| #!/bin/bash |
| # SPDX-License-Identifier: GPL-2.0 |
| # Copyright 2020 NXP |
| |
| WAIT_TIME=1 |
| NUM_NETIFS=4 |
| STABLE_MAC_ADDRS=yes |
| lib_dir=$(dirname $0)/../../../net/forwarding |
| source $lib_dir/tc_common.sh |
| source $lib_dir/lib.sh |
| |
| require_command tcpdump |
| |
| h1=${NETIFS[p1]} |
| swp1=${NETIFS[p2]} |
| swp2=${NETIFS[p3]} |
| h2=${NETIFS[p4]} |
| |
| # Helpers to map a VCAP IS1 and VCAP IS2 lookup and policy to a chain number |
| # used by the kernel driver. The numbers are: |
| # VCAP IS1 lookup 0: 10000 |
| # VCAP IS1 lookup 1: 11000 |
| # VCAP IS1 lookup 2: 12000 |
| # VCAP IS2 lookup 0 policy 0: 20000 |
| # VCAP IS2 lookup 0 policy 1: 20001 |
| # VCAP IS2 lookup 0 policy 255: 20255 |
| # VCAP IS2 lookup 1 policy 0: 21000 |
| # VCAP IS2 lookup 1 policy 1: 21001 |
| # VCAP IS2 lookup 1 policy 255: 21255 |
| IS1() |
| { |
| local lookup=$1 |
| |
| echo $((10000 + 1000 * lookup)) |
| } |
| |
| IS2() |
| { |
| local lookup=$1 |
| local pag=$2 |
| |
| echo $((20000 + 1000 * lookup + pag)) |
| } |
| |
| ES0() |
| { |
| echo 0 |
| } |
| |
| # The Ocelot switches have a fixed ingress pipeline composed of: |
| # |
| # +----------------------------------------------+ +-----------------------------------------+ |
| # | VCAP IS1 | | VCAP IS2 | |
| # | | | | |
| # | +----------+ +----------+ +----------+ | | +----------+ +----------+ | |
| # | | Lookup 0 | | Lookup 1 | | Lookup 2 | | --+------> PAG 0: | Lookup 0 | -> | Lookup 1 | | |
| # | +----------+ -> +----------+ -> +----------+ | | | +----------+ +----------+ | |
| # | |key&action| |key&action| |key&action| | | | |key&action| |key&action| | |
| # | |key&action| |key&action| |key&action| | | | | .. | | .. | | |
| # | | .. | | .. | | .. | | | | +----------+ +----------+ | |
| # | +----------+ +----------+ +----------+ | | | | |
| # | selects PAG | | | +----------+ +----------+ | |
| # +----------------------------------------------+ +------> PAG 1: | Lookup 0 | -> | Lookup 1 | | |
| # | | +----------+ +----------+ | |
| # | | |key&action| |key&action| | |
| # | | | .. | | .. | | |
| # | | +----------+ +----------+ | |
| # | | ... | |
| # | | | |
| # | | +----------+ +----------+ | |
| # +----> PAG 254: | Lookup 0 | -> | Lookup 1 | | |
| # | | +----------+ +----------+ | |
| # | | |key&action| |key&action| | |
| # | | | .. | | .. | | |
| # | | +----------+ +----------+ | |
| # | | | |
| # | | +----------+ +----------+ | |
| # +----> PAG 255: | Lookup 0 | -> | Lookup 1 | | |
| # | +----------+ +----------+ | |
| # | |key&action| |key&action| | |
| # | | .. | | .. | | |
| # | +----------+ +----------+ | |
| # +-----------------------------------------+ |
| # |
| # Both the VCAP IS1 (Ingress Stage 1) and IS2 (Ingress Stage 2) are indexed |
| # (looked up) multiple times: IS1 3 times, and IS2 2 times. Each filter |
| # (key and action pair) can be configured to only match during the first, or |
| # second, etc, lookup. |
| # |
| # During one TCAM lookup, the filter processing stops at the first entry that |
| # matches, then the pipeline jumps to the next lookup. |
| # The driver maps each individual lookup of each individual ingress TCAM to a |
| # separate chain number. For correct rule offloading, it is mandatory that each |
| # filter installed in one TCAM is terminated by a non-optional GOTO action to |
