linux/tools/testing/selftests/drivers/net/mlxsw/spectrum-2/tc_flower.sh

#!/bin/bash
# SPDX-License-Identifier: GPL-2.0

# This test is for checking the A-TCAM and C-TCAM operation in Spectrum-2.
# It tries to exercise as many code paths in the eRP state machine as
# possible.

lib_dir=$(dirname $0)/../../../../net/forwarding

ALL_TESTS="single_mask_test identical_filters_test two_masks_test \
	multiple_masks_test ctcam_edge_cases_test delta_simple_test \
	delta_two_masks_one_key_test delta_simple_rehash_test \
	bloom_simple_test bloom_complex_test bloom_delta_test \
	max_erp_entries_test max_group_size_test collision_test"
NUM_NETIFS=2
source $lib_dir/lib.sh
source $lib_dir/tc_common.sh
source $lib_dir/devlink_lib.sh

tcflags="skip_hw"

h1_create()
{
	simple_if_init $h1 192.0.2.1/24 198.51.100.1/24
}

h1_destroy()
{
	simple_if_fini $h1 192.0.2.1/24 198.51.100.1/24
}

h2_create()
{
	simple_if_init $h2 192.0.2.2/24 198.51.100.2/24
	tc qdisc add dev $h2 clsact
}

h2_destroy()
{
	tc qdisc del dev $h2 clsact
	simple_if_fini $h2 192.0.2.2/24 198.51.100.2/24
}

tp_record()
{
	local tracepoint=$1
	local cmd=$2

	perf record -q -e $tracepoint $cmd
	return $?
}

tp_record_all()
{
	local tracepoint=$1
	local seconds=$2

	perf record -a -q -e $tracepoint sleep $seconds
	return $?
}

__tp_hit_count()
{
	local tracepoint=$1

	local perf_output=`perf script -F trace:event,trace`
	return `echo $perf_output | grep "$tracepoint:" | wc -l`
}

tp_check_hits()
{
	local tracepoint=$1
	local count=$2

	__tp_hit_count $tracepoint
	if [[ "$?" -ne "$count" ]]; then
		return 1
	fi
	return 0
}

tp_check_hits_any()
{
	local tracepoint=$1

	__tp_hit_count $tracepoint
	if [[ "$?" -eq "0" ]]; then
		return 1
	fi
	return 0
}

single_mask_test()
{
	# When only a single mask is required, the device uses the master
	# mask and not the eRP table. Verify that under this mode the right
	# filter is matched

	RET=0

	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
		$tcflags dst_ip 192.0.2.2 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_err $? "Single filter - did not match"

	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
		$tcflags dst_ip 198.51.100.2 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 2
	check_err $? "Two filters - did not match highest priority"

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 198.51.100.1 -B 198.51.100.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 102 1
	check_err $? "Two filters - did not match lowest priority"

	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 198.51.100.1 -B 198.51.100.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 102 2
	check_err $? "Single filter - did not match after delete"

	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower

	log_test "single mask test ($tcflags)"
}

identical_filters_test()
{
	# When two filters that only differ in their priority are used,
	# one needs to be inserted into the C-TCAM. This test verifies
	# that filters are correctly spilled to C-TCAM and that the right
	# filter is matched

	RET=0

	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
		$tcflags dst_ip 192.0.2.2 action drop
	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
		$tcflags dst_ip 192.0.2.2 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_err $? "Did not match A-TCAM filter"

	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 102 1
	check_err $? "Did not match C-TCAM filter after A-TCAM delete"

	tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \
		$tcflags dst_ip 192.0.2.2 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 102 2
	check_err $? "Did not match C-TCAM filter after A-TCAM add"

	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 103 1
	check_err $? "Did not match A-TCAM filter after C-TCAM delete"

	tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower

	log_test "identical filters test ($tcflags)"
}

two_masks_test()
{
	# When more than one mask is required, the eRP table is used. This
	# test verifies that the eRP table is correctly allocated and used

	RET=0

	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
		$tcflags dst_ip 192.0.2.2 action drop
	tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \
		$tcflags dst_ip 192.0.0.0/8 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_err $? "Two filters - did not match highest priority"

