1 #!/bin/bash 2 # SPDX-License-Identifier: GPL-2.0 3 # 4 # This test is for checking bridge neighbor suppression functionality. The 5 # topology consists of two bridges (VTEPs) connected using VXLAN. A single 6 # host is connected to each bridge over multiple VLANs. The test checks that 7 # ARP/NS messages from the first host are suppressed on the VXLAN port when 8 # should. 9 # 10 # +-----------------------+ +------------------------+ 11 # | h1 | | h2 | 12 # | | | | 13 # | + eth0.10 | | + eth0.10 | 14 # | | 192.0.2.1/28 | | | 192.0.2.2/28 | 15 # | | 2001:db8:1::1/64 | | | 2001:db8:1::2/64 | 16 # | | | | | | 17 # | | + eth0.20 | | | + eth0.20 | 18 # | \ | 192.0.2.17/28 | | \ | 192.0.2.18/28 | 19 # | \ | 2001:db8:2::1/64 | | \ | 2001:db8:2::2/64 | 20 # | \| | | \| | 21 # | + eth0 | | + eth0 | 22 # +----|------------------+ +----|-------------------+ 23 # | | 24 # | | 25 # +----|-------------------------------+ +----|-------------------------------+ 26 # | + swp1 + vx0 | | + swp1 + vx0 | 27 # | | | | | | | | 28 # | | br0 | | | | | | 29 # | +------------+-----------+ | | +------------+-----------+ | 30 # | | | | | | 31 # | | | | | | 32 # | +---+---+ | | +---+---+ | 33 # | | | | | | | | 34 # | | | | | | | | 35 # | + + | | + + | 36 # | br0.10 br0.20 | | br0.10 br0.20 | 37 # | | | | 38 # | 192.0.2.33 | | 192.0.2.34 | 39 # | + lo | | + lo | 40 # | | | | 41 # | | | | 42 # | 192.0.2.49/28 | | 192.0.2.50/28 | 43 # | veth0 +-------+ veth0 | 44 # | | | | 45 # | sw1 | | sw2 | 46 # +------------------------------------+ +------------------------------------+ 47 48 source lib.sh 49 ret=0 50 51 # All tests in this script. Can be overridden with -t option. 52 TESTS=" 53 neigh_suppress_arp 54 neigh_suppress_ns 55 neigh_vlan_suppress_arp 56 neigh_vlan_suppress_ns 57 " 58 VERBOSE=0 59 PAUSE_ON_FAIL=no 60 PAUSE=no 61 62 ################################################################################ 63 # Utilities 64 65 log_test() 66 { 67 local rc=$1 68 local expected=$2 69 local msg="$3" 70 71 if [ ${rc} -eq ${expected} ]; then 72 printf "TEST: %-60s [ OK ]\n" "${msg}" 73 nsuccess=$((nsuccess+1)) 74 else 75 ret=1 76 nfail=$((nfail+1)) 77 printf "TEST: %-60s [FAIL]\n" "${msg}" 78 if [ "$VERBOSE" = "1" ]; then 79 echo " rc=$rc, expected $expected" 80 fi 81 82 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then 83 echo 84 echo "hit enter to continue, 'q' to quit" 85 read a 86 [ "$a" = "q" ] && exit 1 87 fi 88 fi 89 90 if [ "${PAUSE}" = "yes" ]; then 91 echo 92 echo "hit enter to continue, 'q' to quit" 93 read a 94 [ "$a" = "q" ] && exit 1 95 fi 96 97 [ "$VERBOSE" = "1" ] && echo 98 } 99 100 run_cmd() 101 { 102 local cmd="$1" 103 local out 104 local stderr="2>/dev/null" 105 106 if [ "$VERBOSE" = "1" ]; then 107 printf "COMMAND: $cmd\n" 108 stderr= 109 fi 110 111 out=$(eval $cmd $stderr) 112 rc=$? 113 if [ "$VERBOSE" = "1" -a -n "$out" ]; then 114 echo " $out" 115 fi 116 117 return $rc 118 } 119 120 tc_check_packets() 121 { 122 local ns=$1; shift 123 local id=$1; shift 124 local handle=$1; shift 125 local count=$1; shift 126 local pkts 127 128 sleep 0.1 129 pkts=$(tc -n $ns -j -s filter show $id \ 130 | jq ".[] | select(.options.handle == $handle) | \ 131 .options.actions[0].stats.packets") 132 [[ $pkts == $count ]] 133 } 134 135 ################################################################################ 136 # Setup 137 138 setup_topo_ns() 139 { 140 local ns=$1; shift 141 142 ip netns exec $ns sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1 143 ip netns exec $ns sysctl -qw net.ipv6.conf.default.ignore_routes_with_linkdown=1 144 ip netns exec $ns sysctl -qw net.ipv6.conf.all.accept_dad=0 145 ip netns exec $ns sysctl -qw net.ipv6.conf.default.accept_dad=0 146 } 147 148 setup_topo() 