1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3
4# Test for "tc action mirred egress mirror" when the underlay route points at a
5# vlan device on top of a bridge device with vlan filtering (802.1q).
6#
7#   +---------------------+                             +---------------------+
8#   | H1                  |                             |                  H2 |
9#   |     + $h1           |                             |           $h2 +     |
10#   |     | 192.0.2.1/28  |                             |  192.0.2.2/28 |     |
11#   +-----|---------------+                             +---------------|-----+
12#         |                                                             |
13#   +-----|-------------------------------------------------------------|-----+
14#   | SW  o--> mirred egress mirror dev {gt4,gt6}                       |     |
15#   |     |                                                             |     |
16#   | +---|-------------------------------------------------------------|---+ |
17#   | |   + $swp1                    br1                          $swp2 +   | |
18#   | |                                                                     | |
19#   | |   + $swp3                                                           | |
20#   | +---|-----------------------------------------------------------------+ |
21#   |     |                        |                                          |
22#   |     |                        + br1.555                                  |
23#   |     |                          192.0.2.130/28                           |
24#   |     |                          2001:db8:2::2/64                         |
25#   |     |                                                                   |
26#   |     |                     + gt6 (ip6gretap)      + gt4 (gretap)         |
27#   |     |                     : loc=2001:db8:2::1    : loc=192.0.2.129      |
28#   |     |                     : rem=2001:db8:2::2    : rem=192.0.2.130      |
29#   |     |                     : ttl=100              : ttl=100              |
30#   |     |                     : tos=inherit          : tos=inherit          |
31#   |     |                     :                      :                      |
32#   +-----|---------------------:----------------------:----------------------+
33#         |                     :                      :
34#   +-----|---------------------:----------------------:----------------------+
35#   | H3  + $h3                 + h3-gt6 (ip6gretap)   + h3-gt4 (gretap)      |
36#   |     |                       loc=2001:db8:2::2      loc=192.0.2.130      |
37#   |     + $h3.555               rem=2001:db8:2::1      rem=192.0.2.129      |
38#   |       192.0.2.130/28        ttl=100                ttl=100              |
39#   |       2001:db8:2::2/64      tos=inherit            tos=inherit          |
40#   |                                                                         |
41#   +-------------------------------------------------------------------------+
42
43ALL_TESTS="
44	test_gretap
45	test_ip6gretap
46	test_gretap_forbidden_cpu
47	test_ip6gretap_forbidden_cpu
48	test_gretap_forbidden_egress
49	test_ip6gretap_forbidden_egress
50	test_gretap_untagged_egress
51	test_ip6gretap_untagged_egress
52	test_gretap_fdb_roaming
53	test_ip6gretap_fdb_roaming
54	test_gretap_stp
55	test_ip6gretap_stp
56"
57
58NUM_NETIFS=6
59source lib.sh
60source mirror_lib.sh
61source mirror_gre_lib.sh
62source mirror_gre_topo_lib.sh
63
64require_command $ARPING
65
66h3_addr_add_del()
67{
68	local add_del=$1; shift
69	local dev=$1; shift
70
71	ip addr $add_del dev $dev 192.0.2.130/28
72	ip addr $add_del dev $dev 2001:db8:2::2/64
73}
74
75setup_prepare()
76{
77	h1=${NETIFS[p1]}
78	swp1=${NETIFS[p2]}
79
80	swp2=${NETIFS[p3]}
81	h2=${NETIFS[p4]}
82
83	swp3=${NETIFS[p5]}
84	h3=${NETIFS[p6]}
85
86	# gt4's remote address is at $h3.555, not $h3. Thus the packets arriving
87	# directly to $h3 for test_gretap_untagged_egress() are rejected by
88	# rp_filter and the test spuriously fails.
