#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Test devlink-trap L3 drops functionality over mlxsw. Each registered L3 drop
# packet trap is tested to make sure it is triggered under the right
# conditions.
# +---------------------------------+
# | H1 (vrf) |
# | + $h1 |
# | | 192.0.2.1/24 |
# | | 2001:db8:1::1/64 |
# | | |
# | | default via 192.0.2.2 |
# | | default via 2001:db8:1::2 |
# +----|----------------------------+
# |
# +----|----------------------------------------------------------------------+
# | SW | |
# | + $rp1 |
# | 192.0.2.2/24 |
# | 2001:db8:1::2/64 |
# | |
# | 2001:db8:2::2/64 |
# | 198.51.100.2/24 |
# | + $rp2 |
# | | |
# +----|----------------------------------------------------------------------+
# |
# +----|----------------------------+
# | | default via 198.51.100.2 |
# | | default via 2001:db8:2::2 |
# | | |
# | | 2001:db8:2::1/64 |
# | | 198.51.100.1/24 |
# | + $h2 |
# | H2 (vrf) |
# +---------------------------------+
lib_dir=$(dirname $0)/../../../net/forwarding
ALL_TESTS="
non_ip_test
uc_dip_over_mc_dmac_test
dip_is_loopback_test
sip_is_mc_test
sip_is_loopback_test
ip_header_corrupted_test
ipv4_sip_is_limited_bc_test
ipv6_mc_dip_reserved_scope_test
ipv6_mc_dip_interface_local_scope_test
blackhole_route_test
irif_disabled_test
erif_disabled_test
blackhole_nexthop_test
"
NUM_NETIFS=4
source $lib_dir/lib.sh
source $lib_dir/tc_common.sh
source $lib_dir/devlink_lib.sh
h1_create()
{
simple_if_init $h1 192.0.2.1/24 2001:db8:1::1/64
ip -4 route add default vrf v$h1 nexthop via 192.0.2.2
ip -6 route add default vrf v$h1 nexthop via 2001:db8:1::2
}
h1_destroy()
{
ip -6 route del default vrf v$h1 nexthop via 2001:db8:1::2
ip -4 route del default vrf v$h1 nexthop via 192.0.2.2
simple_if_fini $h1 192.0.2.1/24 2001:db8:1::1/64
}
h2_create()
{
simple_if_init $h2 $h2_ipv4/24 $h2_ipv6/64
ip -4 route add default vrf v$h2 nexthop via 198.51.100.2
ip -6 route add default vrf v$h2 nexthop via 2001:db8:2::2
}
h2_destroy()
{
ip -6 route del default vrf v$h2 nexthop via 2001:db8:2::2
ip -4 route del default vrf v$h2 nexthop via 198.51.100.2
simple_if_fini $h2 $h2_ipv4/24 $h2_ipv6/64
}
router_create()
{
ip link set dev $rp1 up
ip link set dev $rp2 up
tc qdisc add dev $rp2 clsact
__addr_add_del $rp1 add 192.0.2.2/24 2001:db8:1::2/64
__addr_add_del $rp2 add 198.51.100.2/24 2001:db8:2::2/64
}
router_destroy()
{
__addr_add_del $rp2 del 198.51.100.2/24 2001:db8:2::2/64
__addr_add_del $rp1 del 192.0.2.2/24 2001:db8:1::2/64
tc qdisc del dev $rp2 clsact
ip link set dev $rp2 down
ip link set dev $rp1 down
}
setup_prepare()
{
h1=${NETIFS[p1]}
rp1=${NETIFS[p2]}
rp2=${NETIFS[p3]}
h2=${NETIFS[p4]}
h1mac=$(mac_get $h1)
rp1mac=$(mac_get $rp1)
h1_ipv4=192.0.2.1
h2_ipv4=198.51.100.1
h1_ipv6=2001:db8:1::1
h2_ipv6=2001:db8:2::1
vrf_prepare
forwarding_enable
h1_create
h2_create
router_create
}
cleanup()
{
pre_cleanup
router_destroy
h2_destroy
h1_destroy
forwarding_restore
vrf_cleanup
}
ping_check()
{
trap_name=$1; shift
devlink_trap_action_set $trap_name "trap"
ping_do $h1 $h2_ipv4
check_err $? "Packets that should not be trapped were trapped"
devlink_trap_action_set $trap_name "drop"
}
non_ip_test()
{
local trap_name="non_ip"
local mz_pid
RET=0
ping_check $trap_name
tc filter add dev $rp2 egress protocol ip pref 1 handle 101 \
flower dst_ip $h2_ipv4 action drop
# Generate non-IP packets to the router
$MZ $h1 -c 0 -p 100 -d 1msec -B $h2_ipv4 -q "$rp1mac $h1mac \
00:00 de:ad:be:ef" &
mz_pid=$!