149 { 150 local ns 151 152 setup_ns h1 h2 sw1 sw2 153 for ns in $h1 $h2 $sw1 $sw2; do 154 setup_topo_ns $ns 155 done 156 157 ip -n $h1 link add name eth0 type veth peer name swp1 netns $sw1 158 ip -n $sw1 link add name veth0 type veth peer name veth0 netns $sw2 159 ip -n $h2 link add name eth0 type veth peer name swp1 netns $sw2 160 } 161 162 setup_host_common() 163 { 164 local ns=$1; shift 165 local v4addr1=$1; shift 166 local v4addr2=$1; shift 167 local v6addr1=$1; shift 168 local v6addr2=$1; shift 169 170 ip -n $ns link set dev eth0 up 171 ip -n $ns link add link eth0 name eth0.10 up type vlan id 10 172 ip -n $ns link add link eth0 name eth0.20 up type vlan id 20 173 174 ip -n $ns address add $v4addr1 dev eth0.10 175 ip -n $ns address add $v4addr2 dev eth0.20 176 ip -n $ns address add $v6addr1 dev eth0.10 177 ip -n $ns address add $v6addr2 dev eth0.20 178 } 179 180 setup_h1() 181 { 182 local ns=$h1 183 local v4addr1=192.0.2.1/28 184 local v4addr2=192.0.2.17/28 185 local v6addr1=2001:db8:1::1/64 186 local v6addr2=2001:db8:2::1/64 187 188 setup_host_common $ns $v4addr1 $v4addr2 $v6addr1 $v6addr2 189 } 190 191 setup_h2() 192 { 193 local ns=$h2 194 local v4addr1=192.0.2.2/28 195 local v4addr2=192.0.2.18/28 196 local v6addr1=2001:db8:1::2/64 197 local v6addr2=2001:db8:2::2/64 198 199 setup_host_common $ns $v4addr1 $v4addr2 $v6addr1 $v6addr2 200 } 201 202 setup_sw_common() 203 { 204 local ns=$1; shift 205 local local_addr=$1; shift 206 local remote_addr=$1; shift 207 local veth_addr=$1; shift 208 local gw_addr=$1; shift 209 210 ip -n $ns address add $local_addr/32 dev lo 211 212 ip -n $ns link set dev veth0 up 213 ip -n $ns address add $veth_addr/28 dev veth0 214 ip -n $ns route add default via $gw_addr 215 216 ip -n $ns link add name br0 up type bridge vlan_filtering 1 \ 217 vlan_default_pvid 0 mcast_snooping 0 218 219 ip -n $ns link add link br0 name br0.10 up type vlan id 10 220 bridge -n $ns vlan add vid 10 dev br0 self 221 222 ip -n $ns link add link br0 name br0.20 up type vlan id 20 223 bridge -n $ns vlan add vid 20 dev br0 self 224 225 ip -n $ns link set dev swp1 up master br0 226 bridge -n $ns vlan add vid 10 dev swp1 227 bridge -n $ns vlan add vid 20 dev swp1 228 229 ip -n $ns link add name vx0 up master br0 type vxlan \ 230 local $local_addr dstport 4789 nolearning external 231 bridge -n $ns fdb add 00:00:00:00:00:00 dev vx0 self static \ 232 dst $remote_addr src_vni 10010 233 bridge -n $ns fdb add 00:00:00:00:00:00 dev vx0 self static \ 234 dst $remote_addr src_vni 10020 235 bridge -n $ns link set dev vx0 vlan_tunnel on learning off 236 237 bridge -n $ns vlan add vid 10 dev vx0 238 bridge -n $ns vlan add vid 10 dev vx0 tunnel_info id 10010 239 240 bridge -n $ns vlan add vid 20 dev vx0 241 bridge -n $ns vlan add vid 20 dev vx0 tunnel_info id 10020 242 } 243 244 setup_sw1() 245 { 246 local ns=$sw1 247 local local_addr=192.0.2.33 248 local remote_addr=192.0.2.34 249 local veth_addr=192.0.2.49 250 local gw_addr=192.0.2.50 251 252 setup_sw_common $ns $local_addr $remote_addr $veth_addr $gw_addr 253 } 254 255 setup_sw2() 256 { 257 local ns=$sw2 258 local local_addr=192.0.2.34 259 local remote_addr=192.0.2.33 260 local veth_addr=192.0.2.50 261 local gw_addr=192.0.2.49 262 263 setup_sw_common $ns $local_addr $remote_addr $veth_addr $gw_addr 264 } 265 266 setup() 267 { 268 set -e 269 270 setup_topo 271 setup_h1 272 setup_h2 273 setup_sw1 274 setup_sw2 275 276 sleep 5 277 278 set +e 279 } 280 281 cleanup() 282 { 283 cleanup_ns $h1 $h2 $sw1 $sw2 284 } 285 286 ################################################################################ 287 # Tests 288 289 neigh_suppress_arp_common() 290 { 291 local vid=$1; shift 292 local sip=$1; shift 293 local tip=$1; shift 294 local h2_mac 295 296 echo 297 echo "Per-port ARP suppression - VLAN $vid" 298 echo "----------------------------------" 299 300 run_cmd "tc -n $sw1 qdisc replace dev vx0 clsact" 301 run_cmd "tc -n $sw1 filter replace dev vx0 egress pref 1 handle 101 proto 0x0806 flower indev swp1 arp_tip $tip arp_sip $sip arp_op request action pass" 302 303 # Initial state - check that ARP requests are not suppressed and that 304 # ARP replies are received. 