| # the next lookup from the fixed pipeline. |
| # |
| # A chain can only be used if there is a GOTO action correctly set up from the |
| # prior lookup in the processing pipeline. Setting up all chains is not |
| # mandatory. |
| |
| # NOTE: VCAP IS1 currently uses only S1_NORMAL half keys and VCAP IS2 |
| # dynamically chooses between MAC_ETYPE, ARP, IP4_TCP_UDP, IP4_OTHER, which are |
| # all half keys as well. |
| |
| create_tcam_skeleton() |
| { |
| local eth=$1 |
| |
| tc qdisc add dev $eth clsact |
| |
| # VCAP IS1 is the Ingress Classification TCAM and can offload the |
| # following actions: |
| # - skbedit priority |
| # - vlan pop |
| # - vlan modify |
| # - goto (only in lookup 2, the last IS1 lookup) |
| tc filter add dev $eth ingress chain 0 pref 49152 flower \ |
| skip_sw action goto chain $(IS1 0) |
| tc filter add dev $eth ingress chain $(IS1 0) pref 49152 \ |
| flower skip_sw action goto chain $(IS1 1) |
| tc filter add dev $eth ingress chain $(IS1 1) pref 49152 \ |
| flower skip_sw action goto chain $(IS1 2) |
| tc filter add dev $eth ingress chain $(IS1 2) pref 49152 \ |
| flower skip_sw action goto chain $(IS2 0 0) |
| |
| # VCAP IS2 is the Security Enforcement ingress TCAM and can offload the |
| # following actions: |
| # - trap |
| # - drop |
| # - police |
| # The two VCAP IS2 lookups can be segmented into up to 256 groups of |
| # rules, called Policies. A Policy is selected through the Policy |
| # Association Group (PAG) action of VCAP IS1 (which is the |
| # GOTO offload). |
| tc filter add dev $eth ingress chain $(IS2 0 0) pref 49152 \ |
| flower skip_sw action goto chain $(IS2 1 0) |
| } |
| |
| setup_prepare() |
| { |
| ip link set $swp1 up |
| ip link set $swp2 up |
| ip link set $h2 up |
| ip link set $h1 up |
| |
| create_tcam_skeleton $swp1 |
| |
| ip link add br0 type bridge |
| ip link set $swp1 master br0 |
| ip link set $swp2 master br0 |
| ip link set br0 up |
| |
| ip link add link $h1 name $h1.100 type vlan id 100 |
| ip link set $h1.100 up |
| |
| ip link add link $h1 name $h1.200 type vlan id 200 |
| ip link set $h1.200 up |
| |
| tc filter add dev $swp1 ingress chain $(IS1 1) pref 1 \ |
| protocol 802.1Q flower skip_sw vlan_id 100 \ |
| action vlan pop \ |
| action goto chain $(IS1 2) |
| |
| tc filter add dev $swp1 egress chain $(ES0) pref 1 \ |
| flower skip_sw indev $swp2 \ |
| action vlan push protocol 802.1Q id 100 |
| |
| tc filter add dev $swp1 ingress chain $(IS1 0) pref 2 \ |
| protocol ipv4 flower skip_sw src_ip 10.1.1.2 \ |
| action skbedit priority 7 \ |
| action goto chain $(IS1 1) |
| |
| tc filter add dev $swp1 ingress chain $(IS2 0 0) pref 1 \ |
| protocol ipv4 flower skip_sw ip_proto udp dst_port 5201 \ |
| action police rate 50mbit burst 64k conform-exceed drop/pipe \ |
| action goto chain $(IS2 1 0) |
| } |
| |
| cleanup() |
| { |
| ip link del $h1.200 |
| ip link del $h1.100 |
| tc qdisc del dev $swp1 clsact |
| ip link del br0 |
| } |
| |
| test_vlan_pop() |
| { |
| local h1_mac=$(mac_get $h1) |
| local h2_mac=$(mac_get $h2) |
| |
| RET=0 |
| |
| tcpdump_start $h2 |
| |
| # Work around Mausezahn VLAN builder bug |
| # (https://github.com/netsniff-ng/netsniff-ng/issues/225) by using |
| # an 8021q upper |
| $MZ $h1.100 -q -c 1 -p 64 -a $h1_mac -b $h2_mac -t ip |
| |