devlink_trap_drop_test $trap_name $rp2 101
log_test "Non IP"
devlink_trap_drop_cleanup $mz_pid $rp2 "ip" 1 101
}
__uc_dip_over_mc_dmac_test()
{
local desc=$1; shift
local proto=$1; shift
local dip=$1; shift
local flags=${1:-""}; shift
local trap_name="uc_dip_over_mc_dmac"
local dmac=01:02:03:04:05:06
local mz_pid
RET=0
ping_check $trap_name
tc filter add dev $rp2 egress protocol $proto pref 1 handle 101 \
flower ip_proto udp src_port 54321 dst_port 12345 action drop
# Generate IP packets with a unicast IP and a multicast destination MAC
$MZ $h1 $flags -t udp "sp=54321,dp=12345" -c 0 -p 100 -b $dmac \
-B $dip -d 1msec -q &
mz_pid=$!
devlink_trap_drop_test $trap_name $rp2 101
log_test "Unicast destination IP over multicast destination MAC: $desc"
devlink_trap_drop_cleanup $mz_pid $rp2 $proto 1 101
}
uc_dip_over_mc_dmac_test()
{
__uc_dip_over_mc_dmac_test "IPv4" "ip" $h2_ipv4
__uc_dip_over_mc_dmac_test "IPv6" "ipv6" $h2_ipv6 "-6"
}
__sip_is_loopback_test()
{
local desc=$1; shift
local proto=$1; shift
local sip=$1; shift
local dip=$1; shift
local flags=${1:-""}; shift
local trap_name="sip_is_loopback_address"
local mz_pid
RET=0
ping_check $trap_name
tc filter add dev $rp2 egress protocol $proto pref 1 handle 101 \
flower src_ip $sip action drop
# Generate packets with loopback source IP
$MZ $h1 $flags -t udp "sp=54321,dp=12345" -c 0 -p 100 -A $sip \
-b $rp1mac -B $dip -d 1msec -q &
mz_pid=$!
devlink_trap_drop_test $trap_name $rp2 101
log_test "Source IP is loopback address: $desc"
devlink_trap_drop_cleanup $mz_pid $rp2 $proto 1 101
}
sip_is_loopback_test()
{
__sip_is_loopback_test "IPv4" "ip" "127.0.0.0/8" $h2_ipv4
__sip_is_loopback_test "IPv6" "ipv6" "::1" $h2_ipv6 "-6"
}
__dip_is_loopback_test()
{
local desc=$1; shift
local proto=$1; shift
local dip=$1; shift
local flags=${1:-""}; shift
local trap_name="dip_is_loopback_address"
local mz_pid
RET=0
ping_check $trap_name
tc filter add dev $rp2 egress protocol $proto pref 1 handle 101 \
flower dst_ip $dip action drop
# Generate packets with loopback destination IP
$MZ $h1 $flags -t udp "sp=54321,dp=12345" -c 0 -p 100 -b $rp1mac \
-B $dip -d 1msec -q &
mz_pid=$!