305 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip -I eth0.$vid $tip" 306 log_test $? 0 "arping" 307 tc_check_packets $sw1 "dev vx0 egress" 101 1 308 log_test $? 0 "ARP suppression" 309 310 # Enable neighbor suppression and check that nothing changes compared 311 # to the initial state. 312 run_cmd "bridge -n $sw1 link set dev vx0 neigh_suppress on" 313 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_suppress on\"" 314 log_test $? 0 "\"neigh_suppress\" is on" 315 316 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip -I eth0.$vid $tip" 317 log_test $? 0 "arping" 318 tc_check_packets $sw1 "dev vx0 egress" 101 2 319 log_test $? 0 "ARP suppression" 320 321 # Install an FDB entry for the remote host and check that nothing 322 # changes compared to the initial state. 323 h2_mac=$(ip -n $h2 -j -p link show eth0.$vid | jq -r '.[]["address"]') 324 run_cmd "bridge -n $sw1 fdb replace $h2_mac dev vx0 master static vlan $vid" 325 log_test $? 0 "FDB entry installation" 326 327 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip -I eth0.$vid $tip" 328 log_test $? 0 "arping" 329 tc_check_packets $sw1 "dev vx0 egress" 101 3 330 log_test $? 0 "ARP suppression" 331 332 # Install a neighbor on the matching SVI interface and check that ARP 333 # requests are suppressed. 334 run_cmd "ip -n $sw1 neigh replace $tip lladdr $h2_mac nud permanent dev br0.$vid" 335 log_test $? 0 "Neighbor entry installation" 336 337 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip -I eth0.$vid $tip" 338 log_test $? 0 "arping" 339 tc_check_packets $sw1 "dev vx0 egress" 101 3 340 log_test $? 0 "ARP suppression" 341 342 # Take the second host down and check that ARP requests are suppressed 343 # and that ARP replies are received. 344 run_cmd "ip -n $h2 link set dev eth0.$vid down" 345 log_test $? 0 "H2 down" 346 347 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip -I eth0.$vid $tip" 348 log_test $? 0 "arping" 349 tc_check_packets $sw1 "dev vx0 egress" 101 3 350 log_test $? 0 "ARP suppression" 351 352 run_cmd "ip -n $h2 link set dev eth0.$vid up" 353 log_test $? 0 "H2 up" 354 355 # Disable neighbor suppression and check that ARP requests are no 356 # longer suppressed. 357 run_cmd "bridge -n $sw1 link set dev vx0 neigh_suppress off" 358 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_suppress off\"" 359 log_test $? 0 "\"neigh_suppress\" is off" 360 361 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip -I eth0.$vid $tip" 362 log_test $? 0 "arping" 363 tc_check_packets $sw1 "dev vx0 egress" 101 4 364 log_test $? 0 "ARP suppression" 365 366 # Take the second host down and check that ARP requests are not 367 # suppressed and that ARP replies are not received. 368 run_cmd "ip -n $h2 link set dev eth0.$vid down" 369 log_test $? 0 "H2 down" 370 371 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip -I eth0.$vid $tip" 372 log_test $? 1 "arping" 373 tc_check_packets $sw1 "dev vx0 egress" 101 5 374 log_test $? 