xref: /linux/tools/testing/selftests/drivers/net/mlxsw/spectrum-2/tc_flower.sh (revision a5d9265e017f081f0dc133c0e2f45103d027b874) 
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3
4# This test is for checking the A-TCAM and C-TCAM operation in Spectrum-2.
5# It tries to exercise as many code paths in the eRP state machine as
6# possible.
7
8lib_dir=$(dirname $0)/../../../../net/forwarding
9
10ALL_TESTS="single_mask_test identical_filters_test two_masks_test \
11	multiple_masks_test ctcam_edge_cases_test delta_simple_test \
12	delta_two_masks_one_key_test delta_simple_rehash_test \
13	bloom_simple_test bloom_complex_test bloom_delta_test"
14NUM_NETIFS=2
15source $lib_dir/tc_common.sh
16source $lib_dir/devlink_lib.sh
17
18tcflags="skip_hw"
19
20h1_create()
21{
22	simple_if_init $h1 192.0.2.1/24 198.51.100.1/24
23}
24
25h1_destroy()
26{
27	simple_if_fini $h1 192.0.2.1/24 198.51.100.1/24
28}
29
30h2_create()
31{
32	simple_if_init $h2 192.0.2.2/24 198.51.100.2/24
33	tc qdisc add dev $h2 clsact
34}
35
36h2_destroy()
37{
38	tc qdisc del dev $h2 clsact
39	simple_if_fini $h2 192.0.2.2/24 198.51.100.2/24
40}
41
42tp_record()
43{
44	local tracepoint=$1
45	local cmd=$2
46
47	perf record -q -e $tracepoint $cmd
48	return $?
49}
50
51tp_record_all()
52{
53	local tracepoint=$1
54	local seconds=$2
55
56	perf record -a -q -e $tracepoint sleep $seconds
57	return $?
58}
59
60__tp_hit_count()
61{
62	local tracepoint=$1
63
64	local perf_output=`perf script -F trace:event,trace`
65	return `echo $perf_output | grep "$tracepoint:" | wc -l`
66}
67
68tp_check_hits()
69{
70	local tracepoint=$1
71	local count=$2
72
73	__tp_hit_count $tracepoint
74	if [[ "$?" -ne "$count" ]]; then
75		return 1
76	fi
77	return 0
78}
79
80tp_check_hits_any()
81{
82	local tracepoint=$1
83
84	__tp_hit_count $tracepoint
85	if [[ "$?" -eq "0" ]]; then
86		return 1
87	fi
88	return 0
89}
90
91single_mask_test()
92{
93	# When only a single mask is required, the device uses the master
94	# mask and not the eRP table. Verify that under this mode the right
95	# filter is matched
96
97	RET=0
98
99	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
100		$tcflags dst_ip 192.0.2.2 action drop
101
102	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
103		-t ip -q
104
105	tc_check_packets "dev $h2 ingress" 101 1
106	check_err $? "Single filter - did not match"
107
108	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
109		$tcflags dst_ip 198.51.100.2 action drop
110
111	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
112		-t ip -q
113
114	tc_check_packets "dev $h2 ingress" 101 2
115	check_err $? "Two filters - did not match highest priority"
116
117	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 198.51.100.1 -B 198.51.100.2 \
118		-t ip -q
119
120	tc_check_packets "dev $h2 ingress" 102 1
121	check_err $? "Two filters - did not match lowest priority"
122
123	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
124
125	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 198.51.100.1 -B 198.51.100.2 \
126		-t ip -q
127
128	tc_check_packets "dev $h2 ingress" 102 2
129	check_err $? "Single filter - did not match after delete"
130
131	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
132
133	log_test "single mask test ($tcflags)"
134}
135
136identical_filters_test()
137{
138	# When two filters that only differ in their priority are used,
139	# one needs to be inserted into the C-TCAM. This test verifies
140	# that filters are correctly spilled to C-TCAM and that the right
141	# filter is matched
142
143	RET=0
144
145	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
146		$tcflags dst_ip 192.0.2.2 action drop
147	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
148		$tcflags dst_ip 192.0.2.2 action drop
149
150	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
151		-t ip -q
152
153	tc_check_packets "dev $h2 ingress" 101 1
154	check_err $? "Did not match A-TCAM filter"
155
156	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
157
158	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
159		-t ip -q