devlink_trap_drop_test $trap_name $rp2 101
log_test "Destination IP is loopback address: $desc"
devlink_trap_drop_cleanup $mz_pid $rp2 $proto 1 101
}
dip_is_loopback_test()
{
__dip_is_loopback_test "IPv4" "ip" "127.0.0.0/8"
__dip_is_loopback_test "IPv6" "ipv6" "::1" "-6"
}
__sip_is_mc_test()
{
local desc=$1; shift
local proto=$1; shift
local sip=$1; shift
local dip=$1; shift
local flags=${1:-""}; shift
local trap_name="sip_is_mc"
local mz_pid
RET=0
ping_check $trap_name
tc filter add dev $rp2 egress protocol $proto pref 1 handle 101 \
flower src_ip $sip action drop
# Generate packets with multicast source IP
$MZ $h1 $flags -t udp "sp=54321,dp=12345" -c 0 -p 100 -A $sip \
-b $rp1mac -B $dip -d 1msec -q &
mz_pid=$!
devlink_trap_drop_test $trap_name $rp2 101
log_test "Source IP is multicast: $desc"
devlink_trap_drop_cleanup $mz_pid $rp2 $proto 1 101
}
sip_is_mc_test()
{
__sip_is_mc_test "IPv4" "ip" "239.1.1.1" $h2_ipv4
__sip_is_mc_test "IPv6" "ipv6" "FF02::2" $h2_ipv6 "-6"
}
ipv4_sip_is_limited_bc_test()
{
local trap_name="ipv4_sip_is_limited_bc"
local sip=255.255.255.255
local mz_pid
RET=0
ping_check $trap_name
tc filter add dev $rp2 egress protocol ip pref 1 handle 101 \
flower src_ip $sip action drop
# Generate packets with limited broadcast source IP
$MZ $h1 -t udp "sp=54321,dp=12345" -c 0 -p 100 -A $sip -b $rp1mac \
-B $h2_ipv4 -d 1msec -q &
mz_pid=$!
devlink_trap_drop_test $trap_name $rp2 101
log_test "IPv4 source IP is limited broadcast"
devlink_trap_drop_cleanup $mz_pid $rp2 "ip" 1 101
}
ipv4_payload_get()
{
local ipver=$1; shift
local ihl=$1; shift
local checksum=$1; shift
p=$(:
)"08:00:"$( : ETH type
)"$ipver"$( : IP version
)"$ihl:"$( : IHL
)"00:"$( : IP TOS
)"00:F4:"$( : IP total length
)"00:00:"$( : IP identification
)"20:00:"$( : IP flags + frag off
)"30:"$( : IP TTL
)"01:"$( : IP proto
)"$checksum:"$( : IP header csum
)"$h1_ipv4:"$( : IP saddr
)"$h2_ipv4:"$( : IP daddr
)
echo $p
}
__ipv4_header_corrupted_test()
{
local desc=$1; shift
local ipver=$1; shift
local ihl=$1; shift
local checksum=$1; shift
local trap_name="ip_header_corrupted"
local payload
local mz_pid
RET=0
ping_check $trap_name
tc filter add dev $rp2 egress protocol ip pref 1 handle 101 \
flower dst_ip $h2_ipv4 action drop
payload=$(ipv4_payload_get $ipver $ihl $checksum)
# Generate packets with corrupted IP header
$MZ $h1 -c 0 -d 1msec -a $h1mac -b $rp1mac -q p=$payload &
mz_pid=$!
devlink_trap_drop_test $trap_name $rp2 101
log_test "IP header corrupted: $desc: IPv4"
devlink_trap_drop_cleanup $mz_pid $rp2 "ip" 1 101
}
ipv6_payload_get()
{
local ipver=$1; shift
p=$(:
)"86:DD:"$( : ETH type
)"$ipver"$( : IP version
)"0:0:"$( : Traffic class
)"0:00:00:"$( : Flow label
)"00:00:"$( : Payload length
)"01:"$( : Next header
)"04:"$( : Hop limit
)"$h1_ipv6:"$( : IP saddr
)"$h2_ipv6:"$( : IP daddr
)
echo $p
}
__ipv6_header_corrupted_test()
{
local desc=$1; shift
local ipver=$1; shift
local trap_name="ip_header_corrupted"
local payload
local mz_pid
RET=0
ping_check $trap_name
tc filter add dev $rp2 egress protocol ip pref 1 handle 101 \
flower dst_ip $h2_ipv4 action drop
payload=$(ipv6_payload_get $ipver)
# Generate packets with corrupted IP header
$MZ $h1 -c 0 -d 1msec -a $h1mac -b $rp1mac -q p=$payload &
mz_pid=$!