0 "ARP suppression" 375 } 376 377 neigh_suppress_arp() 378 { 379 local vid=10 380 local sip=192.0.2.1 381 local tip=192.0.2.2 382 383 neigh_suppress_arp_common $vid $sip $tip 384 385 vid=20 386 sip=192.0.2.17 387 tip=192.0.2.18 388 neigh_suppress_arp_common $vid $sip $tip 389 } 390 391 neigh_suppress_ns_common() 392 { 393 local vid=$1; shift 394 local saddr=$1; shift 395 local daddr=$1; shift 396 local maddr=$1; shift 397 local h2_mac 398 399 echo 400 echo "Per-port NS suppression - VLAN $vid" 401 echo "---------------------------------" 402 403 run_cmd "tc -n $sw1 qdisc replace dev vx0 clsact" 404 run_cmd "tc -n $sw1 filter replace dev vx0 egress pref 1 handle 101 proto ipv6 flower indev swp1 ip_proto icmpv6 dst_ip $maddr src_ip $saddr type 135 code 0 action pass" 405 406 # Initial state - check that NS messages are not suppressed and that ND 407 # messages are received. 408 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr -w 5000 $daddr eth0.$vid" 409 log_test $? 0 "ndisc6" 410 tc_check_packets $sw1 "dev vx0 egress" 101 1 411 log_test $? 0 "NS suppression" 412 413 # Enable neighbor suppression and check that nothing changes compared 414 # to the initial state. 415 run_cmd "bridge -n $sw1 link set dev vx0 neigh_suppress on" 416 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_suppress on\"" 417 log_test $? 0 "\"neigh_suppress\" is on" 418 419 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr -w 5000 $daddr eth0.$vid" 420 log_test $? 0 "ndisc6" 421 tc_check_packets $sw1 "dev vx0 egress" 101 2 422 log_test $? 0 "NS suppression" 423 424 # Install an FDB entry for the remote host and check that nothing 425 # changes compared to the initial state. 426 h2_mac=$(ip -n $h2 -j -p link show eth0.$vid | jq -r '.[]["address"]') 427 run_cmd "bridge -n $sw1 fdb replace $h2_mac dev vx0 master static vlan $vid" 428 log_test $? 0 "FDB entry installation" 429 430 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr -w 5000 $daddr eth0.$vid" 431 log_test $? 0 "ndisc6" 432 tc_check_packets $sw1 "dev vx0 egress" 101 3 433 log_test $? 0 "NS suppression" 434 435 # Install a neighbor on the matching SVI interface and check that NS 436 # messages are suppressed. 437 run_cmd "ip -n $sw1 neigh replace $daddr lladdr $h2_mac nud permanent dev br0.$vid" 438 log_test $? 0 "Neighbor entry installation" 439 440 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr -w 5000 $daddr eth0.$vid" 441 log_test $? 0 "ndisc6" 442 tc_check_packets $sw1 "dev vx0 egress" 101 3 443 log_test $? 0 "NS suppression" 444 445 # Take the second host down and check that NS messages are suppressed 446 # and that ND messages are received. 447 run_cmd "ip -n $h2 link set dev eth0.$vid down" 448 log_test $? 0 "H2 down" 449 450 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr -w 5000 $daddr eth0.$vid" 451 log_test $? 0 "ndisc6" 452 tc_check_packets $sw1 "dev vx0 egress" 101 3 453 log_test $? 0 "NS suppression" 454 455 run_cmd "ip -n $h2 link set dev eth0.$vid up" 456 log_test $? 0 "H2 up" 457 458 # Disable neighbor suppression and check that NS messages are no longer 459 # suppressed. 460 run_cmd "bridge -n $sw1 link set dev vx0 neigh_suppress off" 461 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_suppress off\"" 462 log_test $? 0 "\"neigh_suppress\" is off" 463 464 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr -w 5000 $daddr eth0.$vid" 465 log_test $? 0 "ndisc6" 466 tc_check_packets $sw1 "dev vx0 egress" 101 4 467 log_test $? 0 "NS suppression" 468 469 # Take the second host down and check that NS messages are not 470 # suppressed and that ND messages are not received. 471 run_cmd "ip -n $h2 link set dev eth0.$vid down" 472 log_test $? 0 "H2 down" 473 474 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr -w 5000 $daddr eth0.$vid" 475 log_test $? 2 "ndisc6" 476 tc_check_packets $sw1 "dev vx0 egress" 101 5 477 log_test $? 