[linux-2.6-block.git] / tools / testing / selftests / net / forwarding / tc_actions.sh

#!/bin/bash
# SPDX-License-Identifier: GPL-2.0

ALL_TESTS="gact_drop_and_ok_test mirred_egress_redirect_test \
	mirred_egress_mirror_test matchall_mirred_egress_mirror_test \
	gact_trap_test mirred_egress_to_ingress_test"
NUM_NETIFS=4
source tc_common.sh
source lib.sh

tcflags="skip_hw"

h1_create()
{
	simple_if_init $h1 192.0.2.1/24
	tc qdisc add dev $h1 clsact
}

h1_destroy()
{
	tc qdisc del dev $h1 clsact
	simple_if_fini $h1 192.0.2.1/24
}

h2_create()
{
	simple_if_init $h2 192.0.2.2/24
	tc qdisc add dev $h2 clsact
}

h2_destroy()
{
	tc qdisc del dev $h2 clsact
	simple_if_fini $h2 192.0.2.2/24
}

switch_create()
{
	simple_if_init $swp1 192.0.2.2/24
	tc qdisc add dev $swp1 clsact

	simple_if_init $swp2 192.0.2.1/24
}

switch_destroy()
{
	simple_if_fini $swp2 192.0.2.1/24

	tc qdisc del dev $swp1 clsact
	simple_if_fini $swp1 192.0.2.2/24
}

mirred_egress_test()
{
	local action=$1
	local protocol=$2
	local classifier=$3
	local classifier_args=$4

	RET=0

	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
		dst_ip 192.0.2.2 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_fail $? "Matched without redirect rule inserted"

	tc filter add dev $swp1 ingress protocol $protocol pref 1 handle 101 \
		$classifier $tcflags $classifier_args \
		action mirred egress $action dev $swp2

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_err $? "Did not match incoming $action packet"

	tc filter del dev $swp1 ingress protocol $protocol pref 1 handle 101 \
		$classifier
	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower

	log_test "mirred egress $classifier $action ($tcflags)"
}

gact_drop_and_ok_test()
{
	RET=0

	tc filter add dev $swp1 ingress protocol ip pref 2 handle 102 flower \
		$tcflags dst_ip 192.0.2.2 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $swp1 ingress" 102 1
	check_err $? "Packet was not dropped"

	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
		$tcflags dst_ip 192.0.2.2 action ok

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $swp1 ingress" 101 1
	check_err $? "Did not see passed packet"

	tc_check_packets "dev $swp1 ingress" 102 2
	check_fail $? "Packet was dropped and it should not reach here"

	tc filter del dev $swp1 ingress protocol ip pref 2 handle 102 flower
	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower

	log_test "gact drop and ok ($tcflags)"
}

gact_trap_test()
{
	RET=0

	if [[ "$tcflags" != "skip_sw" ]]; then
		return 0;
	fi

	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
		skip_hw dst_ip 192.0.2.2 action drop
	tc filter add dev $swp1 ingress protocol ip pref 3 handle 103 flower \
		$tcflags dst_ip 192.0.2.2 action mirred egress redirect \
		dev $swp2

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $swp1 ingress" 101 1
	check_fail $? "Saw packet without trap rule inserted"

	tc filter add dev $swp1 ingress protocol ip pref 2 handle 102 flower \
		$tcflags dst_ip 192.0.2.2 action trap

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $swp1 ingress" 102 1
	check_err $? "Packet was not trapped"

	tc_check_packets "dev $swp1 ingress" 101 1
	check_err $? "Did not see trapped packet"

	tc filter del dev $swp1 ingress protocol ip pref 3 handle 103 flower
	tc filter del dev $swp1 ingress protocol ip pref 2 handle 102 flower
	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower

	log_test "trap ($tcflags)"
}

mirred_egress_to_ingress_test()
{
	RET=0

	tc filter add dev $h1 protocol ip pref 100 handle 100 egress flower \
		ip_proto icmp src_ip 192.0.2.1 dst_ip 192.0.2.2 type 8 action \
			ct commit nat src addr 192.0.2.2 pipe \
			ct clear pipe \
			ct commit nat dst addr 192.0.2.1 pipe \
			mirred ingress redirect dev $h1

	tc filter add dev $swp1 protocol ip pref 11 handle 111 ingress flower \
		ip_proto icmp src_ip 192.0.2.1 dst_ip 192.0.2.2 type 8 action drop
	tc filter add dev $swp1 protocol ip pref 12 handle 112 ingress flower \
		ip_proto icmp src_ip 192.0.2.1 dst_ip 192.0.2.2 type 0 action pass

