#!/bin/bash
# SPDX-License-Identifier: GPL-2.0

# Test for "tc action mirred egress mirror" when the underlay route points at a
# vlan device on top of a bridge device with vlan filtering (802.1q).
#
#   +---------------------+                             +---------------------+
#   | H1                  |                             |                  H2 |
#   |     + $h1           |                             |           $h2 +     |
#   |     | 192.0.2.1/28  |                             |  192.0.2.2/28 |     |
#   +-----|---------------+                             +---------------|-----+
#         |                                                             |
#   +-----|-------------------------------------------------------------|-----+
#   | SW  o--> mirred egress mirror dev {gt4,gt6}                       |     |
#   |     |                                                             |     |
#   | +---|-------------------------------------------------------------|---+ |
#   | |   + $swp1                    br1                          $swp2 +   | |
#   | |                                                                     | |
#   | |   + $swp3                                                           | |
#   | +---|-----------------------------------------------------------------+ |
#   |     |                        |                                          |
#   |     |                        + br1.555                                  |
#   |     |                          192.0.2.130/28                           |
#   |     |                          2001:db8:2::2/64                         |
#   |     |                                                                   |
#   |     |                     + gt6 (ip6gretap)      + gt4 (gretap)         |
#   |     |                     : loc=2001:db8:2::1    : loc=192.0.2.129      |
#   |     |                     : rem=2001:db8:2::2    : rem=192.0.2.130      |
#   |     |                     : ttl=100              : ttl=100              |
#   |     |                     : tos=inherit          : tos=inherit          |
#   |     |                     :                      :                      |
#   +-----|---------------------:----------------------:----------------------+
#         |                     :                      :
#   +-----|---------------------:----------------------:----------------------+
#   | H3  + $h3                 + h3-gt6 (ip6gretap)   + h3-gt4 (gretap)      |
#   |     |                       loc=2001:db8:2::2      loc=192.0.2.130      |
#   |     + $h3.555               rem=2001:db8:2::1      rem=192.0.2.129      |
#   |       192.0.2.130/28        ttl=100                ttl=100              |
#   |       2001:db8:2::2/64      tos=inherit            tos=inherit          |
#   |                                                                         |
#   +-------------------------------------------------------------------------+

ALL_TESTS="
	test_gretap
	test_ip6gretap
	test_gretap_forbidden_cpu
	test_ip6gretap_forbidden_cpu
	test_gretap_forbidden_egress
	test_ip6gretap_forbidden_egress
	test_gretap_untagged_egress
	test_ip6gretap_untagged_egress
	test_gretap_fdb_roaming
	test_ip6gretap_fdb_roaming
	test_gretap_stp
	test_ip6gretap_stp
"

NUM_NETIFS=6
source lib.sh
source mirror_lib.sh
source mirror_gre_lib.sh
source mirror_gre_topo_lib.sh

require_command $ARPING

h3_addr_add_del()
{
	local add_del=$1; shift
	local dev=$1; shift

	ip addr $add_del dev $dev 192.0.2.130/28
	ip addr $add_del dev $dev 2001:db8:2::2/64
}

setup_prepare()
{
	h1=${NETIFS[p1]}
	swp1=${NETIFS[p2]}

	swp2=${NETIFS[p3]}
	h2=${NETIFS[p4]}

	swp3=${NETIFS[p5]}
	h3=${NETIFS[p6]}

	# gt4's remote address is at $h3.555, not $h3. Thus the packets arriving
	# directly to $h3 for test_gretap_untagged_egress() are rejected by
	# rp_filter and the test spuriously fails.
	sysctl_set net.ipv4.conf.all.rp_filter 0
	sysctl_set net.ipv4.conf.$h3.rp_filter 0

	vrf_prepare
	mirror_gre_topo_create

	vlan_create br1 555 "" 192.0.2.129/32 2001:db8:2::1/128
	bridge vlan add dev br1 vid 555 self
	ip route rep 192.0.2.130/32 dev br1.555
	ip -6 route rep 2001:db8:2::2/128 dev br1.555

	vlan_create $h3 555 v$h3
	h3_addr_add_del add $h3.555

	ip link set dev $swp3 master br1
	bridge vlan add dev $swp3 vid 555
	bridge vlan add dev $swp2 vid 555
}

cleanup()
{
	pre_cleanup

	ip link set dev $swp2 nomaster
	ip link set dev $swp3 nomaster

	h3_addr_add_del del $h3.555
	vlan_destroy $h3 555
	vlan_destroy br1 555

	mirror_gre_topo_destroy
	vrf_cleanup

	sysctl_restore net.ipv4.conf.$h3.rp_filter
	sysctl_restore net.ipv4.conf.all.rp_filter
}

test_vlan_match()
{
	local tundev=$1; shift
	local vlan_match=$1; shift
	local what=$1; shift

	full_test_span_gre_dir_vlan $tundev ingress "$vlan_match" 8 0 "$what"
	full_test_span_gre_dir_vlan $tundev egress "$vlan_match" 0 8 "$what"
}

test_gretap()
{
	test_vlan_match gt4 'skip_hw vlan_id 555 vlan_ethtype ip' \
			"mirror to gretap"
}

test_ip6gretap()
{
	test_vlan_match gt6 'skip_hw vlan_id 555 vlan_ethtype ipv6' \
			"mirror to ip6gretap"
}

test_span_gre_forbidden_cpu()
{
	local tundev=$1; shift
	local what=$1; shift

	RET=0

	# Run the pass-test first, to prime neighbor table.
	mirror_install $swp1 ingress $tundev "matchall $tcflags"
	quick_test_span_gre_dir $tundev ingress