	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 103 1
	check_err $? "Single filter - did not match"

	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
		$tcflags dst_ip 192.0.2.0/24 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 102 1
	check_err $? "Two filters - did not match highest priority after add"

	tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower
	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower

	log_test "two masks test ($tcflags)"
}

multiple_masks_test()
{
	# The number of masks in a region is limited. Once the maximum
	# number of masks has been reached filters that require new
	# masks are spilled to the C-TCAM. This test verifies that
	# spillage is performed correctly and that the right filter is
	# matched

	if [[ "$tcflags" != "skip_sw" ]]; then
		return 0;
	fi

	local index

	RET=0

	NUM_MASKS=32
	NUM_ERPS=16
	BASE_INDEX=100

	for i in $(eval echo {1..$NUM_MASKS}); do
		index=$((BASE_INDEX - i))

		if ((i > NUM_ERPS)); then
			exp_hits=1
			err_msg="$i filters - C-TCAM spill did not happen when it was expected"
		else
			exp_hits=0
			err_msg="$i filters - C-TCAM spill happened when it should not"
		fi

		tp_record "mlxsw:mlxsw_sp_acl_atcam_entry_add_ctcam_spill" \
			"tc filter add dev $h2 ingress protocol ip pref $index \
				handle $index \
				flower $tcflags \
				dst_ip 192.0.2.2/${i} src_ip 192.0.2.1/${i} \
				action drop"
		tp_check_hits "mlxsw:mlxsw_sp_acl_atcam_entry_add_ctcam_spill" \
				$exp_hits
		check_err $? "$err_msg"

		$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 \
			-B 192.0.2.2 -t ip -q

		tc_check_packets "dev $h2 ingress" $index 1
		check_err $? "$i filters - did not match highest priority (add)"
	done

	for i in $(eval echo {$NUM_MASKS..1}); do
		index=$((BASE_INDEX - i))

		$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 \
			-B 192.0.2.2 -t ip -q

		tc_check_packets "dev $h2 ingress" $index 2
		check_err $? "$i filters - did not match highest priority (del)"

		tc filter del dev $h2 ingress protocol ip pref $index \
			handle $index flower
	done

	log_test "multiple masks test ($tcflags)"
}

ctcam_two_atcam_masks_test()
{
	RET=0

	# First case: C-TCAM is disabled when there are two A-TCAM masks.
	# We push a filter into the C-TCAM by using two identical filters
	# as in identical_filters_test()

	# Filter goes into A-TCAM
	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
		$tcflags dst_ip 192.0.2.2 action drop
	# Filter goes into C-TCAM
	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
		$tcflags dst_ip 192.0.2.2 action drop
	# Filter goes into A-TCAM
	tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \
		$tcflags dst_ip 192.0.0.0/16 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_err $? "Did not match A-TCAM filter"

	# Delete both A-TCAM and C-TCAM filters and make sure the remaining
	# A-TCAM filter still works
	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 103 1
	check_err $? "Did not match A-TCAM filter"

	tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower

	log_test "ctcam with two atcam masks test ($tcflags)"
}

ctcam_one_atcam_mask_test()
{
	RET=0

	# Second case: C-TCAM is disabled when there is one A-TCAM mask.
	# The test is similar to identical_filters_test()

	# Filter goes into A-TCAM
	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
		$tcflags dst_ip 192.0.2.2 action drop
	# Filter goes into C-TCAM
	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
		$tcflags dst_ip 192.0.2.2 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_err $? "Did not match C-TCAM filter"

	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 102 1
	check_err $? "Did not match A-TCAM filter"

	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower

	log_test "ctcam with one atcam mask test ($tcflags)"
}

ctcam_no_atcam_masks_test()
{
	RET=0

	# Third case: C-TCAM is disabled when there are no A-TCAM masks
	# This test exercises the code path that transitions the eRP table
	# to its initial state after deleting the last C-TCAM mask

	# Filter goes into A-TCAM
	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
		$tcflags dst_ip 192.0.2.2 action drop
	# Filter goes into C-TCAM
	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
		$tcflags dst_ip 192.0.2.2 action drop

	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower

	log_test "ctcam with no atcam masks test ($tcflags)"
}

ctcam_edge_cases_test()
{
	# When the C-TCAM is disabled after deleting the last C-TCAM
	# mask, we want to make sure the eRP state machine is put in
	# the correct state

	ctcam_two_atcam_masks_test
	ctcam_one_atcam_mask_test
	ctcam_no_atcam_masks_test
}

delta_simple_test()
{
	# The first filter will create eRP, the second filter will fit into
	# the first eRP with delta. Remove the first rule then and check that
        # the eRP stays (referenced by the second filter).