160
161	tc_check_packets "dev $h2 ingress" 102 1
162	check_err $? "Did not match C-TCAM filter after A-TCAM delete"
163
164	tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \
165		$tcflags dst_ip 192.0.2.2 action drop
166
167	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
168		-t ip -q
169
170	tc_check_packets "dev $h2 ingress" 102 2
171	check_err $? "Did not match C-TCAM filter after A-TCAM add"
172
173	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
174
175	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
176		-t ip -q
177
178	tc_check_packets "dev $h2 ingress" 103 1
179	check_err $? "Did not match A-TCAM filter after C-TCAM delete"
180
181	tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower
182
183	log_test "identical filters test ($tcflags)"
184}
185
186two_masks_test()
187{
188	# When more than one mask is required, the eRP table is used. This
189	# test verifies that the eRP table is correctly allocated and used
190
191	RET=0
192
193	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
194		$tcflags dst_ip 192.0.2.2 action drop
195	tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \
196		$tcflags dst_ip 192.0.0.0/8 action drop
197
198	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
199		-t ip -q
200
201	tc_check_packets "dev $h2 ingress" 101 1
202	check_err $? "Two filters - did not match highest priority"
203
204	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
205
206	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
207		-t ip -q
208
209	tc_check_packets "dev $h2 ingress" 103 1
210	check_err $? "Single filter - did not match"
211
212	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
213		$tcflags dst_ip 192.0.2.0/24 action drop
214
215	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
216		-t ip -q
217
218	tc_check_packets "dev $h2 ingress" 102 1
219	check_err $? "Two filters - did not match highest priority after add"
220
221	tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower
222	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
223
224	log_test "two masks test ($tcflags)"
225}
226
227multiple_masks_test()
228{
229	# The number of masks in a region is limited. Once the maximum
230	# number of masks has been reached filters that require new
231	# masks are spilled to the C-TCAM. This test verifies that
232	# spillage is performed correctly and that the right filter is
233	# matched
234
235	if [[ "$tcflags" != "skip_sw" ]]; then
236		return 0;
237	fi
238
239	local index
240
241	RET=0
242
243	NUM_MASKS=32
244	NUM_ERPS=16
245	BASE_INDEX=100
246
247	for i in $(eval echo {1..$NUM_MASKS}); do
248		index=$((BASE_INDEX - i))
249
250		if ((i > NUM_ERPS)); then
251			exp_hits=1
252			err_msg="$i filters - C-TCAM spill did not happen when it was expected"
253		else
254			exp_hits=0
255			err_msg="$i filters - C-TCAM spill happened when it should not"
256		fi
257
258		tp_record "mlxsw:mlxsw_sp_acl_atcam_entry_add_ctcam_spill" \
259			"tc filter add dev $h2 ingress protocol ip pref $index \
260				handle $index \
261				flower $tcflags \
262				dst_ip 192.0.2.2/${i} src_ip 192.0.2.1/${i} \
263				action drop"
264		tp_check_hits "mlxsw:mlxsw_sp_acl_atcam_entry_add_ctcam_spill" \
265				$exp_hits
266		check_err $? "$err_msg"
267
268		$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 \
269			-B 192.0.2.2 -t ip -q
270
271		tc_check_packets "dev $h2 ingress" $index 1
272		check_err $? "$i filters - did not match highest priority (add)"
273	done
274
275	for i in $(eval echo {$NUM_MASKS..1}); do
276		index=$((BASE_INDEX - i))
277
278		$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 \
279			-B 192.0.2.2 -t ip -q
280
281		tc_check_packets "dev $h2 ingress" $index 2
282		check_err $? "$i filters - did not match highest priority (del)"
283
284		tc filter del dev $h2 ingress protocol ip pref $index \
285			handle $index flower
286	done
287
288	log_test "multiple masks test ($tcflags)"
289}
290
291ctcam_two_atcam_masks_test()
292{
293	RET=0
294
295	# First case: C-TCAM is disabled when there are two A-TCAM masks.
