tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

selftests: forwarding: Add reverse path forwarding (RPF) test cases

In case a packet is routed using a multicast route whose specified
ingress interface does not match the interface from which the packet was
received, the packet is dropped.

Add IPv4 and IPv6 test cases for above mentioned scenario.

Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Ido Schimmel and committed by
David S. Miller ca059af8 eda3d1b0

+106 -1
+106 -1
tools/testing/selftests/net/forwarding/router_multicast.sh
··· 28 28 # +------------------+ +------------------+ 29 29 # 30 30 31 - ALL_TESTS="mcast_v4 mcast_v6" 31 + ALL_TESTS="mcast_v4 mcast_v6 rpf_v4 rpf_v6" 32 32 NUM_NETIFS=6 33 33 source lib.sh 34 34 source tc_common.sh ··· 46 46 47 47 ip route add 2001:db8:2::/64 vrf v$h1 nexthop via 2001:db8:1::1 48 48 ip route add 2001:db8:3::/64 vrf v$h1 nexthop via 2001:db8:1::1 49 + 50 + tc qdisc add dev $h1 ingress 49 51 } 50 52 51 53 h1_destroy() 52 54 { 55 + tc qdisc del dev $h1 ingress 56 + 53 57 ip route del 2001:db8:3::/64 vrf v$h1 54 58 ip route del 2001:db8:2::/64 vrf v$h1 55 59 ··· 128 124 ip address add 2001:db8:1::1/64 dev $rp1 129 125 ip address add 2001:db8:2::1/64 dev $rp2 130 126 ip address add 2001:db8:3::1/64 dev $rp3 127 + 128 + tc qdisc add dev $rp3 ingress 131 129 } 132 130 133 131 router_destroy() 134 132 { 133 + tc qdisc del dev $rp3 ingress 134 + 135 135 ip address del 2001:db8:3::1/64 dev $rp3 136 136 ip address del 2001:db8:2::1/64 dev $rp2 137 137 ip address del 2001:db8:1::1/64 dev $rp1 ··· 307 299 tc filter del dev $h2 ingress protocol ipv6 pref 1 handle 122 flower 308 300 309 301 log_test "mcast IPv6" 302 + } 303 + 304 + rpf_v4() 305 + { 306 + # Add a multicast route from first router port to the other two. Send 307 + # matching packets and test that both hosts receive them. Then, send 308 + # the same packets via the third router port and test that they do not 309 + # reach any host due to RPF check. A filter with 'skip_hw' is added to 310 + # test that devices capable of multicast routing offload trap those 311 + # packets. The filter is essentialy a NOP in other scenarios. 312 + 313 + RET=0 314 + 315 + tc filter add dev $h1 ingress protocol ip pref 1 handle 1 flower \ 316 + dst_ip 225.1.2.3 ip_proto udp dst_port 12345 action drop 317 + tc filter add dev $h2 ingress protocol ip pref 1 handle 1 flower \ 318 + dst_ip 225.1.2.3 ip_proto udp dst_port 12345 action drop 319 + tc filter add dev $h3 ingress protocol ip pref 1 handle 1 flower \ 320 + dst_ip 225.1.2.3 ip_proto udp dst_port 12345 action drop 321 + tc filter add dev $rp3 ingress protocol ip pref 1 handle 1 flower \ 322 + skip_hw dst_ip 225.1.2.3 ip_proto udp dst_port 12345 action pass 323 + 324 + create_mcast_sg $rp1 198.51.100.2 225.1.2.3 $rp2 $rp3 325 + 326 + $MZ $h1 -c 5 -p 128 -t udp "ttl=10,sp=54321,dp=12345" \ 327 + -a 00:11:22:33:44:55 -b 01:00:5e:01:02:03 \ 328 + -A 198.51.100.2 -B 225.1.2.3 -q 329 + 330 + tc_check_packets "dev $h2 ingress" 1 5 331 + check_err $? "Multicast not received on first host" 332 + tc_check_packets "dev $h3 ingress" 1 5 333 + check_err $? "Multicast not received on second host" 334 + 335 + $MZ $h3 -c 5 -p 128 -t udp "ttl=10,sp=54321,dp=12345" \ 336 + -a 00:11:22:33:44:55 -b 01:00:5e:01:02:03 \ 337 + -A 198.51.100.2 -B 225.1.2.3 -q 338 + 339 + tc_check_packets "dev $h1 ingress" 1 0 340 + check_err $? "Multicast received on first host when should not" 341 + tc_check_packets "dev $h2 ingress" 1 5 342 + check_err $? "Multicast received on second host when should not" 343 + tc_check_packets "dev $rp3 ingress" 1 5 344 + check_err $? "Packets not trapped due to RPF check" 345 + 346 + delete_mcast_sg $rp1 198.51.100.2 225.1.2.3 $rp2 $rp3 347 + 348 + tc filter del dev $rp3 ingress protocol ip pref 1 handle 1 flower 349 + tc filter del dev $h3 ingress protocol ip pref 1 handle 1 flower 350 + tc filter del dev $h2 ingress protocol ip pref 1 handle 1 flower 351 + tc filter del dev $h1 ingress protocol ip pref 1 handle 1 flower 352 + 353 + log_test "RPF IPv4" 354 + } 355 + 356 + rpf_v6() 357 + { 358 + RET=0 359 + 360 + tc filter add dev $h1 ingress protocol ipv6 pref 1 handle 1 flower \ 361 + dst_ip ff0e::3 ip_proto udp dst_port 12345 action drop 362 + tc filter add dev $h2 ingress protocol ipv6 pref 1 handle 1 flower \ 363 + dst_ip ff0e::3 ip_proto udp dst_port 12345 action drop 364 + tc filter add dev $h3 ingress protocol ipv6 pref 1 handle 1 flower \ 365 + dst_ip ff0e::3 ip_proto udp dst_port 12345 action drop 366 + tc filter add dev $rp3 ingress protocol ipv6 pref 1 handle 1 flower \ 367 + skip_hw dst_ip ff0e::3 ip_proto udp dst_port 12345 action pass 368 + 369 + create_mcast_sg $rp1 2001:db8:1::2 ff0e::3 $rp2 $rp3 370 + 371 + $MZ $h1 -6 -c 5 -p 128 -t udp "ttl=10,sp=54321,dp=12345" \ 372 + -a 00:11:22:33:44:55 -b 33:33:00:00:00:03 \ 373 + -A 2001:db8:1::2 -B ff0e::3 -q 374 + 375 + tc_check_packets "dev $h2 ingress" 1 5 376 + check_err $? "Multicast not received on first host" 377 + tc_check_packets "dev $h3 ingress" 1 5 378 + check_err $? "Multicast not received on second host" 379 + 380 + $MZ $h3 -6 -c 5 -p 128 -t udp "ttl=10,sp=54321,dp=12345" \ 381 + -a 00:11:22:33:44:55 -b 33:33:00:00:00:03 \ 382 + -A 2001:db8:1::2 -B ff0e::3 -q 383 + 384 + tc_check_packets "dev $h1 ingress" 1 0 385 + check_err $? "Multicast received on first host when should not" 386 + tc_check_packets "dev $h2 ingress" 1 5 387 + check_err $? "Multicast received on second host when should not" 388 + tc_check_packets "dev $rp3 ingress" 1 5 389 + check_err $? "Packets not trapped due to RPF check" 390 + 391 + delete_mcast_sg $rp1 2001:db8:1::2 ff0e::3 $rp2 $rp3 392 + 393 + tc filter del dev $rp3 ingress protocol ipv6 pref 1 handle 1 flower 394 + tc filter del dev $h3 ingress protocol ipv6 pref 1 handle 1 flower 395 + tc filter del dev $h2 ingress protocol ipv6 pref 1 handle 1 flower 396 + tc filter del dev $h1 ingress protocol ipv6 pref 1 handle 1 flower 397 + 398 + log_test "RPF IPv6" 310 399 } 311 400 312 401 trap cleanup EXIT