	RET=0

	if [[ "$tcflags" != "skip_sw" ]]; then
		return 0;
	fi

	tp_record "objagg:*" "tc filter add dev $h2 ingress protocol ip \
		   pref 1 handle 101 flower $tcflags dst_ip 192.0.0.0/24 \
		   action drop"
	tp_check_hits "objagg:objagg_obj_root_create" 1
	check_err $? "eRP was not created"

	tp_record "objagg:*" "tc filter add dev $h2 ingress protocol ip \
		   pref 2 handle 102 flower $tcflags dst_ip 192.0.2.2 \
		   action drop"
	tp_check_hits "objagg:objagg_obj_root_create" 0
	check_err $? "eRP was incorrectly created"
	tp_check_hits "objagg:objagg_obj_parent_assign" 1
	check_err $? "delta was not created"

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_fail $? "Matched a wrong filter"

	tc_check_packets "dev $h2 ingress" 102 1
	check_err $? "Did not match on correct filter"

	tp_record "objagg:*" "tc filter del dev $h2 ingress protocol ip \
		   pref 1 handle 101 flower"
	tp_check_hits "objagg:objagg_obj_root_destroy" 0
	check_err $? "eRP was incorrectly destroyed"
	tp_check_hits "objagg:objagg_obj_parent_unassign" 0
	check_err $? "delta was incorrectly destroyed"

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 102 2
	check_err $? "Did not match on correct filter after the first was removed"

	tp_record "objagg:*" "tc filter del dev $h2 ingress protocol ip \
		   pref 2 handle 102 flower"
	tp_check_hits "objagg:objagg_obj_parent_unassign" 1
	check_err $? "delta was not destroyed"
	tp_check_hits "objagg:objagg_obj_root_destroy" 1
	check_err $? "eRP was not destroyed"

	log_test "delta simple test ($tcflags)"
}

delta_two_masks_one_key_test()
{
	# If 2 keys are the same and only differ in mask in a way that
	# they belong under the same ERP (second is delta of the first),
	# there should be C-TCAM spill.

	RET=0

	if [[ "$tcflags" != "skip_sw" ]]; then
		return 0;
	fi

	tp_record "mlxsw:*" "tc filter add dev $h2 ingress protocol ip \
		   pref 1 handle 101 flower $tcflags dst_ip 192.0.2.0/24 \
		   action drop"
	tp_check_hits "mlxsw:mlxsw_sp_acl_atcam_entry_add_ctcam_spill" 0
	check_err $? "incorrect C-TCAM spill while inserting the first rule"

	tp_record "mlxsw:*" "tc filter add dev $h2 ingress protocol ip \
		   pref 2 handle 102 flower $tcflags dst_ip 192.0.2.2 \
		   action drop"
	tp_check_hits "mlxsw:mlxsw_sp_acl_atcam_entry_add_ctcam_spill" 1
	check_err $? "C-TCAM spill did not happen while inserting the second rule"

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_err $? "Did not match on correct filter"

	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 102 1
	check_err $? "Did not match on correct filter"