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t icmp "ping,id=42,seq=10" -q

	tc_check_packets "dev $h1 egress" 100 1
	check_err $? "didn't mirror first packet"

	tc_check_packets "dev $swp1 ingress" 111 1
	check_fail $? "didn't redirect first packet"
	tc_check_packets "dev $swp1 ingress" 112 1
	check_err $? "didn't receive reply to first packet"

	ping 192.0.2.2 -I$h1 -c1 -w1 -q 1>/dev/null 2>&1

	tc_check_packets "dev $h1 egress" 100 2
	check_err $? "didn't mirror second packet"
	tc_check_packets "dev $swp1 ingress" 111 1
	check_fail $? "didn't redirect second packet"
	tc_check_packets "dev $swp1 ingress" 112 2
	check_err $? "didn't receive reply to second packet"

	tc filter del dev $h1 egress protocol ip pref 100 handle 100 flower
	tc filter del dev $swp1 ingress protocol ip pref 11 handle 111 flower
	tc filter del dev $swp1 ingress protocol ip pref 12 handle 112 flower

	log_test "mirred_egress_to_ingress ($tcflags)"
}

setup_prepare()
{
	h1=${NETIFS[p1]}
	swp1=${NETIFS[p2]}

	swp2=${NETIFS[p3]}
	h2=${NETIFS[p4]}

	h1mac=$(mac_get $h1)
	h2mac=$(mac_get $h2)

	swp1origmac=$(mac_get $swp1)
	swp2origmac=$(mac_get $swp2)
	ip link set $swp1 address $h2mac
	ip link set $swp2 address $h1mac

	vrf_prepare

	h1_create
	h2_create
	switch_create
}

cleanup()
{
	pre_cleanup

	switch_destroy
	h2_destroy
	h1_destroy

	vrf_cleanup

	ip link set $swp2 address $swp2origmac
	ip link set $swp1 address $swp1origmac
}

mirred_egress_redirect_test()
{
	mirred_egress_test "redirect" "ip" "flower" "dst_ip 192.0.2.2"
}

mirred_egress_mirror_test()
{
	mirred_egress_test "mirror" "ip" "flower" "dst_ip 192.0.2.2"
}

matchall_mirred_egress_mirror_test()
{
	mirred_egress_test "mirror" "all" "matchall" ""
}

trap cleanup EXIT

setup_prepare
setup_wait

tests_run

tc_offload_check
if [[ $? -ne 0 ]]; then
	log_info "Could not test offloaded functionality"
else
	tcflags="skip_sw"
	tests_run
fi