0 "NS suppression" 478 } 479 480 neigh_suppress_ns() 481 { 482 local vid=10 483 local saddr=2001:db8:1::1 484 local daddr=2001:db8:1::2 485 local maddr=ff02::1:ff00:2 486 487 neigh_suppress_ns_common $vid $saddr $daddr $maddr 488 489 vid=20 490 saddr=2001:db8:2::1 491 daddr=2001:db8:2::2 492 maddr=ff02::1:ff00:2 493 494 neigh_suppress_ns_common $vid $saddr $daddr $maddr 495 } 496 497 neigh_vlan_suppress_arp() 498 { 499 local vid1=10 500 local vid2=20 501 local sip1=192.0.2.1 502 local sip2=192.0.2.17 503 local tip1=192.0.2.2 504 local tip2=192.0.2.18 505 local h2_mac1 506 local h2_mac2 507 508 echo 509 echo "Per-{Port, VLAN} ARP suppression" 510 echo "--------------------------------" 511 512 run_cmd "tc -n $sw1 qdisc replace dev vx0 clsact" 513 run_cmd "tc -n $sw1 filter replace dev vx0 egress pref 1 handle 101 proto 0x0806 flower indev swp1 arp_tip $tip1 arp_sip $sip1 arp_op request action pass" 514 run_cmd "tc -n $sw1 filter replace dev vx0 egress pref 1 handle 102 proto 0x0806 flower indev swp1 arp_tip $tip2 arp_sip $sip2 arp_op request action pass" 515 516 h2_mac1=$(ip -n $h2 -j -p link show eth0.$vid1 | jq -r '.[]["address"]') 517 h2_mac2=$(ip -n $h2 -j -p link show eth0.$vid2 | jq -r '.[]["address"]') 518 run_cmd "bridge -n $sw1 fdb replace $h2_mac1 dev vx0 master static vlan $vid1" 519 run_cmd "bridge -n $sw1 fdb replace $h2_mac2 dev vx0 master static vlan $vid2" 520 run_cmd "ip -n $sw1 neigh replace $tip1 lladdr $h2_mac1 nud permanent dev br0.$vid1" 521 run_cmd "ip -n $sw1 neigh replace $tip2 lladdr $h2_mac2 nud permanent dev br0.$vid2" 522 523 # Enable per-{Port, VLAN} neighbor suppression and check that ARP 524 # requests are not suppressed and that ARP replies are received. 525 run_cmd "bridge -n $sw1 link set dev vx0 neigh_vlan_suppress on" 526 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_vlan_suppress on\"" 527 log_test $? 0 "\"neigh_vlan_suppress\" is on" 528 529 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip1 -I eth0.$vid1 $tip1" 530 log_test $? 0 "arping (VLAN $vid1)" 531 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip2 -I eth0.$vid2 $tip2" 532 log_test $? 0 "arping (VLAN $vid2)" 533 534 tc_check_packets $sw1 "dev vx0 egress" 101 1 535 log_test $? 0 "ARP suppression (VLAN $vid1)" 536 tc_check_packets $sw1 "dev vx0 egress" 102 1 537 log_test $? 0 "ARP suppression (VLAN $vid2)" 538 539 # Enable neighbor suppression on VLAN 10 and check that only on this 540 # VLAN ARP requests are suppressed. 541 run_cmd "bridge -n $sw1 vlan set vid $vid1 dev vx0 neigh_suppress on" 542 run_cmd "bridge -n $sw1 -d vlan show dev vx0 vid $vid1 | grep \"neigh_suppress on\"" 543 log_test $? 0 "\"neigh_suppress\" is on (VLAN $vid1)" 544 run_cmd "bridge -n $sw1 -d vlan show dev vx0 vid $vid2 | grep \"neigh_suppress off\"" 545 log_test $? 0 "\"neigh_suppress\" is off (VLAN $vid2)" 546 547 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip1 -I eth0.$vid1 $tip1" 548 log_test $? 0 "arping (VLAN $vid1)" 549 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip2 -I eth0.$vid2 $tip2" 550 log_test $? 0 "arping (VLAN $vid2)" 551 552 tc_check_packets $sw1 "dev vx0 egress" 101 1 553 log_test $? 0 "ARP suppression (VLAN $vid1)" 554 tc_check_packets $sw1 "dev vx0 egress" 102 2 555 log_test $? 0 "ARP suppression (VLAN $vid2)" 556 557 # Enable neighbor suppression on the port and check that it has no 558 # effect compared to previous state. 559 run_cmd "bridge -n $sw1 link set dev vx0 neigh_suppress on" 560 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_suppress on\"" 561 log_test $? 0 "\"neigh_suppress\" is on" 562 563 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip1 -I eth0.$vid1 $tip1" 564 log_test $? 0 "arping (VLAN $vid1)" 565 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip2 -I eth0.$vid2 $tip2" 566 log_test $? 0 "arping (VLAN $vid2)" 567 568 tc_check_packets $sw1 "dev vx0 egress" 101 1 569 log_test $? 