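#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright 2020 NXP
#
# Selftest for tc-flower chain offload on Ocelot switches. The line structure
# is restored here: with everything folded onto one physical line, all text
# after the shebang was a single comment and none of the helpers were defined.

WAIT_TIME=1
NUM_NETIFS=4
STABLE_MAC_ADDRS=yes

# Quote "$0" and the derived path so that a checkout located under a directory
# containing spaces or glob characters still sources the intended files.
lib_dir=$(dirname "$0")/../../../net/forwarding
source "$lib_dir/tc_common.sh"
source "$lib_dir/lib.sh"

require_command tcpdump

# Port roles: h1 and h2 are the host-side interfaces, swp1 and swp2 the switch
# ports under test. NETIFS is presumably populated by lib.sh - confirm there.
h1=${NETIFS[p1]}
swp1=${NETIFS[p2]}
swp2=${NETIFS[p3]}
h2=${NETIFS[p4]}

# Helpers to map a VCAP IS1 and VCAP IS2 lookup and policy to a chain number
# used by the kernel driver. The numbers are:
# VCAP IS1 lookup 0:            10000
# VCAP IS1 lookup 1:            11000
# VCAP IS1 lookup 2:            12000
# VCAP IS2 lookup 0 policy 0:   20000
# VCAP IS2 lookup 0 policy 1:   20001
# VCAP IS2 lookup 0 policy 255: 20255
# VCAP IS2 lookup 1 policy 0:   21000
# VCAP IS2 lookup 1 policy 1:   21001
# VCAP IS2 lookup 1 policy 255: 21255

# Print the chain number of a VCAP IS1 lookup.
# Arguments: $1 - lookup index (0, 1 or 2 per the table above)
# Outputs:   chain number on stdout
IS1()
{
	local lookup=$1

	echo $((10000 + 1000 * lookup))
}

# Print the chain number of a VCAP IS2 lookup within a policy.
# Arguments: $1 - lookup index (0 or 1)
#            $2 - policy (PAG) number, 0..255 per the table above
# Outputs:   chain number on stdout
IS2()
{
	local lookup=$1
	local pag=$2

	echo $((20000 + 1000 * lookup + pag))
}

# Print the chain number used for the egress (ES0) rules: always 0.
ES0()
{
	echo 0
}

# The Ocelot switches have a fixed ingress pipeline composed of:
#
# +----------------------------------------------+      +-----------------------------------------+
# |                   VCAP IS1                   |      |                  VCAP IS2               |
# |                                              |      |                                         |
# | +----------+    +----------+    +----------+ |      |            +----------+    +----------+ |
# | | Lookup 0 |    | Lookup 1 |    | Lookup 2 | | --+------> PAG 0: | Lookup 0 | -> | Lookup 1 | |
# | +----------+ -> +----------+ -> +----------+ |   |  |            +----------+    +----------+ |
# | |key&action|    |key&action|    |key&action| |   |  |            |key&action|    |key&action| |
# | |key&action|    |key&action|    |key&action| |   |  |            |    ..    |    |    ..    | |
# | |    ..    |    |    ..    |    |    ..    | |   |  |            +----------+    +----------+ |
# | +----------+    +----------+    +----------+ |   |  |                                         |
# |                                 selects PAG  |   |  |            +----------+    +----------+ |
# +----------------------------------------------+   +------> PAG 1: | Lookup 0 | -> | Lookup 1 | |
#                                                    |  |            +----------+    +----------+ |
#                                                    |  |            |key&action|    |key&action| |
#                                                    |  |            |    ..    |    |    ..    | |
#                                                    |  |            +----------+    +----------+ |
#                                                    |  |                      ...                |
#                                                    |  |                                         |
#                                                    |  |            +----------+    +----------+ |
#                                                    +----> PAG 254: | Lookup 0 | -> | Lookup 1 | |
#                                                    |  |            +----------+    +----------+ |
#                                                    |  |            |key&action|    |key&action| |
#                                                    |  |            |    ..    |    |    ..    | |
#                                                    |  |            +----------+    +----------+ |
#                                                    |  |                                         |
#                                                    |  |            +----------+    +----------+ |
#                                                    +----> PAG 255: | Lookup 0 | -> | Lookup 1 | |
#                                                       |            +----------+    +----------+ |
#                                                       |            |key&action|    |key&action| |
#                                                       |            |    ..    |    |    ..    | |
#                                                       |            +----------+    +----------+ |
#                                                       +-----------------------------------------+
#
# Both the VCAP IS1 (Ingress Stage 1) and IS2 (Ingress Stage 2) are indexed
# (looked up) multiple times: IS1 3 times, and IS2 2 times. Each filter
# (key and action pair) can be configured to only match during the first, or
# second, etc, lookup.
#
# During one TCAM lookup, the filter processing stops at the first entry that
# matches, then the pipeline jumps to the next lookup.
# The driver maps each individual lookup of each individual ingress TCAM to a
# separate chain number. For correct rule offloading, it is mandatory that each
# filter installed in one TCAM is terminated by a non-optional GOTO action to
# the next lookup from the fixed pipeline.
#
# A chain can only be used if there is a GOTO action correctly set up from the
# prior lookup in the processing pipeline. Setting up all chains is not
# mandatory.

# NOTE: VCAP IS1 currently uses only S1_NORMAL half keys and VCAP IS2
# dynamically chooses between MAC_ETYPE, ARP, IP4_TCP_UDP, IP4_OTHER, which are
# all half keys as well.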
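# Install the clsact qdisc and the chain of default GOTO rules that links
# chain 0 to every IS1 lookup and on to both IS2 lookups of policy 0.
# Arguments: $1 - switch port to configure
#
# Every rule uses skip_sw, so tc refuses the rule when the hardware cannot
# offload it instead of silently handling it in software. A successful add
# therefore means the rule really sits in the TCAM.
create_tcam_skeleton()
{
	local eth=$1

	tc qdisc add dev "$eth" clsact

	# VCAP IS1 is the Ingress Classification TCAM and can offload the
	# following actions:
	# - skbedit priority
	# - vlan pop
	# - vlan modify
	# - goto (only in lookup 2, the last IS1 lookup)
	tc filter add dev "$eth" ingress chain 0 pref 49152 flower \
		skip_sw action goto chain "$(IS1 0)"
	tc filter add dev "$eth" ingress chain "$(IS1 0)" pref 49152 \
		flower skip_sw action goto chain "$(IS1 1)"
	tc filter add dev "$eth" ingress chain "$(IS1 1)" pref 49152 \
		flower skip_sw action goto chain "$(IS1 2)"
	tc filter add dev "$eth" ingress chain "$(IS1 2)" pref 49152 \
		flower skip_sw action goto chain "$(IS2 0 0)"

	# VCAP IS2 is the Security Enforcement ingress TCAM and can offload the
	# following actions:
	# - trap
	# - drop
	# - police
	# The two VCAP IS2 lookups can be segmented into up to 256 groups of
	# rules, called Policies. A Policy is selected through the Policy
	# Association Group (PAG) action of VCAP IS1 (which is the
	# GOTO offload).
	tc filter add dev "$eth" ingress chain "$(IS2 0 0)" pref 49152 \
		flower skip_sw action goto chain "$(IS2 1 0)"
}

# Bring up all four ports, bridge swp1 and swp2, create the VLAN 100 and
# VLAN 200 uppers on h1 and install the offloaded rules the tests rely on.
#
# NOTE(review): no command status is checked here, so a rejected offload only
# shows up later as a failing test. Confirm whether setup should abort instead.
setup_prepare()
{
	ip link set "$swp1" up
	ip link set "$swp2" up
	ip link set "$h2" up
	ip link set "$h1" up

	create_tcam_skeleton "$swp1"

	ip link add br0 type bridge
	ip link set "$swp1" master br0
	ip link set "$swp2" master br0
	ip link set br0 up

	ip link add link "$h1" name "$h1.100" type vlan id 100
	ip link set "$h1.100" up

	ip link add link "$h1" name "$h1.200" type vlan id 200
	ip link set "$h1.200" up

	# IS1 lookup 1: strip VLAN 100 on ingress (checked by test_vlan_pop).
	tc filter add dev "$swp1" ingress chain "$(IS1 1)" pref 1 \
		protocol 802.1Q flower skip_sw vlan_id 100 \
		action vlan pop \
		action goto chain "$(IS1 2)"

	# ES0: re-tag frames that entered on swp2 with VLAN 100 when they
	# leave swp1 (checked by test_vlan_push).
	tc filter add dev "$swp1" egress chain "$(ES0)" pref 1 \
		flower skip_sw indev "$swp2" \
		action vlan push protocol 802.1Q id 100

	# IS1 lookup 0: classify traffic from 10.1.1.2 to priority 7
	# (checked by test_skbedit_priority).
	tc filter add dev "$swp1" ingress chain "$(IS1 0)" pref 2 \
		protocol ipv4 flower skip_sw src_ip 10.1.1.2 \
		action skbedit priority 7 \
		action goto chain "$(IS1 1)"

	# IS2 lookup 0, policy 0: police UDP destination port 5201.
	# NOTE(review): nothing in ALL_TESTS sends traffic matching this rule,
	# so at most the acceptance of the policer offload is exercised, not
	# the enforced rate. The IS2 trap and drop actions are not used at all.
	tc filter add dev "$swp1" ingress chain "$(IS2 0 0)" pref 1 \
		protocol ipv4 flower skip_sw ip_proto udp dst_port 5201 \
		action police rate 50mbit burst 64k conform-exceed drop/pipe \
		action goto chain "$(IS2 1 0)"
}

# Undo setup_prepare. Installed as the EXIT trap, so it runs on every exit
# path of the script.
#
# NOTE(review): the clsact qdisc that test_vlan_egress_modify adds on swp2 is
# removed only by that test itself. If the script is interrupted in the middle
# of that test the qdisc is left behind.
cleanup()
{
	ip link del "$h1.200"
	ip link del "$h1.100"
	tc qdisc del dev "$swp1" clsact
	ip link del br0
}

# Send one frame through the VLAN 100 upper of h1 and expect it to arrive
# untagged on h2, which shows that the IS1 "vlan pop" rule was applied.
test_vlan_pop()
{
	# Declare first, assign second, so that "local" does not hide the exit
	# status of mac_get.
	local h1_mac
	local h2_mac

	h1_mac=$(mac_get "$h1")
	h2_mac=$(mac_get "$h2")

	RET=0

	tcpdump_start "$h2"

	# Work around Mausezahn VLAN builder bug
	# (https://github.com/netsniff-ng/netsniff-ng/issues/225) by using
	# an 8021q upper
	# $MZ stays unquoted so that a value holding a command plus arguments
	# still splits into words.
	$MZ "$h1.100" -q -c 1 -p 64 -a "$h1_mac" -b "$h2_mac" -t ip

	# Presumably gives the frame time to reach the capture - confirm.
	sleep 1

	tcpdump_stop "$h2"

	# check_err must directly follow the pipeline whose status it reads.
	tcpdump_show "$h2" | grep -q "$h1_mac > $h2_mac, ethertype IPv4"
	check_err "$?" "untagged reception"

	tcpdump_cleanup "$h2"

	log_test "VLAN pop"
}

# Send one untagged frame from h2 and expect it on the VLAN 100 upper of h1,
# which shows that the ES0 "vlan push" rule tagged it on egress.
test_vlan_push()
{
	local h1_mac
	local h2_mac

	h1_mac=$(mac_get "$h1")
	h2_mac=$(mac_get "$h2")

	RET=0

	tcpdump_start "$h1.100"

	$MZ "$h2" -q -c 1 -p 64 -a "$h2_mac" -b "$h1_mac" -t ip

	sleep 1

	tcpdump_stop "$h1.100"

	tcpdump_show "$h1.100" | grep -q "$h2_mac > $h1_mac"
	check_err "$?" "tagged reception"

	tcpdump_cleanup "$h1.100"

	log_test "VLAN push"
}

# Rewrite VLAN 200 to VLAN 300 in IS1 lookup 2 for frames sourced from the
# MAC address of h1, then expect the frame on h2 tagged with VLAN 300.
# The rule, the bridge VLANs and vlan_filtering are restored before returning.
test_vlan_ingress_modify()
{
	local h1_mac
	local h2_mac

	h1_mac=$(mac_get "$h1")
	h2_mac=$(mac_get "$h2")

	RET=0

	ip link set br0 type bridge vlan_filtering 1
	bridge vlan add dev "$swp1" vid 200
	bridge vlan add dev "$swp1" vid 300
	bridge vlan add dev "$swp2" vid 300

	tc filter add dev "$swp1" ingress chain "$(IS1 2)" pref 3 \
		protocol 802.1Q flower skip_sw vlan_id 200 src_mac "$h1_mac" \
		action vlan modify id 300 \
		action goto chain "$(IS2 0 0)"

	tcpdump_start "$h2"

	$MZ "$h1.200" -q -c 1 -p 64 -a "$h1_mac" -b "$h2_mac" -t ip

	sleep 1

	tcpdump_stop "$h2"

	tcpdump_show "$h2" | grep -q "$h1_mac > $h2_mac, .* vlan 300"
	check_err "$?" "tagged reception"

	tcpdump_cleanup "$h2"

	tc filter del dev "$swp1" ingress chain "$(IS1 2)" pref 3

	bridge vlan del dev "$swp1" vid 200
	bridge vlan del dev "$swp1" vid 300
	bridge vlan del dev "$swp2" vid 300
	ip link set br0 type bridge vlan_filtering 0

	log_test "Ingress VLAN modification"
}

# Rewrite VLAN 200 / priority 0 to VLAN 300 / priority 7 on egress of swp2
# through an ES0 rule, then expect the frame on h2 tagged with VLAN 300.
# The temporary clsact qdisc on swp2 and the bridge VLAN state are removed
# before returning.
test_vlan_egress_modify()
{
	local h1_mac
	local h2_mac

	h1_mac=$(mac_get "$h1")
	h2_mac=$(mac_get "$h2")

	RET=0

	tc qdisc add dev "$swp2" clsact

	ip link set br0 type bridge vlan_filtering 1
	bridge vlan add dev "$swp1" vid 200
	bridge vlan add dev "$swp2" vid 200

	tc filter add dev "$swp2" egress chain "$(ES0)" pref 3 \
		protocol 802.1Q flower skip_sw vlan_id 200 vlan_prio 0 \
		action vlan modify id 300 priority 7

	tcpdump_start "$h2"

	$MZ "$h1.200" -q -c 1 -p 64 -a "$h1_mac" -b "$h2_mac" -t ip

	sleep 1

	tcpdump_stop "$h2"

	tcpdump_show "$h2" | grep -q "$h1_mac > $h2_mac, .* vlan 300"
	check_err "$?" "tagged reception"

	tcpdump_cleanup "$h2"

	tc filter del dev "$swp2" egress chain "$(ES0)" pref 3
	tc qdisc del dev "$swp2" clsact

	bridge vlan del dev "$swp1" vid 200
	bridge vlan del dev "$swp2" vid 200
	ip link set br0 type bridge vlan_filtering 0

	log_test "Egress VLAN modification"
}

# Send num_pkts frames with source IP 10.1.1.2 and require the
# rx_green_prio_7 counter of swp1 to grow by exactly that amount, which shows
# that the IS1 "skbedit priority 7" rule classified every frame.
test_skbedit_priority()
{
	local h1_mac
	local h2_mac
	local num_pkts=100
	# Keep the counter samples local instead of leaking them as globals.
	local before
	local after

	h1_mac=$(mac_get "$h1")
	h2_mac=$(mac_get "$h2")

	before=$(ethtool_stats_get "$swp1" 'rx_green_prio_7')

	$MZ "$h1" -q -c "$num_pkts" -p 64 -a "$h1_mac" -b "$h2_mac" -t ip -A 10.1.1.2

	after=$(ethtool_stats_get "$swp1" 'rx_green_prio_7')

	# Numeric comparison; the match is exact, so unrelated priority 7
	# traffic received on swp1 during the test makes it fail.
	if (( after - before == num_pkts )); then
		RET=0
	else
		RET=1
	fi

	log_test "Frame prioritization"
}

# Register the cleanup before any state is created, so that a failure during
# setup is cleaned up as well.
trap cleanup EXIT

ALL_TESTS="
	test_vlan_pop
	test_vlan_push
	test_vlan_ingress_modify
	test_vlan_egress_modify
	test_skbedit_priority
"

setup_prepare
setup_wait

tests_run

# EXIT_STATUS is expected to be maintained by lib.sh (not visible here).
# Report failure rather than success if it was never set.
exit "${EXIT_STATUS:-1}"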