296	# We push a filter into the C-TCAM by using two identical filters
297	# as in identical_filters_test()
298
299	# Filter goes into A-TCAM
300	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
301		$tcflags dst_ip 192.0.2.2 action drop
302	# Filter goes into C-TCAM
303	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
304		$tcflags dst_ip 192.0.2.2 action drop
305	# Filter goes into A-TCAM
306	tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \
307		$tcflags dst_ip 192.0.0.0/16 action drop
308
309	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
310		-t ip -q
311
312	tc_check_packets "dev $h2 ingress" 101 1
313	check_err $? "Did not match A-TCAM filter"
314
315	# Delete both A-TCAM and C-TCAM filters and make sure the remaining
316	# A-TCAM filter still works
317	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
318	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
319
320	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
321		-t ip -q
322
323	tc_check_packets "dev $h2 ingress" 103 1
324	check_err $? "Did not match A-TCAM filter"
325
326	tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower
327
328	log_test "ctcam with two atcam masks test ($tcflags)"
329}
330
331ctcam_one_atcam_mask_test()
332{
333	RET=0
334
335	# Second case: C-TCAM is disabled when there is one A-TCAM mask.
336	# The test is similar to identical_filters_test()
337
338	# Filter goes into A-TCAM
339	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
340		$tcflags dst_ip 192.0.2.2 action drop
341	# Filter goes into C-TCAM
342	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
343		$tcflags dst_ip 192.0.2.2 action drop
344
345	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
346		-t ip -q
347
348	tc_check_packets "dev $h2 ingress" 101 1
349	check_err $? "Did not match C-TCAM filter"
350
351	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
352
353	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
354		-t ip -q
355
356	tc_check_packets "dev $h2 ingress" 102 1
357	check_err $? "Did not match A-TCAM filter"
358
359	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
360
361	log_test "ctcam with one atcam mask test ($tcflags)"
362}
363
364ctcam_no_atcam_masks_test()
365{
366	RET=0
367
368	# Third case: C-TCAM is disabled when there are no A-TCAM masks
369	# This test exercises the code path that transitions the eRP table
370	# to its initial state after deleting the last C-TCAM mask
371
372	# Filter goes into A-TCAM
373	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
374		$tcflags dst_ip 192.0.2.2 action drop
375	# Filter goes into C-TCAM
376	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
377		$tcflags dst_ip 192.0.2.2 action drop
378
379	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
380	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
381
382	log_test "ctcam with no atcam masks test ($tcflags)"
383}
384
385ctcam_edge_cases_test()
386{
387	# When the C-TCAM is disabled after deleting the last C-TCAM
388	# mask, we want to make sure the eRP state machine is put in
389	# the correct state
390
391	ctcam_two_atcam_masks_test
392	ctcam_one_atcam_mask_test
393	ctcam_no_atcam_masks_test
394}
395
396delta_simple_test()
397{
398	# The first filter will create eRP, the second filter will fit into
399	# the first eRP with delta. Remove the first rule then and check that
400        # the eRP stays (referenced by the second filter).