	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower

	log_test "delta two masks one key test ($tcflags)"
}

delta_simple_rehash_test()
{
	RET=0

	if [[ "$tcflags" != "skip_sw" ]]; then
		return 0;
	fi

	devlink dev param set $DEVLINK_DEV \
		name acl_region_rehash_interval cmode runtime value 0
	check_err $? "Failed to set ACL region rehash interval"

	tp_record_all mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 7
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash
	check_fail $? "Rehash trace was hit even when rehash should be disabled"

	devlink dev param set $DEVLINK_DEV \
		name acl_region_rehash_interval cmode runtime value 3000
	check_err $? "Failed to set ACL region rehash interval"

	sleep 1

	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
		$tcflags dst_ip 192.0.1.0/25 action drop
	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
		$tcflags dst_ip 192.0.2.2 action drop
	tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \
		$tcflags dst_ip 192.0.3.0/24 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_fail $? "Matched a wrong filter"

	tc_check_packets "dev $h2 ingress" 103 1
	check_fail $? "Matched a wrong filter"

	tc_check_packets "dev $h2 ingress" 102 1
	check_err $? "Did not match on correct filter"

	tp_record_all mlxsw:* 3
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash
	check_err $? "Rehash trace was not hit"
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate
	check_err $? "Migrate trace was not hit"
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate_end
	check_err $? "Migrate end trace was not hit"
	tp_record_all mlxsw:* 3
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash
	check_err $? "Rehash trace was not hit"
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate
	check_fail $? "Migrate trace was hit when no migration should happen"
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate_end
	check_fail $? "Migrate end trace was hit when no migration should happen"

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_fail $? "Matched a wrong filter after rehash"

	tc_check_packets "dev $h2 ingress" 103 1
	check_fail $? "Matched a wrong filter after rehash"

	tc_check_packets "dev $h2 ingress" 102 2
	check_err $? "Did not match on correct filter after rehash"

	tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower
	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower

	log_test "delta simple rehash test ($tcflags)"
}

delta_simple_ipv6_rehash_test()
{
	RET=0

	if [[ "$tcflags" != "skip_sw" ]]; then
		return 0;
	fi

	devlink dev param set $DEVLINK_DEV \
		name acl_region_rehash_interval cmode runtime value 0
	check_err $? "Failed to set ACL region rehash interval"

	tp_record_all mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 7
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash
	check_fail $? "Rehash trace was hit even when rehash should be disabled"

	devlink dev param set $DEVLINK_DEV \
		name acl_region_rehash_interval cmode runtime value 3000
	check_err $? "Failed to set ACL region rehash interval"

	sleep 1

	tc filter add dev $h2 ingress protocol ipv6 pref 1 handle 101 flower \
		$tcflags dst_ip 2001:db8:1::0/121 action drop
	tc filter add dev $h2 ingress protocol ipv6 pref 2 handle 102 flower \
		$tcflags dst_ip 2001:db8:2::2 action drop
	tc filter add dev $h2 ingress protocol ipv6 pref 3 handle 103 flower \
		$tcflags dst_ip 2001:db8:3::0/120 action drop

	$MZ $h1 -6 -c 1 -p 64 -a $h1mac -b $h2mac \
		-A 2001:db8:2::1 -B 2001:db8:2::2 -t udp -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_fail $? "Matched a wrong filter"

	tc_check_packets "dev $h2 ingress" 103 1
	check_fail $? "Matched a wrong filter"

	tc_check_packets "dev $h2 ingress" 102 1
	check_err $? "Did not match on correct filter"

	tp_record_all mlxsw:* 3
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash
	check_err $? "Rehash trace was not hit"
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate
	check_err $? "Migrate trace was not hit"
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate_end
	check_err $? "Migrate end trace was not hit"
	tp_record_all mlxsw:* 3
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash
	check_err $? "Rehash trace was not hit"
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate
	check_fail $? "Migrate trace was hit when no migration should happen"
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_migrate_end
	check_fail $? "Migrate end trace was hit when no migration should happen"

	$MZ $h1 -6 -c 1 -p 64 -a $h1mac -b $h2mac \
		-A 2001:db8:2::1 -B 2001:db8:2::2 -t udp -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_fail $? "Matched a wrong filter after rehash"

	tc_check_packets "dev $h2 ingress" 103 1
	check_fail $? "Matched a wrong filter after rehash"

	tc_check_packets "dev $h2 ingress" 102 2
	check_err $? "Did not match on correct filter after rehash"

	tc filter del dev $h2 ingress protocol ipv6 pref 3 handle 103 flower
	tc filter del dev $h2 ingress protocol ipv6 pref 2 handle 102 flower
	tc filter del dev $h2 ingress protocol ipv6 pref 1 handle 101 flower

