diff mbox series

[net,13/17] selftests: forwarding: tc_tunnel_key: Make filters more specific

Message ID 20230802075118.409395-14-idosch@nvidia.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series selftests: forwarding: Various fixes | expand

Checks

Context Check Description
netdev/series_format fail Series longer than 15 patches (and no cover letter)
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 9 this patch: 9
netdev/cc_maintainers warning 2 maintainers not CCed: shuah@kernel.org linux-kselftest@vger.kernel.org
netdev/build_clang success Errors and warnings before: 9 this patch: 9
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success net selftest script(s) already in Makefile
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 9 this patch: 9
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 17 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Ido Schimmel Aug. 2, 2023, 7:51 a.m. UTC 
The test installs filters that match on various IP fragments (e.g., no
fragment, first fragment) and expects a certain amount of packets to hit
each filter. This is problematic as the filters are not specific enough
and can match IP packets (e.g., IGMP) generated by the stack, resulting
in failures [1].

Fix by making the filters more specific and match on more fields in the
IP header: Source IP, destination IP and protocol.

[1]
 # timeout set to 0
 # selftests: net/forwarding: tc_tunnel_key.sh
 # TEST: tunnel_key nofrag (skip_hw)                                   [FAIL]
 #       packet smaller than MTU was not tunneled
 # INFO: Could not test offloaded functionality
 not ok 89 selftests: net/forwarding: tc_tunnel_key.sh # exit=1

Fixes: 533a89b1940f ("selftests: forwarding: add tunnel_key "nofrag" test case")
Reported-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
Closes: https://lore.kernel.org/netdev/adc5e40d-d040-a65e-eb26-edf47dac5b02@alu.unizg.hr/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
---
Cc: dcaratti@redhat.com
---
 tools/testing/selftests/net/forwarding/tc_tunnel_key.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

Comments

Davide Caratti Aug. 2, 2023, 8:30 a.m. UTC | #1 
On Wed, Aug 02, 2023 at 10:51:14AM +0300, Ido Schimmel wrote:
> The test installs filters that match on various IP fragments (e.g., no
> fragment, first fragment) and expects a certain amount of packets to hit
> each filter. This is problematic as the filters are not specific enough
> and can match IP packets (e.g., IGMP) generated by the stack, resulting
> in failures [1].

[...]

> --- a/tools/testing/selftests/net/forwarding/tc_tunnel_key.sh
> +++ b/tools/testing/selftests/net/forwarding/tc_tunnel_key.sh
> @@ -104,11 +104,14 @@ tunnel_key_nofrag_test()
>  	local i
>  
>  	tc filter add dev $swp1 ingress protocol ip pref 100 handle 100 \
> -		flower ip_flags nofrag action drop
> +		flower src_ip 192.0.2.1 dst_ip 192.0.2.2 ip_proto udp \
> +		ip_flags nofrag action drop
>  	tc filter add dev $swp1 ingress protocol ip pref 101 handle 101 \
> -		flower ip_flags firstfrag action drop
> +		flower src_ip 192.0.2.1 dst_ip 192.0.2.2 ip_proto udp \
> +		ip_flags firstfrag action drop
>  	tc filter add dev $swp1 ingress protocol ip pref 102 handle 102 \
> -		flower ip_flags nofirstfrag action drop
> +		flower src_ip 192.0.2.1 dst_ip 192.0.2.2 ip_proto udp \
> +		ip_flags nofirstfrag action drop


hello Ido, my 2 cents:

is it safe to match on the UDP protocol without changing the mausezahn
command line? I see that it's generating generic IP packets at the
moment (i.e. it does '-t ip'). Maybe it's more robust to change
the test to generate ICMP and then match on the ICMP protocol?