89	sysctl_set net.ipv4.conf.all.rp_filter 0
90	sysctl_set net.ipv4.conf.$h3.rp_filter 0
91
92	vrf_prepare
93	mirror_gre_topo_create
94
95	vlan_create br1 555 "" 192.0.2.129/32 2001:db8:2::1/128
96	bridge vlan add dev br1 vid 555 self
97	ip route rep 192.0.2.130/32 dev br1.555
98	ip -6 route rep 2001:db8:2::2/128 dev br1.555
99
100	vlan_create $h3 555 v$h3
101	h3_addr_add_del add $h3.555
102
103	ip link set dev $swp3 master br1
104	bridge vlan add dev $swp3 vid 555
105	bridge vlan add dev $swp2 vid 555
106}
107
108cleanup()
109{
110	pre_cleanup
111
112	ip link set dev $swp2 nomaster
113	ip link set dev $swp3 nomaster
114
115	h3_addr_add_del del $h3.555
116	vlan_destroy $h3 555
117	vlan_destroy br1 555
118
119	mirror_gre_topo_destroy
120	vrf_cleanup
121
122	sysctl_restore net.ipv4.conf.$h3.rp_filter
123	sysctl_restore net.ipv4.conf.all.rp_filter
124}
125
126test_vlan_match()
127{
128	local tundev=$1; shift
129	local vlan_match=$1; shift
130	local what=$1; shift
131
132	full_test_span_gre_dir_vlan $tundev ingress "$vlan_match" 8 0 "$what"
133	full_test_span_gre_dir_vlan $tundev egress "$vlan_match" 0 8 "$what"
134}
135
136test_gretap()
137{
138	test_vlan_match gt4 'skip_hw vlan_id 555 vlan_ethtype ip' \
139			"mirror to gretap"
140}
141
142test_ip6gretap()
143{
144	test_vlan_match gt6 'skip_hw vlan_id 555 vlan_ethtype ipv6' \
145			"mirror to ip6gretap"
146}
147
148test_span_gre_forbidden_cpu()
149{
150	local tundev=$1; shift
151	local what=$1; shift
152
153	RET=0
154
155	# Run the pass-test first, to prime neighbor table.
156	mirror_install $swp1 ingress $tundev "matchall $tcflags"
157	quick_test_span_gre_dir $tundev ingress
158
159	# Now forbid the VLAN at the bridge and see it fail.
160	bridge vlan del dev br1 vid 555 self
161	sleep 1
162	fail_test_span_gre_dir $tundev ingress
163
164	bridge vlan add dev br1 vid 555 self
165	sleep 1
166	quick_test_span_gre_dir $tundev ingress
167
168	mirror_uninstall $swp1 ingress
169
170	log_test "$what: vlan forbidden at a bridge ($tcflags)"
171}
172
173test_gretap_forbidden_cpu()
174{
175	test_span_gre_forbidden_cpu gt4 "mirror to gretap"
176}
177
178test_ip6gretap_forbidden_cpu()
179{
180	test_span_gre_forbidden_cpu gt6 "mirror to ip6gretap"
181}
182
183test_span_gre_forbidden_egress()
184{
185	local tundev=$1; shift
186	local what=$1; shift
187
188	RET=0
189
190	mirror_install $swp1 ingress $tundev "matchall $tcflags"
191	quick_test_span_gre_dir $tundev ingress
192
193	bridge vlan del dev $swp3 vid 555
194	sleep 1
195	fail_test_span_gre_dir $tundev ingress
196
197	bridge vlan add dev $swp3 vid 555
198	# Re-prime FDB
199	$ARPING -I br1.555 192.0.2.130 -fqc 1
200	sleep 1
201	quick_test_span_gre_dir $tundev ingress
202
203	mirror_uninstall $swp1 ingress
204
205	log_test "$what: vlan forbidden at a bridge egress ($tcflags)"
206}
207
208test_gretap_forbidden_egress()
209{
210	test_span_gre_forbidden_egress gt4 "mirror to gretap"
211}
212
213test_ip6gretap_forbidden_egress()
214{
215	test_span_gre_forbidden_egress gt6 "mirror to ip6gretap"
216}