401
402	RET=0
403
404	if [[ "$tcflags" != "skip_sw" ]]; then
405		return 0;
406	fi
407
408	tp_record "objagg:*" "tc filter add dev $h2 ingress protocol ip \
409		   pref 1 handle 101 flower $tcflags dst_ip 192.0.0.0/24 \
410		   action drop"
411	tp_check_hits "objagg:objagg_obj_root_create" 1
412	check_err $? "eRP was not created"
413
414	tp_record "objagg:*" "tc filter add dev $h2 ingress protocol ip \
415		   pref 2 handle 102 flower $tcflags dst_ip 192.0.2.2 \
416		   action drop"
417	tp_check_hits "objagg:objagg_obj_root_create" 0
418	check_err $? "eRP was incorrectly created"
419	tp_check_hits "objagg:objagg_obj_parent_assign" 1
420	check_err $? "delta was not created"
421
422	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
423		-t ip -q
424
425	tc_check_packets "dev $h2 ingress" 101 1
426	check_fail $? "Matched a wrong filter"
427
428	tc_check_packets "dev $h2 ingress" 102 1
429	check_err $? "Did not match on correct filter"
430
431	tp_record "objagg:*" "tc filter del dev $h2 ingress protocol ip \
432		   pref 1 handle 101 flower"
433	tp_check_hits "objagg:objagg_obj_root_destroy" 0
434	check_err $? "eRP was incorrectly destroyed"
435	tp_check_hits "objagg:objagg_obj_parent_unassign" 0
436	check_err $? "delta was incorrectly destroyed"
437
438	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
439		-t ip -q
440
441	tc_check_packets "dev $h2 ingress" 102 2
442	check_err $? "Did not match on correct filter after the first was removed"
443
444	tp_record "objagg:*" "tc filter del dev $h2 ingress protocol ip \
445		   pref 2 handle 102 flower"
446	tp_check_hits "objagg:objagg_obj_parent_unassign" 1
447	check_err $? "delta was not destroyed"
448	tp_check_hits "objagg:objagg_obj_root_destroy" 1
449	check_err $? "eRP was not destroyed"
450
451	log_test "delta simple test ($tcflags)"
452}
453
454delta_two_masks_one_key_test()
455{
456	# If 2 keys are the same and only differ in mask in a way that
457	# they belong under the same ERP (second is delta of the first),
458	# there should be no C-TCAM spill.
459
460	RET=0
461
462	if [[ "$tcflags" != "skip_sw" ]]; then
463		return 0;
464	fi
465
466	tp_record "mlxsw:*" "tc filter add dev $h2 ingress protocol ip \
467		   pref 1 handle 101 flower $tcflags dst_ip 192.0.2.0/24 \
468		   action drop"
469	tp_check_hits "mlxsw:mlxsw_sp_acl_atcam_entry_add_ctcam_spill" 0
470	check_err $? "incorrect C-TCAM spill while inserting the first rule"
471
472	tp_record "mlxsw:*" "tc filter add dev $h2 ingress protocol ip \
473		   pref 2 handle 102 flower $tcflags dst_ip 192.0.2.2 \
474		   action drop"
475	tp_check_hits "mlxsw:mlxsw_sp_acl_atcam_entry_add_ctcam_spill" 0
476	check_err $? "incorrect C-TCAM spill while inserting the second rule"
477
478	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
479		-t ip -q
480
481	tc_check_packets "dev $h2 ingress" 101 1
482	check_err $? "Did not match on correct filter"
483
484	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
485
486	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
487		-t ip -q
488
489	tc_check_packets "dev $h2 ingress" 102 1
490	check_err $? "Did not match on correct filter"
491
492	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
493
494	log_test "delta two masks one key test ($tcflags)"
495}
496
497delta_simple_rehash_test()
498{
499	RET=0
500
501	if [[ "$tcflags" != "skip_sw" ]]; then
502		return 0;
503	fi
504
505	devlink dev param set $DEVLINK_DEV \
506		name acl_region_rehash_interval cmode runtime value 0
507	check_err $? "Failed to set ACL region rehash interval"
508
509	tp_record_all mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 7
510	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash
511	check_fail $? "Rehash trace was hit even when rehash should be disabled"
512
513	devlink dev param set $DEVLINK_DEV \
514		name acl_region_rehash_interval cmode runtime value 3000
515	check_err $? "Failed to set ACL region rehash interval"
516
517	sleep 1
518
519	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
520		$tcflags dst_ip 192.0.1.0/25 action drop
521	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
522		$tcflags dst_ip 192.0.2.2 action drop
523	tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \
524		$tcflags dst_ip 192.0.3.0/24 action drop
525
526	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
527		-t ip -q
528
529	tc_check_packets "dev $h2 ingress" 101 1
530	check_fail $? "Matched a wrong filter"
531
532	tc_check_packets "dev $h2 ingress" 103 1
533	check_fail $? "Matched a wrong filter"
534
535	tc_check_packets "dev $h2 ingress" 102 1
536	check_err $? "Did not match on correct filter"
537
538	tp_record_all mlxsw:* 3
539	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash
540	check_err $? "Rehash trace was not hit"
541	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate
542	check_err $? "Migrate trace was not hit"
543	tp_record_all mlxsw:* 3
544	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash
545	check_err $? "Rehash trace was not hit"
546	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate
547	check_fail $? "Migrate trace was hit when no migration should happen"
548
549	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
550		-t ip -q
551
552	tc_check_packets "dev $h2 ingress" 101 1
553	check_fail $? "Matched a wrong filter after rehash"
554
555	tc_check_packets "dev $h2 ingress" 103 1
556	check_fail $? "Matched a wrong filter after rehash"
557
558	tc_check_packets "dev $h2 ingress" 102 2
559	check_err $? "Did not match on correct filter after rehash"
560
561	tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower
562	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
563	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
564
565	log_test "delta simple rehash test ($tcflags)"
566}
567
568bloom_simple_test()
569{
570	# Bloom filter requires that the eRP table is used. This test
571	# verifies that Bloom filter is not harming correctness of ACLs.
