xref: /linux/tools/testing/selftests/drivers/net/mlxsw/tc_restrictions.sh (revision 65d2dbb300197839eafc4171cfeb57a14c452724) 
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3
4lib_dir=$(dirname $0)/../../../net/forwarding
5
6ALL_TESTS="
7	shared_block_drop_test
8	egress_redirect_test
9	multi_mirror_test
10	matchall_sample_egress_test
11	matchall_mirror_behind_flower_ingress_test
12	matchall_sample_behind_flower_ingress_test
13	matchall_mirror_behind_flower_egress_test
14	police_limits_test
15	multi_police_test
16"
17NUM_NETIFS=2
18
19source $lib_dir/tc_common.sh
20source $lib_dir/lib.sh
21source $lib_dir/devlink_lib.sh
22
23switch_create()
24{
25	simple_if_init $swp1 192.0.2.1/24
26	simple_if_init $swp2 192.0.2.2/24
27}
28
29switch_destroy()
30{
31	simple_if_fini $swp2 192.0.2.2/24
32	simple_if_fini $swp1 192.0.2.1/24
33}
34
35shared_block_drop_test()
36{
37	RET=0
38
39	# It is forbidden in mlxsw driver to have mixed-bound
40	# shared block with a drop rule.
41
42	tc qdisc add dev $swp1 ingress_block 22 clsact
43	check_err $? "Failed to create clsact with ingress block"
44
45	tc filter add block 22 protocol ip pref 1 handle 101 flower \
46		skip_sw dst_ip 192.0.2.2 action drop
47	check_err $? "Failed to add drop rule to ingress bound block"
48
49	tc qdisc add dev $swp2 ingress_block 22 clsact
50	check_err $? "Failed to create another clsact with ingress shared block"
51
52	tc qdisc del dev $swp2 clsact
53
54	tc qdisc add dev $swp2 egress_block 22 clsact
55	check_fail $? "Incorrect success to create another clsact with egress shared block"
56
57	tc filter del block 22 protocol ip pref 1 handle 101 flower
58
59	tc qdisc add dev $swp2 egress_block 22 clsact
60	check_err $? "Failed to create another clsact with egress shared block after blocker drop rule removed"
61
62	tc filter add block 22 protocol ip pref 1 handle 101 flower \
63		skip_sw dst_ip 192.0.2.2 action drop
64	check_fail $? "Incorrect success to add drop rule to mixed bound block"
65
66	tc qdisc del dev $swp1 clsact
67
68	tc qdisc add dev $swp1 egress_block 22 clsact
69	check_err $? "Failed to create another clsact with egress shared block"
70
71	tc filter add block 22 protocol ip pref 1 handle 101 flower \
72		skip_sw dst_ip 192.0.2.2 action drop
73	check_err $? "Failed to add drop rule to egress bound shared block"
74
75	tc filter del block 22 protocol ip pref 1 handle 101 flower
76
77	tc qdisc del dev $swp2 clsact
78	tc qdisc del dev $swp1 clsact
79
80	log_test "shared block drop"
81}
82
83egress_redirect_test()
84{
85	RET=0
86
87	# It is forbidden in mlxsw driver to have mirred redirect on
88	# egress-bound block.
89
90	tc qdisc add dev $swp1 ingress_block 22 clsact
91	check_err $? "Failed to create clsact with ingress block"
92
93	tc filter add block 22 protocol ip pref 1 handle 101 flower \
94		skip_sw dst_ip 192.0.2.2 \
95		action mirred egress redirect dev $swp2
96	check_err $? "Failed to add redirect rule to ingress bound block"
97
98	tc qdisc add dev $swp2 ingress_block 22 clsact
99	check_err $? "Failed to create another clsact with ingress shared block"
100
101	tc qdisc del dev $swp2 clsact
102
103	tc qdisc add dev $swp2 egress_block 22 clsact
104	check_fail $? "Incorrect success to create another clsact with egress shared block"
105
106	tc filter del block 22 protocol ip pref 1 handle 101 flower
107
108	tc qdisc add dev $swp2 egress_block 22 clsact
109	check_err $? "Failed to create another clsact with egress shared block after blocker redirect rule removed"
110
111	tc filter add block 22 protocol ip pref 1 handle 101 flower \
112		skip_sw dst_ip 192.0.2.2 \
113		action mirred egress redirect dev $swp2
114	check_fail $? "Incorrect success to add redirect rule to mixed bound block"
115
116	tc qdisc del dev $swp1 clsact
117
118	tc qdisc add dev $swp1 egress_block 22 clsact
119	check_err $? "Failed to create another clsact with egress shared block"
120
121	tc filter add block 22 protocol ip pref 1 handle 101 flower \
122		skip_sw dst_ip 192.0.2.2 \
123		action mirred egress redirect dev $swp2
124	check_fail $? "Incorrect success to add redirect rule to egress bound shared block"
125
126	tc qdisc del dev $swp2 clsact
127
128	tc filter add block 22 protocol ip pref 1 handle 101 flower \
129		skip_sw dst_ip 192.0.2.2 \
130		action mirred egress redirect dev $swp2
131	check_fail $? "Incorrect success to add redirect rule to egress bound block"
132
133	tc qdisc del dev $swp1 clsact
134
135	log_test "shared block drop"
136}
137
138multi_mirror_test()
139{
140	RET=0
141
142	# It is forbidden in mlxsw driver to have multiple mirror
143	# actions in a single rule.