	log_test "delta simple IPv6 rehash test ($tcflags)"
}

TEST_RULE_BASE=256
declare -a test_rules_inserted

test_rule_add()
{
	local iface=$1
	local tcflags=$2
	local index=$3

	if ! [ ${test_rules_inserted[$index]} ] ; then
		test_rules_inserted[$index]=false
	fi
	if ${test_rules_inserted[$index]} ; then
		return
	fi

	local number=$(( $index + $TEST_RULE_BASE ))
	printf -v hexnumber '%x' $number

	batch="${batch}filter add dev $iface ingress protocol ipv6 pref 1 \
		handle $number flower $tcflags \
		src_ip 2001:db8:1::$hexnumber action drop\n"
	test_rules_inserted[$index]=true
}

test_rule_del()
{
	local iface=$1
	local index=$2

	if ! [ ${test_rules_inserted[$index]} ] ; then
		test_rules_inserted[$index]=false
	fi
	if ! ${test_rules_inserted[$index]} ; then
		return
	fi

	local number=$(( $index + $TEST_RULE_BASE ))
	printf -v hexnumber '%x' $number

	batch="${batch}filter del dev $iface ingress protocol ipv6 pref 1 \
		handle $number flower\n"
	test_rules_inserted[$index]=false
}

test_rule_add_or_remove()
{
	local iface=$1
	local tcflags=$2
	local index=$3

	if ! [ ${test_rules_inserted[$index]} ] ; then
		test_rules_inserted[$index]=false
	fi
	if ${test_rules_inserted[$index]} ; then
		test_rule_del $iface $index
	else
		test_rule_add $iface $tcflags $index
	fi
}

test_rule_add_or_remove_random_batch()
{
	local iface=$1
	local tcflags=$2
	local total_count=$3
	local skip=0
	local count=0
	local MAXSKIP=20
	local MAXCOUNT=20

	for ((i=1;i<=total_count;i++)); do
		if (( $skip == 0 )) && (($count == 0)); then
			((skip=$RANDOM % $MAXSKIP + 1))
			((count=$RANDOM % $MAXCOUNT + 1))
		fi
		if (( $skip != 0 )); then
			((skip-=1))
		else
			((count-=1))
			test_rule_add_or_remove $iface $tcflags $i
		fi
	done
}

delta_massive_ipv6_rehash_test()
{
	RET=0

	if [[ "$tcflags" != "skip_sw" ]]; then
		return 0;
	fi

	devlink dev param set $DEVLINK_DEV \
		name acl_region_rehash_interval cmode runtime value 0
	check_err $? "Failed to set ACL region rehash interval"

	tp_record_all mlxsw:mlxsw_sp_acl_tcam_vregion_rehash 7
	tp_check_hits_any mlxsw:mlxsw_sp_acl_tcam_vregion_rehash
	check_fail $? "Rehash trace was hit even when rehash should be disabled"

	RANDOM=4432897
	declare batch=""
	test_rule_add_or_remove_random_batch $h2 $tcflags 5000

	echo -n -e $batch | tc -b -

	declare batch=""
	test_rule_add_or_remove_random_batch $h2 $tcflags 5000

	devlink dev param set $DEVLINK_DEV \
		name acl_region_rehash_interval cmode runtime value 3000
	check_err $? "Failed to set ACL region rehash interval"

	sleep 1

	tc filter add dev $h2 ingress protocol ipv6 pref 1 handle 101 flower \
		$tcflags dst_ip 2001:db8:1::0/121 action drop
	tc filter add dev $h2 ingress protocol ipv6 pref 2 handle 102 flower \
		$tcflags dst_ip 2001:db8:2::2 action drop
	tc filter add dev $h2 ingress protocol ipv6 pref 3 handle 103 flower \
		$tcflags dst_ip 2001:db8:3::0/120 action drop