thanks!
Ido Schimmel Aug. 2, 2023, 8:37 a.m. UTC | #2 
On Wed, Aug 02, 2023 at 10:30:52AM +0200, Davide Caratti wrote:
> On Wed, Aug 02, 2023 at 10:51:14AM +0300, Ido Schimmel wrote:
> > The test installs filters that match on various IP fragments (e.g., no
> > fragment, first fragment) and expects a certain amount of packets to hit
> > each filter. This is problematic as the filters are not specific enough
> > and can match IP packets (e.g., IGMP) generated by the stack, resulting
> > in failures [1].
> 
> [...]
> 
> > --- a/tools/testing/selftests/net/forwarding/tc_tunnel_key.sh
> > +++ b/tools/testing/selftests/net/forwarding/tc_tunnel_key.sh
> > @@ -104,11 +104,14 @@ tunnel_key_nofrag_test()
> >  	local i
> >  
> >  	tc filter add dev $swp1 ingress protocol ip pref 100 handle 100 \
> > -		flower ip_flags nofrag action drop
> > +		flower src_ip 192.0.2.1 dst_ip 192.0.2.2 ip_proto udp \
> > +		ip_flags nofrag action drop
> >  	tc filter add dev $swp1 ingress protocol ip pref 101 handle 101 \
> > -		flower ip_flags firstfrag action drop
> > +		flower src_ip 192.0.2.1 dst_ip 192.0.2.2 ip_proto udp \
> > +		ip_flags firstfrag action drop
> >  	tc filter add dev $swp1 ingress protocol ip pref 102 handle 102 \
> > -		flower ip_flags nofirstfrag action drop
> > +		flower src_ip 192.0.2.1 dst_ip 192.0.2.2 ip_proto udp \
> > +		ip_flags nofirstfrag action drop
> 
> 
> hello Ido, my 2 cents:
> 
> is it safe to match on the UDP protocol without changing the mausezahn
> command line? I see that it's generating generic IP packets at the
> moment (i.e. it does '-t ip'). Maybe it's more robust to change
> the test to generate ICMP and then match on the ICMP protocol?

My understanding of the test is that it's transmitting IP packets on the
VXLAN device and what $swp1 sees are the encapsulated packets (UDP).
Davide Caratti Aug. 2, 2023, 8:52 a.m. UTC | #3 
On Wed, Aug 2, 2023 at 10:38 AM Ido Schimmel <idosch@idosch.org> wrote:
>
> On Wed, Aug 02, 2023 at 10:30:52AM +0200, Davide Caratti wrote:

[...]

> >
> > hello Ido, my 2 cents:
> >
> > is it safe to match on the UDP protocol without changing the mausezahn
> > command line? I see that it's generating generic IP packets at the
> > moment (i.e. it does '-t ip'). Maybe it's more robust to change
> > the test to generate ICMP and then match on the ICMP protocol?
>
> My understanding of the test is that it's transmitting IP packets on the
> VXLAN device and what $swp1 sees are the encapsulated packets (UDP).
>

Ah, right :) sorry for the noise!

Acked-by: Davide Caratti <dcaratti@redhat.com>
diff mbox series

Patch

diff --git a/tools/testing/selftests/net/forwarding/tc_tunnel_key.sh b/tools/testing/selftests/net/forwarding/tc_tunnel_key.sh
index 5ac184d51809..5a5dd9034819 100755
--- a/tools/testing/selftests/net/forwarding/tc_tunnel_key.sh
+++ b/tools/testing/selftests/net/forwarding/tc_tunnel_key.sh
@@ -104,11 +104,14 @@  tunnel_key_nofrag_test()
 	local i
 
 	tc filter add dev $swp1 ingress protocol ip pref 100 handle 100 \
-		flower ip_flags nofrag action drop
+		flower src_ip 192.0.2.1 dst_ip 192.0.2.2 ip_proto udp \
+		ip_flags nofrag action drop
 	tc filter add dev $swp1 ingress protocol ip pref 101 handle 101 \
-		flower ip_flags firstfrag action drop
+		flower src_ip 192.0.2.1 dst_ip 192.0.2.2 ip_proto udp \
+		ip_flags firstfrag action drop
 	tc filter add dev $swp1 ingress protocol ip pref 102 handle 102 \
-		flower ip_flags nofirstfrag action drop
+		flower src_ip 192.0.2.1 dst_ip 192.0.2.2 ip_proto udp \
+		ip_flags nofirstfrag action drop
 
 	# test 'nofrag' set
 	tc filter add dev h1-et egress protocol all pref 1 handle 1 matchall $tcflags \