#!/bin/bash # SPDX-License-Identifier: GPL-2.0 # Test for "tc action mirred egress mirror" when the underlay route points at a # vlan device on top of a bridge device with vlan filtering (802.1q). # # +---------------------+ +---------------------+ # | H1 | | H2 | # | + $h1 | | $h2 + | # | | 192.0.2.1/28 | | 192.0.2.2/28 | | # +-----|---------------+ +---------------|-----+ # | | # +-----|-------------------------------------------------------------|-----+ # | SW o--> mirred egress mirror dev {gt4,gt6} | | # | | | | # | +---|-------------------------------------------------------------|---+ | # | | + $swp1 br1 $swp2 + | | # | | | | # | | + $swp3 | | # | +---|-----------------------------------------------------------------+ | # | | | | # | | + br1.555 | # | | 192.0.2.130/28 | # | | 2001:db8:2::2/64 | # | | | # | | + gt6 (ip6gretap) + gt4 (gretap) | # | | : loc=2001:db8:2::1 : loc=192.0.2.129 | # | | : rem=2001:db8:2::2 : rem=192.0.2.130 | # | | : ttl=100 : ttl=100 | # | | : tos=inherit : tos=inherit | # | | : : | # +-----|---------------------:----------------------:----------------------+ # | : : # +-----|---------------------:----------------------:----------------------+ # | H3 + $h3 + h3-gt6 (ip6gretap) + h3-gt4 (gretap) | # | | loc=2001:db8:2::2 loc=192.0.2.130 | # | + $h3.555 rem=2001:db8:2::1 rem=192.0.2.129 | # | 192.0.2.130/28 ttl=100 ttl=100 | # | 2001:db8:2::2/64 tos=inherit tos=inherit | # | | # +-------------------------------------------------------------------------+ ALL_TESTS=" test_gretap test_ip6gretap test_gretap_forbidden_cpu test_ip6gretap_forbidden_cpu test_gretap_forbidden_egress test_ip6gretap_forbidden_egress test_gretap_untagged_egress test_ip6gretap_untagged_egress test_gretap_fdb_roaming test_ip6gretap_fdb_roaming test_gretap_stp test_ip6gretap_stp " NUM_NETIFS=6 source lib.sh source mirror_lib.sh source mirror_gre_lib.sh source mirror_gre_topo_lib.sh require_command $ARPING h3_addr_add_del() { local add_del=$1; shift local dev=$1; shift ip addr $add_del dev $dev 192.0.2.130/28 ip addr $add_del dev $dev 2001:db8:2::2/64 } setup_prepare() { h1=${NETIFS[p1]} swp1=${NETIFS[p2]} swp2=${NETIFS[p3]} h2=${NETIFS[p4]} swp3=${NETIFS[p5]} h3=${NETIFS[p6]} # gt4's remote address is at $h3.555, not $h3. Thus the packets arriving # directly to $h3 for test_gretap_untagged_egress() are rejected by # rp_filter and the test spuriously fails. sysctl_set net.ipv4.conf.all.rp_filter 0 sysctl_set net.ipv4.conf.$h3.rp_filter 0 vrf_prepare mirror_gre_topo_create vlan_create br1 555 "" 192.0.2.129/32 2001:db8:2::1/128 bridge vlan add dev br1 vid 555 self ip route rep 192.0.2.130/32 dev br1.555 ip -6 route rep 2001:db8:2::2/128 dev br1.555 vlan_create $h3 555 v$h3 h3_addr_add_del add $h3.555 ip link set dev $swp3 master br1 bridge vlan add dev $swp3 vid 555 bridge vlan add dev $swp2 vid 555 } cleanup() { pre_cleanup ip link set dev $swp2 nomaster ip link set dev $swp3 nomaster h3_addr_add_del del $h3.555 vlan_destroy $h3 555 vlan_destroy br1 555 mirror_gre_topo_destroy vrf_cleanup sysctl_restore net.ipv4.conf.$h3.rp_filter sysctl_restore net.ipv4.conf.all.rp_filter } test_vlan_match() { local tundev=$1; shift local vlan_match=$1; shift local what=$1; shift full_test_span_gre_dir_vlan $tundev ingress "$vlan_match" 8 0 "$what" full_test_span_gre_dir_vlan $tundev egress "$vlan_match" 0 8 "$what" } test_gretap() { test_vlan_match gt4 'skip_hw vlan_id 555 vlan_ethtype ip' \ "mirror to gretap" } test_ip6gretap() { test_vlan_match gt6 'skip_hw vlan_id 555 vlan_ethtype ipv6' \ "mirror to ip6gretap" } test_span_gre_forbidden_cpu() { local tundev=$1; shift local what=$1; shift RET=0 # Run the pass-test first, to prime neighbor table. mirror_install $swp1 ingress $tundev "matchall $tcflags" quick_test_span_gre_dir $tundev ingress # Now forbid the VLAN at the bridge and see it fail. bridge vlan del dev br1 vid 555 self sleep 1 fail_test_span_gre_dir $tundev ingress bridge vlan add dev br1 vid 555 self sleep 1 quick_test_span_gre_dir $tundev ingress mirror_uninstall $swp1 ingress log_test "$what: vlan forbidden at a bridge ($tcflags)" } test_gretap_forbidden_cpu() { test_span_gre_forbidden_cpu gt4 "mirror to gretap" } test_ip6gretap_forbidden_cpu() { test_span_gre_forbidden_cpu gt6 "mirror to ip6gretap" } test_span_gre_forbidden_egress() { local tundev=$1; shift local what=$1; shift RET=0 mirror_install $swp1 ingress $tundev "matchall $tcflags" quick_test_span_gre_dir $tundev ingress bridge vlan del dev $swp3 vid 555 sleep 1 fail_test_span_gre_dir $tundev ingress bridge vlan add dev $swp3 vid 555 # Re-prime FDB $ARPING -I br1.555 192.0.2.130 -fqc 1 sleep 1 quick_test_span_gre_dir $tundev ingress mirror_uninstall $swp1 ingress log_test "$what: vlan forbidden at a bridge egress ($tcflags)" } test_gretap_forbidden_egress() { test_span_gre_forbidden_egress gt4 "mirror to gretap" } test_ip6gretap_forbidden_egress() { test_span_gre_forbidden_egress gt6 "mirror to ip6gretap" } test_span_gre_untagged_egress() { local tundev=$1; shift local ul_proto=$1; shift local what=$1; shift RET=0 mirror_install $swp1 ingress $tundev "matchall $tcflags" quick_test_span_gre_dir $tundev ingress quick_test_span_vlan_dir $h3 555 ingress "$ul_proto" h3_addr_add_del del $h3.555 bridge vlan add dev $swp3 vid 555 pvid untagged h3_addr_add_del add $h3 sleep 5 quick_test_span_gre_dir $tundev ingress fail_test_span_vlan_dir $h3 555 ingress "$ul_proto" h3_addr_add_del del $h3 bridge vlan add dev $swp3 vid 555 h3_addr_add_del add $h3.555 sleep 5 quick_test_span_gre_dir $tundev ingress quick_test_span_vlan_dir $h3 555 ingress "$ul_proto" mirror_uninstall $swp1 ingress log_test "$what: vlan untagged at a bridge egress ($tcflags)" } test_gretap_untagged_egress() { test_span_gre_untagged_egress gt4 ip "mirror to gretap" } test_ip6gretap_untagged_egress() { test_span_gre_untagged_egress gt6 ipv6 "mirror to ip6gretap" } test_span_gre_fdb_roaming() { local tundev=$1; shift local what=$1; shift local h3mac=$(mac_get $h3) RET=0 mirror_install $swp1 ingress $tundev "matchall $tcflags" quick_test_span_gre_dir $tundev ingress while ((RET == 0)); do bridge fdb del dev $swp3 $h3mac vlan 555 master 2>/dev/null bridge fdb add dev $swp2 $h3mac vlan 555 master static sleep 1 fail_test_span_gre_dir $tundev ingress if ! bridge fdb sh dev $swp2 vlan 555 master \ | grep -q $h3mac; then printf "TEST: %-60s [RETRY]\n" \ "$what: MAC roaming ($tcflags)" # ARP or ND probably reprimed the FDB while the test # was running. We would get a spurious failure. RET=0 continue fi break done bridge fdb del dev $swp2 $h3mac vlan 555 master 2>/dev/null # Re-prime FDB $ARPING -I br1.555 192.0.2.130 -fqc 1 sleep 1 quick_test_span_gre_dir $tundev ingress mirror_uninstall $swp1 ingress log_test "$what: MAC roaming ($tcflags)" } test_gretap_fdb_roaming() { test_span_gre_fdb_roaming gt4 "mirror to gretap" } test_ip6gretap_fdb_roaming() { test_span_gre_fdb_roaming gt6 "mirror to ip6gretap" } test_gretap_stp() { full_test_span_gre_stp gt4 $swp3 "mirror to gretap" } test_ip6gretap_stp() { full_test_span_gre_stp gt6 $swp3 "mirror to ip6gretap" } test_all() { slow_path_trap_install $swp1 ingress slow_path_trap_install $swp1 egress tests_run slow_path_trap_uninstall $swp1 egress slow_path_trap_uninstall $swp1 ingress } trap cleanup EXIT setup_prepare setup_wait tcflags="skip_hw" test_all if ! tc_offload_check; then echo "WARN: Could not test offloaded functionality" else tcflags="skip_sw" test_all fi exit $EXIT_STATUS