devlink_trap_drop_test $trap_name $rp2 101
log_test "IP header corrupted: $desc: IPv6"
devlink_trap_drop_cleanup $mz_pid $rp2 "ip" 1 101
}
ip_header_corrupted_test()
{
# Each test uses one wrong value. The three values below are correct.
local ipv="4"
local ihl="5"
local checksum="00:F4"
__ipv4_header_corrupted_test "wrong IP version" 5 $ihl $checksum
__ipv4_header_corrupted_test "wrong IHL" $ipv 4 $checksum
__ipv4_header_corrupted_test "wrong checksum" $ipv $ihl "00:00"
__ipv6_header_corrupted_test "wrong IP version" 5
}
ipv6_mc_dip_reserved_scope_test()
{
local trap_name="ipv6_mc_dip_reserved_scope"
local dip=FF00::
local mz_pid
RET=0
ping_check $trap_name
tc filter add dev $rp2 egress protocol ipv6 pref 1 handle 101 \
flower dst_ip $dip action drop
# Generate packets with reserved scope destination IP
$MZ $h1 -6 -t udp "sp=54321,dp=12345" -c 0 -p 100 -b \
"33:33:00:00:00:00" -B $dip -d 1msec -q &
mz_pid=$!
devlink_trap_drop_test $trap_name $rp2 101
log_test "IPv6 multicast destination IP reserved scope"
devlink_trap_drop_cleanup $mz_pid $rp2 "ipv6" 1 101
}
ipv6_mc_dip_interface_local_scope_test()
{
local trap_name="ipv6_mc_dip_interface_local_scope"
local dip=FF01::
local mz_pid
RET=0
ping_check $trap_name
tc filter add dev $rp2 egress protocol ipv6 pref 1 handle 101 \
flower dst_ip $dip action drop
# Generate packets with interface local scope destination IP
$MZ $h1 -6 -t udp "sp=54321,dp=12345" -c 0 -p 100 -b \
"33:33:00:00:00:00" -B $dip -d 1msec -q &
mz_pid=$!
devlink_trap_drop_test $trap_name $rp2 101
log_test "IPv6 multicast destination IP interface-local scope"
devlink_trap_drop_cleanup $mz_pid $rp2 "ipv6" 1 101
}
__blackhole_route_test()
{
local flags=$1; shift
local subnet=$1; shift
local proto=$1; shift
local dip=$1; shift
local ip_proto=${1:-"icmp"}; shift
local trap_name="blackhole_route"
local mz_pid
RET=0
ping_check $trap_name
ip -$flags route add blackhole $subnet
tc filter add dev $rp2 egress protocol $proto pref 1 handle 101 \
flower skip_hw dst_ip $dip ip_proto $ip_proto action drop
# Generate packets to the blackhole route
$MZ $h1 -$flags -t udp "sp=54321,dp=12345" -c 0 -p 100 -b $rp1mac \
-B $dip -d 1msec -q &
mz_pid=$!
devlink_trap_drop_test $trap_name $rp2 101
log_test "Blackhole route: IPv$flags"
devlink_trap_drop_cleanup $mz_pid $rp2 $proto 1 101
ip -$flags route del blackhole $subnet
}
blackhole_route_test()
{
__blackhole_route_test "4" "198.51.100.0/30" "ip" $h2_ipv4
__blackhole_route_test "6" "2001:db8:2::/120" "ipv6" $h2_ipv6 "icmpv6"
}
irif_disabled_test()
{
local trap_name="irif_disabled"
local t0_packets t0_bytes
local t1_packets t1_bytes
local mz_pid
RET=0
ping_check $trap_name
devlink_trap_action_set $trap_name "trap"
# When RIF of a physical port ("Sub-port RIF") is destroyed, we first
# block the STP of the {Port, VLAN} so packets cannot get into the RIF.
# Using bridge enables us to see this trap because when bridge is
# destroyed, there is a small time window that packets can go into the
# RIF, while it is disabled.
ip link add dev br0 type bridge
ip link set dev $rp1 master br0
ip address flush dev $rp1
__addr_add_del br0 add 192.0.2.2/24
ip li set dev br0 up
t0_packets=$(devlink_trap_rx_packets_get $trap_name)
t0_bytes=$(devlink_trap_rx_bytes_get $trap_name)
# Generate packets to h2 through br0 RIF that will be removed later
$MZ $h1 -t udp "sp=54321,dp=12345" -c 0 -p 100 -a own -b $rp1mac \
-B $h2_ipv4 -q &
mz_pid=$!