exit $EXIT_STATUS
Commit	Line	Data
bc13af29 JP	1	#!/bin/bash
	2	# SPDX-License-Identifier: GPL-2.0
	3
0eb8053c	4	ALL_TESTS="gact_drop_and_ok_test mirred_egress_redirect_test \
075c8aa7	5	mirred_egress_mirror_test matchall_mirred_egress_mirror_test \
1d127eff	6	gact_trap_test mirred_egress_to_ingress_test"
bc13af29	7	NUM_NETIFS=4
bc13af29	8	source tc_common.sh
198979be	9	source lib.sh
bc13af29 JP	10
	11	tcflags="skip_hw"
	12
	13	h1_create()
	14	{
	15	simple_if_init $h1 192.0.2.1/24
1d127eff	16	tc qdisc add dev $h1 clsact
bc13af29 JP	17	}
	18
	19	h1_destroy()
	20	{
1d127eff	21	tc qdisc del dev $h1 clsact
bc13af29 JP	22	simple_if_fini $h1 192.0.2.1/24
	23	}
	24
	25	h2_create()
	26	{
	27	simple_if_init $h2 192.0.2.2/24
	28	tc qdisc add dev $h2 clsact
	29	}
	30
	31	h2_destroy()
	32	{
	33	tc qdisc del dev $h2 clsact
	34	simple_if_fini $h2 192.0.2.2/24
	35	}
	36
	37	switch_create()
	38	{
	39	simple_if_init $swp1 192.0.2.2/24
	40	tc qdisc add dev $swp1 clsact
	41
	42	simple_if_init $swp2 192.0.2.1/24
	43	}
	44
	45	switch_destroy()
	46	{
	47	simple_if_fini $swp2 192.0.2.1/24
	48
	49	tc qdisc del dev $swp1 clsact
	50	simple_if_fini $swp1 192.0.2.2/24
	51	}
	52
200066a5	53	mirred_egress_test()
bc13af29	54	{
200066a5	55	local action=$1
075c8aa7 JP	56	local protocol=$2
	57	local classifier=$3
	58	local classifier_args=$4
200066a5	59
bc13af29 JP	60	RET=0
	61
	62	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
b57c7e8b	63	dst_ip 192.0.2.2 action drop
bc13af29 JP	64
	65	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
	66	-t ip -q
	67
	68	tc_check_packets "dev $h2 ingress" 101 1
	69	check_fail $? "Matched without redirect rule inserted"
	70
075c8aa7 JP	71	tc filter add dev $swp1 ingress protocol $protocol pref 1 handle 101 \
	72	$classifier $tcflags $classifier_args \
	73	action mirred egress $action dev $swp2
bc13af29 JP	74
	75	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
	76	-t ip -q
	77
	78	tc_check_packets "dev $h2 ingress" 101 1
200066a5	79	check_err $? "Did not match incoming $action packet"
bc13af29	80
075c8aa7 JP	81	tc filter del dev $swp1 ingress protocol $protocol pref 1 handle 101 \
075c8aa7 JP	82	$classifier
bc13af29 JP	83	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
bc13af29 JP	84
075c8aa7	85	log_test "mirred egress $classifier $action ($tcflags)"
bc13af29 JP	86	}
	87
	88	gact_drop_and_ok_test()
	89	{
	90	RET=0
	91
	92	tc filter add dev $swp1 ingress protocol ip pref 2 handle 102 flower \
dff58a09	93	$tcflags dst_ip 192.0.2.2 action drop
bc13af29 JP	94
	95	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
	96	-t ip -q
	97
	98	tc_check_packets "dev $swp1 ingress" 102 1
	99	check_err $? "Packet was not dropped"
	100
	101	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
	102	$tcflags dst_ip 192.0.2.2 action ok
	103
	104	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
	105	-t ip -q
	106
	107	tc_check_packets "dev $swp1 ingress" 101 1
0c17db05 JP	108	check_err $? "Did not see passed packet"
	109
	110	tc_check_packets "dev $swp1 ingress" 102 2
	111	check_fail $? "Packet was dropped and it should not reach here"
bc13af29 JP	112
	113	tc filter del dev $swp1 ingress protocol ip pref 2 handle 102 flower
	114	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
	115
	116	log_test "gact drop and ok ($tcflags)"
	117	}
	118
	119	gact_trap_test()
	120	{
	121	RET=0
	122
0eb8053c IS	123	if [[ "$tcflags" != "skip_sw" ]]; then
	124	return 0;
	125	fi
	126
bc13af29 JP	127	tc filter add dev $swp1 ingress protocol ip pref 1 handle 101 flower \
	128	skip_hw dst_ip 192.0.2.2 action drop
	129	tc filter add dev $swp1 ingress protocol ip pref 3 handle 103 flower \
	130	$tcflags dst_ip 192.0.2.2 action mirred egress redirect \
	131	dev $swp2
	132
	133	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
	134	-t ip -q
	135
	136	tc_check_packets "dev $swp1 ingress" 101 1