| sleep 1 |
| |
| tcpdump_stop $h2 |
| |
| tcpdump_show $h2 | grep -q "$h1_mac > $h2_mac, ethertype IPv4" |
| check_err "$?" "untagged reception" |
| |
| tcpdump_cleanup $h2 |
| |
| log_test "VLAN pop" |
| } |
| |
| test_vlan_push() |
| { |
| local h1_mac=$(mac_get $h1) |
| local h2_mac=$(mac_get $h2) |
| |
| RET=0 |
| |
| tcpdump_start $h1.100 |
| |
| $MZ $h2 -q -c 1 -p 64 -a $h2_mac -b $h1_mac -t ip |
| |
| sleep 1 |
| |
| tcpdump_stop $h1.100 |
| |
| tcpdump_show $h1.100 | grep -q "$h2_mac > $h1_mac" |
| check_err "$?" "tagged reception" |
| |
| tcpdump_cleanup $h1.100 |
| |
| log_test "VLAN push" |
| } |
| |
| test_vlan_ingress_modify() |
| { |
| local h1_mac=$(mac_get $h1) |
| local h2_mac=$(mac_get $h2) |
| |
| RET=0 |
| |
| ip link set br0 type bridge vlan_filtering 1 |
| bridge vlan add dev $swp1 vid 200 |
| bridge vlan add dev $swp1 vid 300 |
| bridge vlan add dev $swp2 vid 300 |
| |
| tc filter add dev $swp1 ingress chain $(IS1 2) pref 3 \ |
| protocol 802.1Q flower skip_sw vlan_id 200 \ |
| action vlan modify id 300 \ |
| action goto chain $(IS2 0 0) |
| |
| tcpdump_start $h2 |
| |
| $MZ $h1.200 -q -c 1 -p 64 -a $h1_mac -b $h2_mac -t ip |
| |
| sleep 1 |
| |
| tcpdump_stop $h2 |
| |
| tcpdump_show $h2 | grep -q "$h1_mac > $h2_mac, .* vlan 300" |
| check_err "$?" "tagged reception" |
| |
| tcpdump_cleanup $h2 |
| |
| tc filter del dev $swp1 ingress chain $(IS1 2) pref 3 |
| |
| bridge vlan del dev $swp1 vid 200 |
| bridge vlan del dev $swp1 vid 300 |
| bridge vlan del dev $swp2 vid 300 |
| ip link set br0 type bridge vlan_filtering 0 |
| |
| log_test "Ingress VLAN modification" |
| } |
| |
| test_vlan_egress_modify() |
| { |
| local h1_mac=$(mac_get $h1) |
| local h2_mac=$(mac_get $h2) |
| |
| RET=0 |
| |
| tc qdisc add dev $swp2 clsact |
| |
| ip link set br0 type bridge vlan_filtering 1 |
| bridge vlan add dev $swp1 vid 200 |
| bridge vlan add dev $swp2 vid 200 |
| |
| tc filter add dev $swp2 egress chain $(ES0) pref 3 \ |
| protocol 802.1Q flower skip_sw vlan_id 200 vlan_prio 0 \ |
| action vlan modify id 300 priority 7 |
| |
| tcpdump_start $h2 |
| |
| $MZ $h1.200 -q -c 1 -p 64 -a $h1_mac -b $h2_mac -t ip |
| |
| sleep 1 |
| |
| tcpdump_stop $h2 |
| |
| tcpdump_show $h2 | grep -q "$h1_mac > $h2_mac, .* vlan 300" |
| check_err "$?" "tagged reception" |
| |
| tcpdump_cleanup $h2 |
| |
| tc filter del dev $swp2 egress chain $(ES0) pref 3 |
| tc qdisc del dev $swp2 clsact |
| |
| bridge vlan del dev $swp1 vid 200 |
| bridge vlan del dev $swp2 vid 200 |
| ip link set br0 type bridge vlan_filtering 0 |
| |
| log_test "Egress VLAN modification" |
| } |
| |
| test_skbedit_priority() |
| { |
| local h1_mac=$(mac_get $h1) |
| local h2_mac=$(mac_get $h2) |
| local num_pkts=100 |
| |
| before=$(ethtool_stats_get $swp1 'rx_green_prio_7') |
| |
| $MZ $h1 -q -c $num_pkts -p 64 -a $h1_mac -b $h2_mac -t ip -A 10.1.1.2 |
| |
| after=$(ethtool_stats_get $swp1 'rx_green_prio_7') |
| |
| if [ $((after - before)) = $num_pkts ]; then |
| RET=0 |
| else |
| RET=1 |
| fi |
| |
| log_test "Frame prioritization" |
| } |
| |
| trap cleanup EXIT |
| |
| ALL_TESTS=" |
| test_vlan_pop |
| test_vlan_push |
| test_vlan_ingress_modify |
| test_vlan_egress_modify |
| test_skbedit_priority |
| " |
| |
| setup_prepare |
| setup_wait |
| |
| tests_run |
| |
| exit $EXIT_STATUS |