144
145	tc qdisc add dev $swp1 clsact
146
147	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
148		skip_sw dst_ip 192.0.2.2 \
149		action mirred egress mirror dev $swp2
150	check_err $? "Failed to add rule with single mirror action"
151
152	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
153
154	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
155		skip_sw dst_ip 192.0.2.2 \
156		action mirred egress mirror dev $swp2 \
157		action mirred egress mirror dev $swp1
158	check_fail $? "Incorrect success to add rule with two mirror actions"
159
160	tc qdisc del dev $swp1 clsact
161
162	log_test "multi mirror"
163}
164
165matchall_sample_egress_test()
166{
167	RET=0
168
169	# It is forbidden in mlxsw driver to have matchall with sample action
170	# bound on egress. Spectrum-1 specific restriction
171	[[ "$DEVLINK_VIDDID" != "15b3:cb84" ]] && return
172
173	tc qdisc add dev $swp1 clsact
174
175	tc filter add dev $swp1 ingress protocol all pref 1 handle 101 \
176		matchall skip_sw action sample rate 100 group 1
177	check_err $? "Failed to add rule with sample action on ingress"
178
179	tc filter del dev $swp1 ingress protocol all pref 1 handle 101 matchall
180
181	tc filter add dev $swp1 egress protocol all pref 1 handle 101 \
182		matchall skip_sw action sample rate 100 group 1
183	check_fail $? "Incorrect success to add rule with sample action on egress"
184
185	tc qdisc del dev $swp1 clsact
186
187	log_test "matchall sample egress"
188}
189
190matchall_behind_flower_ingress_test()
191{
192	local action=$1
193	local action_args=$2
194
195	RET=0
196
197	# On ingress, all matchall-mirror and matchall-sample
198	# rules have to be in front of the flower rules
199
200	tc qdisc add dev $swp1 clsact
201
202	tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \
203		skip_sw dst_ip 192.0.2.2 action drop
204
205	tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \
206		matchall skip_sw action $action_args
207	check_err $? "Failed to add matchall rule in front of a flower rule"
208
209	tc filter del dev $swp1 ingress protocol all pref 9 handle 102 matchall
210
211	tc filter add dev $swp1 ingress protocol all pref 11 handle 102 \
212		matchall skip_sw action $action_args
213	check_fail $? "Incorrect success to add matchall rule behind a flower rule"
214
215	tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower
216
217	tc filter add dev $swp1 ingress protocol all pref 9 handle 102 \
218		matchall skip_sw action $action_args
219
220	tc filter add dev $swp1 ingress protocol ip pref 10 handle 101 flower \
221		skip_sw dst_ip 192.0.2.2 action drop
222	check_err $? "Failed to add flower rule behind a matchall rule"
223
224	tc filter del dev $swp1 ingress protocol ip pref 10 handle 101 flower
225
226	tc filter add dev $swp1 ingress protocol ip pref 8 handle 101 flower \
227		skip_sw dst_ip 192.0.2.2 action drop
228	check_fail $? "Incorrect success to add flower rule in front of a matchall rule"
229
230	tc qdisc del dev $swp1 clsact
231
232	log_test "matchall $action flower ingress"
233}
234
235matchall_mirror_behind_flower_ingress_test()
236{
237	matchall_behind_flower_ingress_test "mirror" "mirred egress mirror dev $swp2"
238}
239
240matchall_sample_behind_flower_ingress_test()
241{
242	matchall_behind_flower_ingress_test "sample" "sample rate 100 group 1"
243}
244
245matchall_behind_flower_egress_test()
246{
247	local action=$1
248	local action_args=$2
249
250	RET=0
251
252	# On egress, all matchall-mirror rules have to be behind the flower rules
253
254	tc qdisc add dev $swp1 clsact
255
256	tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \
257		skip_sw dst_ip 192.0.2.2 action drop
258
259	tc filter add dev $swp1 egress protocol all pref 11 handle 102 \
260		matchall skip_sw action $action_args
261	check_err $? "Failed to add matchall rule in front of a flower rule"
262
263	tc filter del dev $swp1 egress protocol all pref 11 handle 102 matchall
264