572	# First, make sure that eRP table is used and then set rule patterns
573	# which are distant enough and will result skipping a lookup after
574	# consulting the Bloom filter. Although some eRP lookups are skipped,
575	# the correct filter should be hit.
576
577	RET=0
578
579	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
580		$tcflags dst_ip 192.0.2.2 action drop
581	tc filter add dev $h2 ingress protocol ip pref 5 handle 104 flower \
582		$tcflags dst_ip 198.51.100.2 action drop
583	tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \
584		$tcflags dst_ip 192.0.0.0/8 action drop
585
586	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
587		-t ip -q
588
589	tc_check_packets "dev $h2 ingress" 101 1
590	check_err $? "Two filters - did not match highest priority"
591
592	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 198.51.100.1 -B 198.51.100.2 \
593		-t ip -q
594
595	tc_check_packets "dev $h2 ingress" 104 1
596	check_err $? "Single filter - did not match"
597
598	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
599
600	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
601		-t ip -q
602
603	tc_check_packets "dev $h2 ingress" 103 1
604	check_err $? "Low prio filter - did not match"
605
606	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
607		$tcflags dst_ip 198.0.0.0/8 action drop
608
609	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 198.51.100.1 -B 198.51.100.2 \
610		-t ip -q
611
612	tc_check_packets "dev $h2 ingress" 102 1
613	check_err $? "Two filters - did not match highest priority after add"
614
615	tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower
616	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
617	tc filter del dev $h2 ingress protocol ip pref 5 handle 104 flower
618
619	log_test "bloom simple test ($tcflags)"
620}
621
622bloom_complex_test()
623{
624	# Bloom filter index computation is affected from region ID, eRP
625	# ID and from the region key size. In order to excercise those parts
626	# of the Bloom filter code, use a series of regions, each with a
627	# different key size and send packet that should hit all of them.
628	local index
629
630	RET=0
631	NUM_CHAINS=4
632	BASE_INDEX=100
633
634	# Create chain with up to 2 key blocks (ip_proto only)
635	tc chain add dev $h2 ingress chain 1 protocol ip flower \
636		ip_proto tcp &> /dev/null
637	# Create chain with 2-4 key blocks (ip_proto, src MAC)
638	tc chain add dev $h2 ingress chain 2 protocol ip flower \
639		ip_proto tcp \
640		src_mac 00:00:00:00:00:00/FF:FF:FF:FF:FF:FF &> /dev/null
641	# Create chain with 4-8 key blocks (ip_proto, src & dst MAC, IPv4 dest)
642	tc chain add dev $h2 ingress chain 3 protocol ip flower \
643		ip_proto tcp \
644		dst_mac 00:00:00:00:00:00/FF:FF:FF:FF:FF:FF \
645		src_mac 00:00:00:00:00:00/FF:FF:FF:FF:FF:FF \
646		dst_ip 0.0.0.0/32 &> /dev/null
647	# Default chain contains all fields and therefore is 8-12 key blocks
648	tc chain add dev $h2 ingress chain 4
649
650	# We need at least 2 rules in every region to have eRP table active
651	# so create a dummy rule per chain using a different pattern
652	for i in $(eval echo {0..$NUM_CHAINS}); do
653		index=$((BASE_INDEX - 1 - i))
654		tc filter add dev $h2 ingress chain $i protocol ip \
655			pref 2 handle $index flower \
656			$tcflags ip_proto tcp action drop
657	done
658