0 "ARP suppression (VLAN $vid1)" 570 tc_check_packets $sw1 "dev vx0 egress" 102 3 571 log_test $? 0 "ARP suppression (VLAN $vid2)" 572 573 # Disable neighbor suppression on the port and check that it has no 574 # effect compared to previous state. 575 run_cmd "bridge -n $sw1 link set dev vx0 neigh_suppress off" 576 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_suppress off\"" 577 log_test $? 0 "\"neigh_suppress\" is off" 578 579 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip1 -I eth0.$vid1 $tip1" 580 log_test $? 0 "arping (VLAN $vid1)" 581 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip2 -I eth0.$vid2 $tip2" 582 log_test $? 0 "arping (VLAN $vid2)" 583 584 tc_check_packets $sw1 "dev vx0 egress" 101 1 585 log_test $? 0 "ARP suppression (VLAN $vid1)" 586 tc_check_packets $sw1 "dev vx0 egress" 102 4 587 log_test $? 0 "ARP suppression (VLAN $vid2)" 588 589 # Disable neighbor suppression on VLAN 10 and check that ARP requests 590 # are no longer suppressed on this VLAN. 591 run_cmd "bridge -n $sw1 vlan set vid $vid1 dev vx0 neigh_suppress off" 592 run_cmd "bridge -n $sw1 -d vlan show dev vx0 vid $vid1 | grep \"neigh_suppress off\"" 593 log_test $? 0 "\"neigh_suppress\" is off (VLAN $vid1)" 594 595 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip1 -I eth0.$vid1 $tip1" 596 log_test $? 0 "arping (VLAN $vid1)" 597 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip2 -I eth0.$vid2 $tip2" 598 log_test $? 0 "arping (VLAN $vid2)" 599 600 tc_check_packets $sw1 "dev vx0 egress" 101 2 601 log_test $? 0 "ARP suppression (VLAN $vid1)" 602 tc_check_packets $sw1 "dev vx0 egress" 102 5 603 log_test $? 0 "ARP suppression (VLAN $vid2)" 604 605 # Disable per-{Port, VLAN} neighbor suppression, enable neighbor 606 # suppression on the port and check that on both VLANs ARP requests are 607 # suppressed. 608 run_cmd "bridge -n $sw1 link set dev vx0 neigh_vlan_suppress off" 609 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_vlan_suppress off\"" 610 log_test $? 0 "\"neigh_vlan_suppress\" is off" 611 612 run_cmd "bridge -n $sw1 link set dev vx0 neigh_suppress on" 613 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_suppress on\"" 614 log_test $? 0 "\"neigh_suppress\" is on" 615 616 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip1 -I eth0.$vid1 $tip1" 617 log_test $? 0 "arping (VLAN $vid1)" 618 run_cmd "ip netns exec $h1 arping -q -b -c 1 -w 5 -s $sip2 -I eth0.$vid2 $tip2" 619 log_test $? 0 "arping (VLAN $vid2)" 620 621 tc_check_packets $sw1 "dev vx0 egress" 101 2 622 log_test $? 0 "ARP suppression (VLAN $vid1)" 623 tc_check_packets $sw1 "dev vx0 egress" 102 5 624 log_test $? 0 "ARP suppression (VLAN $vid2)" 625 } 626 627 neigh_vlan_suppress_ns() 628 { 629 local vid1=10 630 local vid2=20 631 local saddr1=2001:db8:1::1 632 local saddr2=2001:db8:2::1 633 local daddr1=2001:db8:1::2 634 local daddr2=2001:db8:2::2 635 local maddr=ff02::1:ff00:2 636 local h2_mac1 637 local h2_mac2 638 639 echo 640 echo "Per-{Port, VLAN} NS suppression" 641 echo "-------------------------------" 642 643 run_cmd "tc -n $sw1 qdisc replace dev vx0 clsact" 644 run_cmd "tc -n $sw1 filter replace dev vx0 egress pref 1 handle 101 proto ipv6 flower indev swp1 ip_proto icmpv6 dst_ip $maddr src_ip $saddr1 type 135 code 0 action pass" 645 run_cmd "tc -n $sw1 filter replace dev vx0 egress pref 1 handle 102 proto ipv6 flower indev swp1 ip_proto icmpv6 dst_ip $maddr src_ip $saddr2 type 135 code 0 action pass" 646 647 h2_mac1=$(ip -n $h2 -j -p link show eth0.$vid1 | jq -r '.[]["address"]') 648 h2_mac2=$(ip -n $h2 -j -p link show eth0.$vid2 | jq -r '.[]["address"]') 649 run_cmd "bridge -n $sw1 fdb replace $h2_mac1 dev vx0 master static vlan $vid1" 650 run_cmd "bridge -n $sw1 fdb replace $h2_mac2 dev vx0 master static vlan $vid2" 651 run_cmd "ip -n $sw1 neigh replace $daddr1 lladdr $h2_mac1 nud permanent dev br0.