265	tc filter add dev $swp1 egress protocol all pref 9 handle 102 \
266		matchall skip_sw action $action_args
267	check_fail $? "Incorrect success to add matchall rule behind a flower rule"
268
269	tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower
270
271	tc filter add dev $swp1 egress protocol all pref 11 handle 102 \
272		matchall skip_sw action $action_args
273
274	tc filter add dev $swp1 egress protocol ip pref 10 handle 101 flower \
275		skip_sw dst_ip 192.0.2.2 action drop
276	check_err $? "Failed to add flower rule behind a matchall rule"
277
278	tc filter del dev $swp1 egress protocol ip pref 10 handle 101 flower
279
280	tc filter add dev $swp1 egress protocol ip pref 12 handle 101 flower \
281		skip_sw dst_ip 192.0.2.2 action drop
282	check_fail $? "Incorrect success to add flower rule in front of a matchall rule"
283
284	tc qdisc del dev $swp1 clsact
285
286	log_test "matchall $action flower egress"
287}
288
289matchall_mirror_behind_flower_egress_test()
290{
291	matchall_behind_flower_egress_test "mirror" "mirred egress mirror dev $swp2"
292}
293
294police_limits_test()
295{
296	RET=0
297
298	tc qdisc add dev $swp1 clsact
299
300	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
301		flower skip_sw \
302		action police rate 0.5kbit burst 1m conform-exceed drop/ok
303	check_fail $? "Incorrect success to add police action with too low rate"
304
305	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
306		flower skip_sw \
307		action police rate 2.5tbit burst 1g conform-exceed drop/ok
308	check_fail $? "Incorrect success to add police action with too high rate"
309
310	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
311		flower skip_sw \
312		action police rate 1.5kbit burst 1m conform-exceed drop/ok
313	check_err $? "Failed to add police action with low rate"
314
315	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
316
317	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
318		flower skip_sw \
319		action police rate 1.9tbit burst 1g conform-exceed drop/ok
320	check_err $? "Failed to add police action with high rate"
321
322	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
323
324	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
325		flower skip_sw \
326		action police rate 1.5kbit burst 512b conform-exceed drop/ok
327	check_fail $? "Incorrect success to add police action with too low burst size"
328
329	tc filter add dev $swp1 ingress pref 1 proto ip handle 101 \
330		flower skip_sw \
331		action police rate 1.5kbit burst 2k conform-exceed drop/ok
332	check_err $? "Failed to add police action with low burst size"
333
334	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
335
336	tc qdisc del dev $swp1 clsact
337
338	log_test "police rate and burst limits"
339}
340
341multi_police_test()
342{
343	RET=0
344
345	# It is forbidden in mlxsw driver to have multiple police
346	# actions in a single rule.
347
348	tc qdisc add dev $swp1 clsact
349
350	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \
351		flower skip_sw \
352		action police rate 100mbit burst 100k conform-exceed drop/ok
353	check_err $? "Failed to add rule with single police action"
354
355	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
356
357	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 \
358		flower skip_sw \
359		action police rate 100mbit burst 100k conform-exceed drop/pipe \
360		action police rate 200mbit burst 200k conform-exceed drop/ok
361	check_fail $? "Incorrect success to add rule with two police actions"
362
363	tc qdisc del dev $swp1 clsact
364
365	log_test "multi police"
366}
367
368setup_prepare()
369{
370	swp1=${NETIFS[p1]}
371	swp2=${NETIFS[p2]}
372
373	vrf_prepare
374
375	switch_create
376}
377
378cleanup()
379{
380	pre_cleanup
381
382	switch_destroy
383
384	vrf_cleanup
385}
386
387check_tc_shblock_support
388
389trap cleanup EXIT
390
391setup_prepare
392setup_wait
393
394tests_run
395
396exit $EXIT_STATUS
397