	$MZ $h1 -6 -c 1 -p 64 -a $h1mac -b $h2mac \
		-A 2001:db8:2::1 -B 2001:db8:2::2 -t udp -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_fail $? "Matched a wrong filter"

	tc_check_packets "dev $h2 ingress" 103 1
	check_fail $? "Matched a wrong filter"

	tc_check_packets "dev $h2 ingress" 102 1
	check_err $? "Did not match on correct filter"

	echo -n -e $batch | tc -b -

	devlink dev param set $DEVLINK_DEV \
		name acl_region_rehash_interval cmode runtime value 0
	check_err $? "Failed to set ACL region rehash interval"

	$MZ $h1 -6 -c 1 -p 64 -a $h1mac -b $h2mac \
		-A 2001:db8:2::1 -B 2001:db8:2::2 -t udp -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_fail $? "Matched a wrong filter after rehash"

	tc_check_packets "dev $h2 ingress" 103 1
	check_fail $? "Matched a wrong filter after rehash"

	tc_check_packets "dev $h2 ingress" 102 2
	check_err $? "Did not match on correct filter after rehash"

	tc filter del dev $h2 ingress protocol ipv6 pref 3 handle 103 flower
	tc filter del dev $h2 ingress protocol ipv6 pref 2 handle 102 flower
	tc filter del dev $h2 ingress protocol ipv6 pref 1 handle 101 flower

	declare batch=""
	for i in {1..5000}; do
		test_rule_del $h2 $tcflags $i
	done
	echo -e $batch | tc -b -

	log_test "delta massive IPv6 rehash test ($tcflags)"
}

bloom_simple_test()
{
	# Bloom filter requires that the eRP table is used. This test
	# verifies that Bloom filter is not harming correctness of ACLs.
	# First, make sure that eRP table is used and then set rule patterns
	# which are distant enough and will result skipping a lookup after
	# consulting the Bloom filter. Although some eRP lookups are skipped,
	# the correct filter should be hit.

	RET=0

	tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
		$tcflags dst_ip 192.0.2.2 action drop
	tc filter add dev $h2 ingress protocol ip pref 5 handle 104 flower \
		$tcflags dst_ip 198.51.100.2 action drop
	tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \
		$tcflags dst_ip 192.0.0.0/8 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 101 1
	check_err $? "Two filters - did not match highest priority"

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 198.51.100.1 -B 198.51.100.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 104 1
	check_err $? "Single filter - did not match"

	tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 103 1
	check_err $? "Low prio filter - did not match"

	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
		$tcflags dst_ip 198.0.0.0/8 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 198.51.100.1 -B 198.51.100.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 102 1
	check_err $? "Two filters - did not match highest priority after add"

	tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower
	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
	tc filter del dev $h2 ingress protocol ip pref 5 handle 104 flower

	log_test "bloom simple test ($tcflags)"
}

bloom_complex_test()
{
	# Bloom filter index computation is affected from region ID, eRP
	# ID and from the region key size. In order to exercise those parts
	# of the Bloom filter code, use a series of regions, each with a
	# different key size and send packet that should hit all of them.
	local index

	RET=0
	NUM_CHAINS=4
	BASE_INDEX=100

	# Create chain with up to 2 key blocks (ip_proto only)
	tc chain add dev $h2 ingress chain 1 protocol ip flower \
		ip_proto tcp &> /dev/null
	# Create chain with 2-4 key blocks (ip_proto, src MAC)
	tc chain add dev $h2 ingress chain 2 protocol ip flower \
		ip_proto tcp \
		src_mac 00:00:00:00:00:00/FF:FF:FF:FF:FF:FF &> /dev/null
	# Create chain with 4-8 key blocks (ip_proto, src & dst MAC, IPv4 dest)
	tc chain add dev $h2 ingress chain 3 protocol ip flower \
		ip_proto tcp \
		dst_mac 00:00:00:00:00:00/FF:FF:FF:FF:FF:FF \
		src_mac 00:00:00:00:00:00/FF:FF:FF:FF:FF:FF \
		dst_ip 0.0.0.0/32 &> /dev/null
	# Default chain contains all fields and therefore is 8-12 key blocks
	tc chain add dev $h2 ingress chain 4

	# We need at least 2 rules in every region to have eRP table active
	# so create a dummy rule per chain using a different pattern
	for i in $(eval echo {0..$NUM_CHAINS}); do
		index=$((BASE_INDEX - 1 - i))
		tc filter add dev $h2 ingress chain $i protocol ip \
			pref 2 handle $index flower \
			$tcflags ip_proto tcp action drop
	done

