 101 2
118	check_err $? "Egress filter not hit with middle ports"
119
120	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
121		-t $ip_proto "sp=$sport_max,dp=$dport_max"
122	tc_check_packets "dev $swp1 ingress" 101 3
123	check_err $? "Ingress filter not hit with maximum ports"
124	tc_check_packets "dev $swp2 egress" 101 3
125	check_err $? "Egress filter not hit with maximum ports"
126
127	# Send traffic when both ports are out of range and when only one port
128	# is out of range.
129	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
130		-t $ip_proto "sp=$((sport_min - 1)),dp=$dport_min"
131	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
132		-t $ip_proto "sp=$((sport_max + 1)),dp=$dport_min"
133	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
134		-t $ip_proto "sp=$sport_min,dp=$((dport_min - 1))"
135	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
136		-t $ip_proto "sp=$sport_min,dp=$((dport_max + 1))"
137	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
138		-t $ip_proto "sp=$((sport_max + 1)),dp=$((dport_max + 1))"
139	tc_check_packets "dev $swp1 ingress" 101 3
140	check_err $? "Ingress filter was hit when should not"
141	tc_check_packets "dev $swp2 egress" 101 3
142	check_err $? "Egress filter was hit when should not"
143
144	tc filter del dev $swp2 egress protocol $proto pref 1 handle 101 flower
145	tc filter del dev $swp1 ingress protocol $proto pref 1 handle 101 flower
146
147	log_test "Port range matching - $name"
148}
149
150test_port_range_ipv4_udp()
151{
152	local proto=ipv4
153	local ip_proto=udp
154	local sip=192.0.2.1
155	local dip=192.0.2.2
156	local mode="-4"
157	local name="IPv4 UDP"
158
159	__test_port_range $proto $ip_proto $sip $dip $mode "$name"
160}
161
162test_port_range_ipv4_tcp()
163{
164	local proto=ipv4
165	local ip_proto=tcp
166	local sip=192.0.2.1
167	local dip=192.0.2.2
168	local mode="-4"
169	local name="IPv4 TCP"
170
171	__test_port_range $proto $ip_proto $sip $dip $mode "$name"
172}
173
174test_port_range_ipv6_udp()
175{
176	local proto=ipv6
177	local ip_proto=udp
178	local sip=2001:db8:1::1
179	local dip=2001:db8:1::2
180	local mode="-6"
181	local name="IPv6 UDP"
182
183	__test_port_range $proto $ip_proto $sip $dip $mode "$name"
184}
185
186test_port_range_ipv6_tcp()
187{
188	local proto=ipv6
189	local ip_proto=tcp
190	local sip=2001:db8:1::1
191	local dip=2001:db8:1::2
192	local mode="-6"
193	local name="IPv6 TCP"
194
195	__test_port_range $proto $ip_proto $sip $dip $mode "$name"
196}
197
198test_port_range_ipv4_udp_drop()
199{
200	local proto=ipv4
201	local ip_proto=udp
202	local sip=192.0.2.1
203	local dip=192.0.2.2
204	local mode="-4"
205	local name="IPv4 UDP Drop"
206	local dmac=$(mac_get $h2)
207	local smac=$(mac_get $h1)
208	local sport_min=2000
209	local sport_max=3000
210	local sport_mid=$((sport_min + (sport_max - sport_min) / 2))
211	local dport=5000
212
213	RET=0
214
215	tc filter add dev $swp1 ingress protocol $proto handle 101 pref 1 \
216		flower src_ip $sip dst_ip $dip ip_proto $ip_proto \
217		src_port $sport_min-$sport_max \
218		dst_port $dport \
219		action drop
220
221	# Test ports outside range - should pass
222	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
223		-t $ip_proto "sp=$((sport_min - 1)),dp=$dport"
224	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
225		-t $ip_proto "sp=$((sport_max + 1)),dp=$dport"
226
227	# Test ports inside range - should be dropped
228	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
229		-t $ip_proto "sp=$sport_min,dp=$dport"
230	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
231		-t $ip_proto "sp=$sport_mid,dp=$dport"
232	$MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
233		-t $ip_proto "sp=$sport_max,dp=$dport"
234
235	tc_check_packets "dev $swp1 ingress" 101 3
236	check_err $? "Filter did not drop the expected number of packets"
237
238	tc filter del dev $swp1 ingress protocol $proto pref 1 handle 101 flower
239
240	log_test "Port range matching - $name"
241}
242
243setup_prepare()
244{
245	h1=${NETIFS[p1]}
246	swp1=${NETIFS[p2]}
247
248	swp2=${NETIFS[p3]}
249	h2=${NETIFS[p4]}
250
251	vrf_prepare
252	h1_create
253	h2_create
254	switch_create
255}
256
257cleanup()
258{
259	pre_cleanup
260
261	switch_destroy
262	h2_destroy
263	h1_destroy
264	vrf_cleanup
265}
266
267trap cleanup EXIT
268
269setup_prepare
270setup_wait
271
272tests_run
273
274exit $EXIT_STATUS
275