217
218test_span_gre_untagged_egress()
219{
220	local tundev=$1; shift
221	local ul_proto=$1; shift
222	local what=$1; shift
223
224	RET=0
225
226	mirror_install $swp1 ingress $tundev "matchall $tcflags"
227
228	quick_test_span_gre_dir $tundev ingress
229	quick_test_span_vlan_dir $h3 555 ingress "$ul_proto"
230
231	h3_addr_add_del del $h3.555
232	bridge vlan add dev $swp3 vid 555 pvid untagged
233	h3_addr_add_del add $h3
234	sleep 5
235
236	quick_test_span_gre_dir $tundev ingress
237	fail_test_span_vlan_dir $h3 555 ingress "$ul_proto"
238
239	h3_addr_add_del del $h3
240	bridge vlan add dev $swp3 vid 555
241	h3_addr_add_del add $h3.555
242	sleep 5
243
244	quick_test_span_gre_dir $tundev ingress
245	quick_test_span_vlan_dir $h3 555 ingress "$ul_proto"
246
247	mirror_uninstall $swp1 ingress
248
249	log_test "$what: vlan untagged at a bridge egress ($tcflags)"
250}
251
252test_gretap_untagged_egress()
253{
254	test_span_gre_untagged_egress gt4 ip "mirror to gretap"
255}
256
257test_ip6gretap_untagged_egress()
258{
259	test_span_gre_untagged_egress gt6 ipv6 "mirror to ip6gretap"
260}
261
262test_span_gre_fdb_roaming()
263{
264	local tundev=$1; shift
265	local what=$1; shift
266	local h3mac=$(mac_get $h3)
267
268	RET=0
269
270	mirror_install $swp1 ingress $tundev "matchall $tcflags"
271	quick_test_span_gre_dir $tundev ingress
272
273	while ((RET == 0)); do
274		bridge fdb del dev $swp3 $h3mac vlan 555 master 2>/dev/null
275		bridge fdb add dev $swp2 $h3mac vlan 555 master static
276		sleep 1
277		fail_test_span_gre_dir $tundev ingress
278
279		if ! bridge fdb sh dev $swp2 vlan 555 master \
280		    | grep -q $h3mac; then
281			printf "TEST: %-60s  [RETRY]\n" \
282				"$what: MAC roaming ($tcflags)"
283			# ARP or ND probably reprimed the FDB while the test
284			# was running. We would get a spurious failure.
285			RET=0
286			continue
287		fi
288		break
289	done
290
291	bridge fdb del dev $swp2 $h3mac vlan 555 master 2>/dev/null
292	# Re-prime FDB
293	$ARPING -I br1.555 192.0.2.130 -fqc 1
294	sleep 1
295	quick_test_span_gre_dir $tundev ingress
296
297	mirror_uninstall $swp1 ingress
298
299	log_test "$what: MAC roaming ($tcflags)"
300}
301
302test_gretap_fdb_roaming()
303{
304	test_span_gre_fdb_roaming gt4 "mirror to gretap"
305}
306
307test_ip6gretap_fdb_roaming()
308{
309	test_span_gre_fdb_roaming gt6 "mirror to ip6gretap"
310}
311
312test_gretap_stp()
313{
314	full_test_span_gre_stp gt4 $swp3 "mirror to gretap"
315}
316
317test_ip6gretap_stp()
318{
319	full_test_span_gre_stp gt6 $swp3 "mirror to ip6gretap"
320}
321
322test_all()
323{
324	slow_path_trap_install $swp1 ingress
325	slow_path_trap_install $swp1 egress
326
327	tests_run
328
329	slow_path_trap_uninstall $swp1 egress
330	slow_path_trap_uninstall $swp1 ingress
331}
332
333trap cleanup EXIT
334
335setup_prepare
336setup_wait
337
338tcflags="skip_hw"
339test_all
340
341if ! tc_offload_check; then
342	echo "WARN: Could not test offloaded functionality"
343else
344	tcflags="skip_sw"
345	test_all
346fi
347
348exit $EXIT_STATUS
349