	# Add rules to test Bloom filter, each in a different chain
	index=$BASE_INDEX
	tc filter add dev $h2 ingress protocol ip \
		pref 1 handle $((++index)) flower \
		$tcflags dst_ip 192.0.0.0/16 action goto chain 1
	tc filter add dev $h2 ingress chain 1 protocol ip \
		pref 1 handle $((++index)) flower \
		$tcflags action goto chain 2
	tc filter add dev $h2 ingress chain 2 protocol ip \
		pref 1 handle $((++index)) flower \
		$tcflags src_mac $h1mac action goto chain 3
	tc filter add dev $h2 ingress chain 3 protocol ip \
		pref 1 handle $((++index)) flower \
		$tcflags dst_ip 192.0.0.0/8 action goto chain 4
	tc filter add dev $h2 ingress chain 4 protocol ip \
		pref 1 handle $((++index)) flower \
		$tcflags src_ip 192.0.2.0/24 action drop

	# Send a packet that is supposed to hit all chains
	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
		-t ip -q

	for i in $(eval echo {0..$NUM_CHAINS}); do
		index=$((BASE_INDEX + i + 1))
		tc_check_packets "dev $h2 ingress" $index 1
		check_err $? "Did not match chain $i"
	done

	# Rules cleanup
	for i in $(eval echo {$NUM_CHAINS..0}); do
		index=$((BASE_INDEX - i - 1))
		tc filter del dev $h2 ingress chain $i \
			pref 2 handle $index flower
		index=$((BASE_INDEX + i + 1))
		tc filter del dev $h2 ingress chain $i \
			pref 1 handle $index flower
	done

	# Chains cleanup
	for i in $(eval echo {$NUM_CHAINS..1}); do
		tc chain del dev $h2 ingress chain $i
	done

	log_test "bloom complex test ($tcflags)"
}


bloom_delta_test()
{
	# When multiple masks are used, the eRP table is activated. When
	# masks are close enough (delta) the masks reside on the same
	# eRP table. This test verifies that the eRP table is correctly
	# allocated and used in delta condition and that Bloom filter is
	# still functional with delta.

	RET=0

	tc filter add dev $h2 ingress protocol ip pref 3 handle 103 flower \
		$tcflags dst_ip 192.1.0.0/16 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.1.2.1 -B 192.1.2.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 103 1
	check_err $? "Single filter - did not match"

	tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
		$tcflags dst_ip 192.2.1.0/24 action drop

	$MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.2.1.1 -B 192.2.1.2 \
		-t ip -q

	tc_check_packets "dev $h2 ingress" 102 1
	check_err $? "Delta filters - did not match second filter"

	tc filter del dev $h2 ingress protocol ip pref 3 handle 103 flower
	tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower

	log_test "bloom delta test ($tcflags)"
}

max_erp_entries_test()
{
	# The number of eRP entries is limited. Once the maximum number of eRPs
	# has been reached, filters cannot be added. This test verifies that
	# when this limit is reached, inserstion fails without crashing.

	RET=0

	local num_masks=32
	local num_regions=15
	local chain_failed
	local mask_failed
	local ret

	if [[ "$tcflags" != "skip_sw" ]]; then
		return 0;
	fi

	for ((i=1; i < $num_regions; i++)); do
		for ((j=$num_masks; j >= 0; j--)); do
			tc filter add dev $h2 ingress chain $i protocol ip \
				pref $i	handle $j flower $tcflags \
				dst_ip 192.1.0.0/$j &> /dev/null
			ret=$?

			if [ $ret -ne 0 ]; then
				chain_failed=$i
				mask_failed=$j
				break 2
			fi
		done
	done

	# We expect to exceed the maximum number of eRP entries, so that
	# insertion eventually fails. Otherwise, the test should be adjusted to
	# add more filters.
	check_fail $ret "expected to exceed number of eRP entries"

	for ((; i >= 1; i--)); do
		for ((j=0; j <= $num_masks; j++)); do
			tc filter del dev $h2 ingress chain $i protocol ip \
				pref $i handle $j flower &> /dev/null
		done
	done

	log_test "max eRP entries test ($tcflags). " \
		"max chain $chain_failed, mask $mask_failed"
}

max_group_size_test()
{
	# The number of ACLs in an ACL group is limited. Once the maximum
	# number of ACLs has been reached, filters cannot be added. This test
	# verifies that when this limit is reached, insertion fails without
	# crashing.