659	# Add rules to test Bloom filter, each in a different chain
660	index=$BASE_INDEX
661	tc filter add dev $h2 ingress protocol ip \
662		pref 1 handle $((++index)) flower \
663		$tcflags dst_ip 192.0.0.0/16 action goto chain 1
664	tc filter add dev $h2 ingress chain 1 protocol ip \
665		pref 1 handle $((++index)) flower \
666		$tcflags action goto chain 2
667	tc filter add dev $h2 ingress chain 2 protocol ip \
668		pref 1 handle $((++index)) flower \
669		$tcflags src_mac $h1mac action goto chain 3
670	tc filter add dev $h2 ingress chain 3 protocol ip \
671		pref 1 handle $((++index)) flower \
672		$tcflags dst_ip 192.0.0.0/8 action goto chain 4
673	tc filter add dev $h2 ingress chain 4 protocol ip \
674		pref 1 handle $((++index)) flower \
675		$tcflags src_ip 192.0.2.0/24 action drop
676
677	# Send a packet that is supposed to hit all chains
678	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
679		-t ip -q
680
681	for i in $(eval echo {0..$NUM_CHAINS}); do
682		index=$((BASE_INDEX + i + 1))
683		tc_check_packets "dev $h2 ingress" $index 1
684		check_err $? "Did not match chain $i"
685	done
686
687	# Rules cleanup
688	for i in $(eval echo {$NUM_CHAINS..0}); do
689		index=$((BASE_INDEX - i - 1))
690		tc filter del dev $h2 ingress chain $i \
691			pref 2 handle $index flower
692		index=$((BASE_INDEX + i + 1))
693		tc filter del dev $h2 ingress chain $i \
694			pref 1 handle $index flower
695	done
696
697	# Chains cleanup
698	for i in $(eval echo {$NUM_CHAINS..1}); do
699		tc chain del dev $h2 ingress chain $i
700	done
701
702	log_test "bloom complex test ($tcflags)"
703}
704
705
706bloom_delta_test()
707{
708	# When multiple masks are used, the eRP table is activated. When
709	# masks are close enough (delta) the masks reside on the same
710	# eRP table. This test verifies that the eRP table is correctly
711	# allocated and used in delta condition and that Bloom filter is
712	# still functional with delta.
713
714	RET=0
715
716	tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \
717		$tcflags dst_ip 192.1.0.0/16 action drop
718
719	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.1.2.1 -B 192.1.2.2 \
720		-t ip -q
721
722	tc_check_packets "dev $h2 ingress" 103 1
723	check_err $? "Single filter - did not match"
724
725	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
726		$tcflags dst_ip 192.2.1.0/24 action drop
727
728	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.2.1.1 -B 192.2.1.2 \
729		-t ip -q
730
731	tc_check_packets "dev $h2 ingress" 102 1
732	check_err $? "Delta filters - did not match second filter"
733
734	tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower
735	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
736
737	log_test "bloom delta test ($tcflags)"
738}
739
740setup_prepare()
741{
742	h1=${NETIFS[p1]}
743	h2=${NETIFS[p2]}
744	h1mac=$(mac_get $h1)
745	h2mac=$(mac_get $h2)
746
747	vrf_prepare
748
749	h1_create
750	h2_create
751}
752
753cleanup()
754{
755	pre_cleanup
756
757	h2_destroy
758	h1_destroy
759
760	vrf_cleanup
761}
762
763trap cleanup EXIT
764
765setup_prepare
766setup_wait
767
768tests_run
769
770if ! tc_offload_check; then
771	check_err 1 "Could not test offloaded functionality"
772	log_test "mlxsw-specific tests for tc flower"
773	exit
774else
775	tcflags="skip_sw"
776	tests_run
777fi
778
779exit $EXIT_STATUS
780