	137	check_fail $? "Saw packet without trap rule inserted"
	138
	139	tc filter add dev $swp1 ingress protocol ip pref 2 handle 102 flower \
	140	$tcflags dst_ip 192.0.2.2 action trap
	141
	142	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
	143	-t ip -q
	144
	145	tc_check_packets "dev $swp1 ingress" 102 1
	146	check_err $? "Packet was not trapped"
	147
	148	tc_check_packets "dev $swp1 ingress" 101 1
	149	check_err $? "Did not see trapped packet"
	150
	151	tc filter del dev $swp1 ingress protocol ip pref 3 handle 103 flower
	152	tc filter del dev $swp1 ingress protocol ip pref 2 handle 102 flower
	153	tc filter del dev $swp1 ingress protocol ip pref 1 handle 101 flower
	154
	155	log_test "trap ($tcflags)"
	156	}
	157
1d127eff DC	158	mirred_egress_to_ingress_test()
	159	{
	160	RET=0
	161
	162	tc filter add dev $h1 protocol ip pref 100 handle 100 egress flower \
	163	ip_proto icmp src_ip 192.0.2.1 dst_ip 192.0.2.2 type 8 action \
	164	ct commit nat src addr 192.0.2.2 pipe \
	165	ct clear pipe \
	166	ct commit nat dst addr 192.0.2.1 pipe \
	167	mirred ingress redirect dev $h1
	168
	169	tc filter add dev $swp1 protocol ip pref 11 handle 111 ingress flower \
	170	ip_proto icmp src_ip 192.0.2.1 dst_ip 192.0.2.2 type 8 action drop
	171	tc filter add dev $swp1 protocol ip pref 12 handle 112 ingress flower \
	172	ip_proto icmp src_ip 192.0.2.1 dst_ip 192.0.2.2 type 0 action pass
	173
	174	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
	175	-t icmp "ping,id=42,seq=10" -q
	176
	177	tc_check_packets "dev $h1 egress" 100 1
	178	check_err $? "didn't mirror first packet"
	179
	180	tc_check_packets "dev $swp1 ingress" 111 1
	181	check_fail $? "didn't redirect first packet"
	182	tc_check_packets "dev $swp1 ingress" 112 1
	183	check_err $? "didn't receive reply to first packet"
	184
	185	ping 192.0.2.2 -I$h1 -c1 -w1 -q 1>/dev/null 2>&1
	186
	187	tc_check_packets "dev $h1 egress" 100 2
	188	check_err $? "didn't mirror second packet"
	189	tc_check_packets "dev $swp1 ingress" 111 1
	190	check_fail $? "didn't redirect second packet"
	191	tc_check_packets "dev $swp1 ingress" 112 2
	192	check_err $? "didn't receive reply to second packet"
	193
	194	tc filter del dev $h1 egress protocol ip pref 100 handle 100 flower
	195	tc filter del dev $swp1 ingress protocol ip pref 11 handle 111 flower
	196	tc filter del dev $swp1 ingress protocol ip pref 12 handle 112 flower
	197
	198	log_test "mirred_egress_to_ingress ($tcflags)"
	199	}
	200
bc13af29 JP	201	setup_prepare()
	202	{
	203	h1=${NETIFS[p1]}
	204	swp1=${NETIFS[p2]}
	205
	206	swp2=${NETIFS[p3]}
	207	h2=${NETIFS[p4]}
	208
	209	h1mac=$(mac_get $h1)
	210	h2mac=$(mac_get $h2)
	211
	212	swp1origmac=$(mac_get $swp1)
	213	swp2origmac=$(mac_get $swp2)
	214	ip link set $swp1 address $h2mac
	215	ip link set $swp2 address $h1mac
	216
	217	vrf_prepare
	218
	219	h1_create
	220	h2_create
	221	switch_create
	222	}
	223
	224	cleanup()
	225	{
	226	pre_cleanup
	227
	228	switch_destroy
	229	h2_destroy
	230	h1_destroy
	231
	232	vrf_cleanup
	233
	234	ip link set $swp2 address $swp2origmac
	235	ip link set $swp1 address $swp1origmac
	236	}
	237
0eb8053c IS	238	mirred_egress_redirect_test()
0eb8053c IS	239	{
075c8aa7	240	mirred_egress_test "redirect" "ip" "flower" "dst_ip 192.0.2.2"
0eb8053c IS	241	}
	242
	243	mirred_egress_mirror_test()
	244	{
075c8aa7 JP	245	mirred_egress_test "mirror" "ip" "flower" "dst_ip 192.0.2.2"
	246	}
	247
	248	matchall_mirred_egress_mirror_test()
	249	{
	250	mirred_egress_test "mirror" "all" "matchall" ""
0eb8053c IS	251	}
0eb8053c IS	252
bc13af29 JP	253	trap cleanup EXIT
	254
	255	setup_prepare
	256	setup_wait
	257
0eb8053c	258	tests_run
bc13af29 JP	259
	260	tc_offload_check
	261	if [[ $? -ne 0 ]]; then
	262	log_info "Could not test offloaded functionality"
	263	else
	264	tcflags="skip_sw"
0eb8053c	265	tests_run
bc13af29 JP	266	fi
	267
	268	exit $EXIT_STATUS