	RET=0

	local num_acls=32
	local max_size
	local ret

	if [[ "$tcflags" != "skip_sw" ]]; then
		return 0;
	fi

	for ((i=1; i < $num_acls; i++)); do
		if [[ $(( i % 2 )) == 1 ]]; then
			tc filter add dev $h2 ingress pref $i proto ipv4 \
				flower $tcflags dst_ip 198.51.100.1/32 \
				ip_proto tcp tcp_flags 0x01/0x01 \
				action drop &> /dev/null
		else
			tc filter add dev $h2 ingress pref $i proto ipv6 \
				flower $tcflags dst_ip 2001:db8:1::1/128 \
				action drop &> /dev/null
		fi

		ret=$?
		[[ $ret -ne 0 ]] && max_size=$((i - 1)) && break
	done

	# We expect to exceed the maximum number of ACLs in a group, so that
	# insertion eventually fails. Otherwise, the test should be adjusted to
	# add more filters.
	check_fail $ret "expected to exceed number of ACLs in a group"

	for ((; i >= 1; i--)); do
		if [[ $(( i % 2 )) == 1 ]]; then
			tc filter del dev $h2 ingress pref $i proto ipv4 \
				flower $tcflags dst_ip 198.51.100.1/32 \
				ip_proto tcp tcp_flags 0x01/0x01 \
				action drop &> /dev/null
		else
			tc filter del dev $h2 ingress pref $i proto ipv6 \
				flower $tcflags dst_ip 2001:db8:1::1/128 \
				action drop &> /dev/null
		fi
	done

	log_test "max ACL group size test ($tcflags). max size $max_size"
}

collision_test()
{
	# Filters cannot share an eRP if in the common unmasked part (i.e.,
	# without the delta bits) they have the same values. If the driver does
	# not prevent such configuration (by spilling into the C-TCAM), then
	# multiple entries will be present in the device with the same key,
	# leading to collisions and a reduced scale.
	#
	# Create such a scenario and make sure all the filters are successfully
	# added.

	RET=0

	local ret

	if [[ "$tcflags" != "skip_sw" ]]; then
		return 0;
	fi

	# Add a single dst_ip/24 filter and multiple dst_ip/32 filters that all
	# have the same values in the common unmasked part (dst_ip/24).

	tc filter add dev $h2 ingress pref 1 proto ipv4 handle 101 \
		flower $tcflags dst_ip 198.51.100.0/24 \
		action drop

	for i in {0..255}; do
		tc filter add dev $h2 ingress pref 2 proto ipv4 \
			handle $((102 + i)) \
			flower $tcflags dst_ip 198.51.100.${i}/32 \
			action drop
		ret=$?
		[[ $ret -ne 0 ]] && break
	done

	check_err $ret "failed to add all the filters"

	for i in {255..0}; do
		tc filter del dev $h2 ingress pref 2 proto ipv4 \
			handle $((102 + i)) flower
	done

	tc filter del dev $h2 ingress pref 1 proto ipv4 handle 101 flower

	log_test "collision test ($tcflags)"
}

setup_prepare()
{
	h1=${NETIFS[p1]}
	h2=${NETIFS[p2]}
	h1mac=$(mac_get $h1)
	h2mac=$(mac_get $h2)

	vrf_prepare

	h1_create
	h2_create
}

cleanup()
{
	pre_cleanup

	h2_destroy
	h1_destroy

	vrf_cleanup
}

trap cleanup EXIT

setup_prepare
setup_wait

tests_run

if ! tc_offload_check; then
	check_err 1 "Could not test offloaded functionality"
	log_test "mlxsw-specific tests for tc flower"
	exit
else
	tcflags="skip_sw"
	tests_run
fi

exit $EXIT_STATUS