$vid1" 652 run_cmd "ip -n $sw1 neigh replace $daddr2 lladdr $h2_mac2 nud permanent dev br0.$vid2" 653 654 # Enable per-{Port, VLAN} neighbor suppression and check that NS 655 # messages are not suppressed and that ND messages are received. 656 run_cmd "bridge -n $sw1 link set dev vx0 neigh_vlan_suppress on" 657 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_vlan_suppress on\"" 658 log_test $? 0 "\"neigh_vlan_suppress\" is on" 659 660 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr1 -w 5000 $daddr1 eth0.$vid1" 661 log_test $? 0 "ndisc6 (VLAN $vid1)" 662 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr2 -w 5000 $daddr2 eth0.$vid2" 663 log_test $? 0 "ndisc6 (VLAN $vid2)" 664 665 tc_check_packets $sw1 "dev vx0 egress" 101 1 666 log_test $? 0 "NS suppression (VLAN $vid1)" 667 tc_check_packets $sw1 "dev vx0 egress" 102 1 668 log_test $? 0 "NS suppression (VLAN $vid2)" 669 670 # Enable neighbor suppression on VLAN 10 and check that only on this 671 # VLAN NS messages are suppressed. 672 run_cmd "bridge -n $sw1 vlan set vid $vid1 dev vx0 neigh_suppress on" 673 run_cmd "bridge -n $sw1 -d vlan show dev vx0 vid $vid1 | grep \"neigh_suppress on\"" 674 log_test $? 0 "\"neigh_suppress\" is on (VLAN $vid1)" 675 run_cmd "bridge -n $sw1 -d vlan show dev vx0 vid $vid2 | grep \"neigh_suppress off\"" 676 log_test $? 0 "\"neigh_suppress\" is off (VLAN $vid2)" 677 678 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr1 -w 5000 $daddr1 eth0.$vid1" 679 log_test $? 0 "ndisc6 (VLAN $vid1)" 680 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr2 -w 5000 $daddr2 eth0.$vid2" 681 log_test $? 0 "ndisc6 (VLAN $vid2)" 682 683 tc_check_packets $sw1 "dev vx0 egress" 101 1 684 log_test $? 0 "NS suppression (VLAN $vid1)" 685 tc_check_packets $sw1 "dev vx0 egress" 102 2 686 log_test $? 0 "NS suppression (VLAN $vid2)" 687 688 # Enable neighbor suppression on the port and check that it has no 689 # effect compared to previous state. 690 run_cmd "bridge -n $sw1 link set dev vx0 neigh_suppress on" 691 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_suppress on\"" 692 log_test $? 0 "\"neigh_suppress\" is on" 693 694 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr1 -w 5000 $daddr1 eth0.$vid1" 695 log_test $? 0 "ndisc6 (VLAN $vid1)" 696 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr2 -w 5000 $daddr2 eth0.$vid2" 697 log_test $? 0 "ndisc6 (VLAN $vid2)" 698 699 tc_check_packets $sw1 "dev vx0 egress" 101 1 700 log_test $? 0 "NS suppression (VLAN $vid1)" 701 tc_check_packets $sw1 "dev vx0 egress" 102 3 702 log_test $? 0 "NS suppression (VLAN $vid2)" 703 704 # Disable neighbor suppression on the port and check that it has no 705 # effect compared to previous state. 706 run_cmd "bridge -n $sw1 link set dev vx0 neigh_suppress off" 707 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_suppress off\"" 708 log_test $? 0 "\"neigh_suppress\" is off" 709 710 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr1 -w 5000 $daddr1 eth0.$vid1" 711 log_test $? 0 "ndisc6 (VLAN $vid1)" 712 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr2 -w 5000 $daddr2 eth0.$vid2" 713 log_test $? 0 "ndisc6 (VLAN $vid2)" 714 715 tc_check_packets $sw1 "dev vx0 egress" 101 1 716 log_test $? 0 "NS suppression (VLAN $vid1)" 717 tc_check_packets $sw1 "dev vx0 egress" 102 4 718 log_test $? 0 "NS suppression (VLAN $vid2)" 719 720 # Disable neighbor suppression on VLAN 10 and check that NS messages 721 # are no longer suppressed on this VLAN. 722 run_cmd "bridge -n $sw1 vlan set vid $vid1 dev vx0 neigh_suppress off" 723 run_cmd "bridge -n $sw1 -d vlan show dev vx0 vid $vid1 | grep \"neigh_suppress off\"" 724 log_test $? 