	# Now forbid the VLAN at the bridge and see it fail.
	bridge vlan del dev br1 vid 555 self
	sleep 1
	fail_test_span_gre_dir $tundev ingress

	bridge vlan add dev br1 vid 555 self
	sleep 1
	quick_test_span_gre_dir $tundev ingress

	mirror_uninstall $swp1 ingress

	log_test "$what: vlan forbidden at a bridge ($tcflags)"
}

test_gretap_forbidden_cpu()
{
	test_span_gre_forbidden_cpu gt4 "mirror to gretap"
}

test_ip6gretap_forbidden_cpu()
{
	test_span_gre_forbidden_cpu gt6 "mirror to ip6gretap"
}

test_span_gre_forbidden_egress()
{
	local tundev=$1; shift
	local what=$1; shift

	RET=0

	mirror_install $swp1 ingress $tundev "matchall $tcflags"
	quick_test_span_gre_dir $tundev ingress

	bridge vlan del dev $swp3 vid 555
	sleep 1
	fail_test_span_gre_dir $tundev ingress

	bridge vlan add dev $swp3 vid 555
	# Re-prime FDB
	$ARPING -I br1.555 192.0.2.130 -fqc 1
	sleep 1
	quick_test_span_gre_dir $tundev ingress

	mirror_uninstall $swp1 ingress

	log_test "$what: vlan forbidden at a bridge egress ($tcflags)"
}

test_gretap_forbidden_egress()
{
	test_span_gre_forbidden_egress gt4 "mirror to gretap"
}

test_ip6gretap_forbidden_egress()
{
	test_span_gre_forbidden_egress gt6 "mirror to ip6gretap"
}

test_span_gre_untagged_egress()
{
	local tundev=$1; shift
	local ul_proto=$1; shift
	local what=$1; shift

	RET=0

	mirror_install $swp1 ingress $tundev "matchall $tcflags"

	quick_test_span_gre_dir $tundev ingress
	quick_test_span_vlan_dir $h3 555 ingress "$ul_proto"

	h3_addr_add_del del $h3.555
	bridge vlan add dev $swp3 vid 555 pvid untagged
	h3_addr_add_del add $h3
	sleep 5

	quick_test_span_gre_dir $tundev ingress
	fail_test_span_vlan_dir $h3 555 ingress "$ul_proto"

	h3_addr_add_del del $h3
	bridge vlan add dev $swp3 vid 555
	h3_addr_add_del add $h3.555
	sleep 5

	quick_test_span_gre_dir $tundev ingress
	quick_test_span_vlan_dir $h3 555 ingress "$ul_proto"

	mirror_uninstall $swp1 ingress

	log_test "$what: vlan untagged at a bridge egress ($tcflags)"
}

test_gretap_untagged_egress()
{
	test_span_gre_untagged_egress gt4 ip "mirror to gretap"
}

test_ip6gretap_untagged_egress()
{
	test_span_gre_untagged_egress gt6 ipv6 "mirror to ip6gretap"
}

test_span_gre_fdb_roaming()
{
	local tundev=$1; shift
	local what=$1; shift
	local h3mac=$(mac_get $h3)

	RET=0

	mirror_install $swp1 ingress $tundev "matchall $tcflags"
	quick_test_span_gre_dir $tundev ingress

	while ((RET == 0)); do
		bridge fdb del dev $swp3 $h3mac vlan 555 master 2>/dev/null
		bridge fdb add dev $swp2 $h3mac vlan 555 master static
		sleep 1
		fail_test_span_gre_dir $tundev ingress

		if ! bridge fdb sh dev $swp2 vlan 555 master \
		    | grep -q $h3mac; then
			printf "TEST: %-60s  [RETRY]\n" \
				"$what: MAC roaming ($tcflags)"
			# ARP or ND probably reprimed the FDB while the test
			# was running. We would get a spurious failure.
			RET=0
			continue
		fi
		break
	done

	bridge fdb del dev $swp2 $h3mac vlan 555 master 2>/dev/null
	# Re-prime FDB
	$ARPING -I br1.555 192.0.2.130 -fqc 1
	sleep 1
	quick_test_span_gre_dir $tundev ingress

	mirror_uninstall $swp1 ingress

	log_test "$what: MAC roaming ($tcflags)"
}

test_gretap_fdb_roaming()
{
	test_span_gre_fdb_roaming gt4 "mirror to gretap"
}

test_ip6gretap_fdb_roaming()
{
	test_span_gre_fdb_roaming gt6 "mirror to ip6gretap"
}

test_gretap_stp()
{
	full_test_span_gre_stp gt4 $swp3 "mirror to gretap"
}

test_ip6gretap_stp()
{
	full_test_span_gre_stp gt6 $swp3 "mirror to ip6gretap"
}

test_all()
{
	slow_path_trap_install $swp1 ingress
	slow_path_trap_install $swp1 egress

	tests_run

	slow_path_trap_uninstall $swp1 egress
	slow_path_trap_uninstall $swp1 ingress
}

trap cleanup EXIT

setup_prepare
setup_wait

tcflags="skip_hw"
test_all

if ! tc_offload_check; then
	echo "WARN: Could not test offloaded functionality"
else
	tcflags="skip_sw"
	test_all
fi

exit $EXIT_STATUS