# Wait before removing br0 RIF to allow packets to go into the bridge.
sleep 1
# Flushing address will dismantle the RIF
ip address flush dev br0
t1_packets=$(devlink_trap_rx_packets_get $trap_name)
t1_bytes=$(devlink_trap_rx_bytes_get $trap_name)
if [[ $t0_packets -eq $t1_packets && $t0_bytes -eq $t1_bytes ]]; then
check_err 1 "Trap stats idle when packets should be trapped"
fi
log_test "Ingress RIF disabled"
kill $mz_pid && wait $mz_pid &> /dev/null
ip link set dev $rp1 nomaster
__addr_add_del $rp1 add 192.0.2.2/24 2001:db8:1::2/64
ip link del dev br0 type bridge
devlink_trap_action_set $trap_name "drop"
}
erif_disabled_test()
{
local trap_name="erif_disabled"
local t0_packets t0_bytes
local t1_packets t1_bytes
local mz_pid
RET=0
ping_check $trap_name
devlink_trap_action_set $trap_name "trap"
ip link add dev br0 type bridge
ip add flush dev $rp1
ip link set dev $rp1 master br0
__addr_add_del br0 add 192.0.2.2/24
ip link set dev br0 up
t0_packets=$(devlink_trap_rx_packets_get $trap_name)
t0_bytes=$(devlink_trap_rx_bytes_get $trap_name)
rp2mac=$(mac_get $rp2)
# Generate packets that should go out through br0 RIF that will be
# removed later
$MZ $h2 -t udp "sp=54321,dp=12345" -c 0 -p 100 -a own -b $rp2mac \
-B 192.0.2.1 -q &
mz_pid=$!
sleep 5
# Unlinking the port from the bridge will disable the RIF associated
# with br0 as it is no longer an upper of any mlxsw port.
ip link set dev $rp1 nomaster
t1_packets=$(devlink_trap_rx_packets_get $trap_name)
t1_bytes=$(devlink_trap_rx_bytes_get $trap_name)
if [[ $t0_packets -eq $t1_packets && $t0_bytes -eq $t1_bytes ]]; then
check_err 1 "Trap stats idle when packets should be trapped"
fi
log_test "Egress RIF disabled"
kill $mz_pid && wait $mz_pid &> /dev/null
__addr_add_del $rp1 add 192.0.2.2/24 2001:db8:1::2/64
ip link del dev br0 type bridge
devlink_trap_action_set $trap_name "drop"
}
__blackhole_nexthop_test()
{
local flags=$1; shift
local subnet=$1; shift
local proto=$1; shift
local dip=$1; shift
local trap_name="blackhole_nexthop"
local mz_pid
RET=0
ip -$flags nexthop add id 1 blackhole
ip -$flags route add $subnet nhid 1
tc filter add dev $rp2 egress protocol $proto pref 1 handle 101 \
flower skip_hw dst_ip $dip ip_proto udp action drop
# Generate packets to the blackhole nexthop
$MZ $h1 -$flags -t udp "sp=54321,dp=12345" -c 0 -p 100 -b $rp1mac \
-B $dip -d 1msec -q &
mz_pid=$!
devlink_trap_drop_test $trap_name $rp2 101
log_test "Blackhole nexthop: IPv$flags"
devlink_trap_drop_cleanup $mz_pid $rp2 $proto 1 101
ip -$flags route del $subnet
ip -$flags nexthop del id 1
}
blackhole_nexthop_test()
{
__blackhole_nexthop_test "4" "198.51.100.0/30" "ip" $h2_ipv4
__blackhole_nexthop_test "6" "2001:db8:2::/120" "ipv6" $h2_ipv6
}
trap cleanup EXIT
setup_prepare
setup_wait
tests_run
exit $EXIT_STATUS