0 "\"neigh_suppress\" is off (VLAN $vid1)" 725 726 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr1 -w 5000 $daddr1 eth0.$vid1" 727 log_test $? 0 "ndisc6 (VLAN $vid1)" 728 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr2 -w 5000 $daddr2 eth0.$vid2" 729 log_test $? 0 "ndisc6 (VLAN $vid2)" 730 731 tc_check_packets $sw1 "dev vx0 egress" 101 2 732 log_test $? 0 "NS suppression (VLAN $vid1)" 733 tc_check_packets $sw1 "dev vx0 egress" 102 5 734 log_test $? 0 "NS suppression (VLAN $vid2)" 735 736 # Disable per-{Port, VLAN} neighbor suppression, enable neighbor 737 # suppression on the port and check that on both VLANs NS messages are 738 # suppressed. 739 run_cmd "bridge -n $sw1 link set dev vx0 neigh_vlan_suppress off" 740 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_vlan_suppress off\"" 741 log_test $? 0 "\"neigh_vlan_suppress\" is off" 742 743 run_cmd "bridge -n $sw1 link set dev vx0 neigh_suppress on" 744 run_cmd "bridge -n $sw1 -d link show dev vx0 | grep \"neigh_suppress on\"" 745 log_test $? 0 "\"neigh_suppress\" is on" 746 747 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr1 -w 5000 $daddr1 eth0.$vid1" 748 log_test $? 0 "ndisc6 (VLAN $vid1)" 749 run_cmd "ip netns exec $h1 ndisc6 -q -r 1 -s $saddr2 -w 5000 $daddr2 eth0.$vid2" 750 log_test $? 0 "ndisc6 (VLAN $vid2)" 751 752 tc_check_packets $sw1 "dev vx0 egress" 101 2 753 log_test $? 0 "NS suppression (VLAN $vid1)" 754 tc_check_packets $sw1 "dev vx0 egress" 102 5 755 log_test $? 0 "NS suppression (VLAN $vid2)" 756 } 757 758 ################################################################################ 759 # Usage 760 761 usage() 762 { 763 cat <<EOF 764 usage: ${0##*/} OPTS 765 766 -t <test> Test(s) to run (default: all) 767 (options: $TESTS) 768 -p Pause on fail 769 -P Pause after each test before cleanup 770 -v Verbose mode (show commands and output) 771 EOF 772 } 773 774 ################################################################################ 775 # Main 776 777 trap cleanup EXIT 778 779 while getopts ":t:pPvh" opt; do 780 case $opt in 781 t) TESTS=$OPTARG;; 782 p) PAUSE_ON_FAIL=yes;; 783 P) PAUSE=yes;; 784 v) VERBOSE=$(($VERBOSE + 1));; 785 h) usage; exit 0;; 786 *) usage; exit 1;; 787 esac 788 done 789 790 # Make sure we don't pause twice. 791 [ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no 792 793 if [ "$(id -u)" -ne 0 ];then 794 echo "SKIP: Need root privileges" 795 exit $ksft_skip; 796 fi 797 798 if [ ! -x "$(command -v ip)" ]; then 799 echo "SKIP: Could not run test without ip tool" 800 exit $ksft_skip 801 fi 802 803 if [ ! -x "$(command -v bridge)" ]; then 804 echo "SKIP: Could not run test without bridge tool" 805 exit $ksft_skip 806 fi 807 808 if [ ! -x "$(command -v tc)" ]; then 809 echo "SKIP: Could not run test without tc tool" 810 exit $ksft_skip 811 fi 812 813 if [ ! -x "$(command -v arping)" ]; then 814 echo "SKIP: Could not run test without arping tool" 815 exit $ksft_skip 816 fi 817 818 if [ ! -x "$(command -v ndisc6)" ]; then 819 echo "SKIP: Could not run test without ndisc6 tool" 820 exit $ksft_skip 821 fi 822 823 if [ ! -x "$(command -v jq)" ]; then 824 echo "SKIP: Could not run test without jq tool" 825 exit $ksft_skip 826 fi 827 828 bridge link help 2>&1 | grep -q "neigh_vlan_suppress" 829 if [ $? -ne 0 ]; then 830 echo "SKIP: iproute2 bridge too old, missing per-VLAN neighbor suppression support" 831 exit $ksft_skip 832 fi 833 834 # Start clean. 835 cleanup 836 837 for t in $TESTS 838 do 839 setup; $t; cleanup; 840 done 841 842 if [ "$TESTS" != "none" ]; then 843 printf "\nTests passed: %3d\n" ${nsuccess} 844 printf "Tests failed: %3d\n" ${nfail} 845 fi 846 847 exit $ret
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.