xref: /linux/tools/testing/selftests/net/forwarding/tc_chains.sh (revision a1c3be890440a1769ed6f822376a3e3ab0d42994)
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3
4ALL_TESTS="unreachable_chain_test gact_goto_chain_test create_destroy_chain \
5	   template_filter_fits"
6NUM_NETIFS=2
7source tc_common.sh
8source lib.sh
9
10tcflags="skip_hw"
11
12h1_create()
13{
14	simple_if_init $h1 192.0.2.1/24
15}
16
17h1_destroy()
18{
19	simple_if_fini $h1 192.0.2.1/24
20}
21
22h2_create()
23{
24	simple_if_init $h2 192.0.2.2/24
25	tc qdisc add dev $h2 clsact
26}
27
28h2_destroy()
29{
30	tc qdisc del dev $h2 clsact
31	simple_if_fini $h2 192.0.2.2/24
32}
33
34unreachable_chain_test()
35{
36	RET=0
37
38	tc filter add dev $h2 ingress chain 1 protocol ip pref 1 handle 1101 \
39		flower $tcflags dst_mac $h2mac action drop
40
41	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
42		-t ip -q
43
44	tc_check_packets "dev $h2 ingress" 1101 1
45	check_fail $? "matched on filter in unreachable chain"
46
47	tc filter del dev $h2 ingress chain 1 protocol ip pref 1 handle 1101 \
48		flower
49
50	log_test "unreachable chain ($tcflags)"
51}
52
53gact_goto_chain_test()
54{
55	RET=0
56
57	tc filter add dev $h2 ingress chain 1 protocol ip pref 1 handle 1101 \
58		flower $tcflags dst_mac $h2mac action drop
59	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
60		$tcflags dst_mac $h2mac action drop
61	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
62		$tcflags dst_mac $h2mac action goto chain 1
63
64	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
65		-t ip -q
66
67	tc_check_packets "dev $h2 ingress" 102 1
68	check_fail $? "Matched on a wrong filter"
69
70	tc_check_packets "dev $h2 ingress" 101 1
71	check_err $? "Did not match on correct filter with goto chain action"
72
73	tc_check_packets "dev $h2 ingress" 1101 1
74	check_err $? "Did not match on correct filter in chain 1"
75
76	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
77	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
78	tc filter del dev $h2 ingress chain 1 protocol ip pref 1 handle 1101 \
79		flower
80
81	log_test "gact goto chain ($tcflags)"
82}
83
84create_destroy_chain()
85{
86	RET=0
87
88	tc chain add dev $h2 ingress
89	check_err $? "Failed to create default chain"
90
91	output="$(tc -j chain get dev $h2 ingress)"
92	check_err $? "Failed to get default chain"
93
94	echo $output | jq -e ".[] | select(.chain == 0)" &> /dev/null
95	check_err $? "Unexpected output for default chain"
96
97	tc chain add dev $h2 ingress chain 1
98	check_err $? "Failed to create chain 1"
99
100	output="$(tc -j chain get dev $h2 ingress chain 1)"
101	check_err $? "Failed to get chain 1"
102
103	echo $output | jq -e ".[] | select(.chain == 1)" &> /dev/null
104	check_err $? "Unexpected output for chain 1"
105
106	output="$(tc -j chain show dev $h2 ingress)"
107	check_err $? "Failed to dump chains"
108
109	echo $output | jq -e ".[] | select(.chain == 0)" &> /dev/null
110	check_err $? "Can't find default chain in dump"
111
112	echo $output | jq -e ".[] | select(.chain == 1)" &> /dev/null
113	check_err $? "Can't find chain 1 in dump"
114
115	tc chain del dev $h2 ingress
116	check_err $? "Failed to destroy default chain"
117
118	tc chain del dev $h2 ingress chain 1
119	check_err $? "Failed to destroy chain 1"
120
121	log_test "create destroy chain"
122}
123
124template_filter_fits()
125{
126	RET=0
127
128	tc chain add dev $h2 ingress protocol ip \
129		flower dst_mac 00:00:00:00:00:00/FF:FF:FF:FF:FF:FF &> /dev/null
130	tc chain add dev $h2 ingress chain 1 protocol ip \
131		flower src_mac 00:00:00:00:00:00/FF:FF:FF:FF:FF:FF &> /dev/null
132
133	tc filter add dev $h2 ingress protocol ip pref 1 handle 1101 \
134		flower dst_mac $h2mac action drop
135	check_err $? "Failed to insert filter which fits template"
136
137	tc filter add dev $h2 ingress protocol ip pref 1 handle 1102 \
138		flower src_mac $h2mac action drop &> /dev/null
139	check_fail $? "Incorrectly succeeded to insert filter which does not template"
140
141	tc filter add dev $h2 ingress chain 1 protocol ip pref 1 handle 1101 \
142		flower src_mac $h2mac action drop
143	check_err $? "Failed to insert filter which fits template"
144
145	tc filter add dev $h2 ingress chain 1 protocol ip pref 1 handle 1102 \
146		flower dst_mac $h2mac action drop &> /dev/null
147	check_fail $? "Incorrectly succeeded to insert filter which does not template"
148
149	tc filter del dev $h2 ingress chain 1 protocol ip pref 1 handle 1102 \
150		flower &> /dev/null
151	tc filter del dev $h2 ingress chain 1 protocol ip pref 1 handle 1101 \
152		flower &> /dev/null
153
154	tc filter del dev $h2 ingress protocol ip pref 1 handle 1102 \
155		flower &> /dev/null
156	tc filter del dev $h2 ingress protocol ip pref 1 handle 1101 \
157		flower &> /dev/null
158
159	tc chain del dev $h2 ingress chain 1
160	tc chain del dev $h2 ingress
161
162	log_test "template filter fits"
163}
164
165setup_prepare()
166{
167	h1=${NETIFS[p1]}
168	h2=${NETIFS[p2]}
169	h1mac=$(mac_get $h1)
170	h2mac=$(mac_get $h2)
171
172	vrf_prepare
173
174	h1_create
175	h2_create
176}
177
178cleanup()
179{
180	pre_cleanup
181
182	h2_destroy
183	h1_destroy
184
185	vrf_cleanup
186}
187
188check_tc_chain_support
189
190trap cleanup EXIT
191
192setup_prepare
193setup_wait
194
195tests_run
196
197tc_offload_check
198if [[ $? -ne 0 ]]; then
199	log_info "Could not test offloaded functionality"
200else
201	tcflags="skip_sw"
202	tests_run
203fi
204
205exit $EXIT_STATUS
206