Date: Thu, 22 Sep 2022 22:35:02 +0200
From: netdev@kapio-technology.com
To: Ido Schimmel
Cc: Vladimir Oltean, davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, Florian Fainelli, Andrew Lunn, Vivien Didelot, Eric Dumazet, Paolo Abeni, Kurt Kanzenbach, Hauke Mehrtens, Woojung Huh, UNGLinuxDriver@microchip.com, Sean Wang, Landen Chao, DENG Qingfang, Matthias Brugger, Claudiu Manoil, Alexandre Belloni, Jiri Pirko, Ivan Vecera, Roopa Prabhu, Nikolay Aleksandrov, Shuah Khan, Christian Marangi, Daniel Borkmann, Yuwei Wang, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v5 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests
References: <5cee059b65f6f7671e099150f9da79c1@kapio-technology.com> <8dfc9b525f084fa5ad55019f4418a35e@kapio-technology.com> <20220908112044.czjh3xkzb4r27ohq@skbuf> <152c0ceadefbd742331c340bec2f50c0@kapio-technology.com> <20220911001346.qno33l47i6nvgiwy@skbuf> <15ee472a68beca4a151118179da5e663@kapio-technology.com> <086704ce7f323cc1b3cca78670b42095@kapio-technology.com>

On 2022-09-21 09:15, Ido Schimmel wrote:
> On Tue, Sep 20, 2022 at 11:29:12PM +0200, netdev@kapio-technology.com
> wrote:
>> I have made a blackhole selftest, which looks like this:
>>
>> test_blackhole_fdb()
>> {
>> 	RET=0
>>
>> 	check_blackhole_fdb_support || return 0
>>
>> 	tcpdump_start $h2
>> 	$MZ $h1 -q -t udp -a $h1 -b $h2
>
> I don't think you can give an interface name to '-a' and '-b'?
>
>> 	tcpdump_stop
>> 	tcpdump_show | grep -q udp
>> 	check_err $? "test_blackhole_fdb: No packet seen on initial"
>> 	tcpdump_cleanup
>>
>> 	bridge fdb add `mac_get $h2` dev br0 blackhole
>> 	bridge fdb show dev br0 | grep -q "blackhole"
>
> Make this grep more specific so that we are sure it is the entry user
> space installed. Something like this:
>
> bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
>
>> 	check_err $? "test_blackhole_fdb: No blackhole FDB entry found"
>>
>> 	tcpdump_start $h2
>> 	$MZ $h1 -q -t udp -a $h1 -b $h2
>> 	tcpdump_stop
>> 	tcpdump_show | grep -q udp
>> 	check_fail $? "test_blackhole_fdb: packet seen with blackhole fdb entry"
>> 	tcpdump_cleanup
>
> The tcpdump filter is not specific enough. It can catch other UDP
> packets (e.g., multicast) being received by $h2. Anyway, to be sure the
> feature works as expected we need to make sure that the packets are not
> even egressing $swp2. Checking that they are not received by $h2 is not
> enough. See this (untested) suggestion [1] that uses a tc filter on the
> egress of $swp2.
>
>>
>> 	bridge fdb del `mac_get $h2` dev br0 blackhole
>> 	bridge fdb show dev br0 | grep -q "blackhole"
>> 	check_fail $? "test_blackhole_fdb: Blackhole FDB entry not deleted"
>>
>> 	tcpdump_start $h2
>> 	$MZ $h1 -q -t udp -a $h1 -b $h2
>> 	tcpdump_stop
>> 	tcpdump_show | grep -q udp
>> 	check_err $? "test_blackhole_fdb: No packet seen after removing blackhole FDB entry"
>> 	tcpdump_cleanup
>>
>> 	log_test "Blackhole FDB entry test"
>> }
>>
>> the setup is simple and is the same as in bridge_sticky_fdb.sh.
>>
>> Does the test look sound or are there obvious mistakes?
>
> [1]
> blackhole_fdb()
> {
> 	RET=0
>
> 	tc filter add dev $swp2 egress protocol ip pref 1 handle 1 flower \
> 		dst_ip 192.0.2.2 ip_proto udp dst_port 12345 action pass
>
> 	$MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
> 		-a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
>
> 	tc_check_packets "dev $swp2 egress" 1 1
> 	check_err $? "Packet not seen on egress before adding blackhole entry"
>
> 	bridge fdb add `mac_get $h2` dev br0 blackhole
> 	bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
> 	check_err $? "Blackhole entry not found"
>
> 	$MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
> 		-a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
>
> 	tc_check_packets "dev $swp2 egress" 1 1
> 	check_err $? "Packet seen on egress after adding blackhole entry"
>
> 	# Check blackhole entries can be replaced.
> 	bridge fdb replace `mac_get $h2` dev $swp2 master static
> 	bridge fdb get `mac_get $h2` br br0 | grep -q blackhole
> 	check_fail $? "Blackhole entry found after replacement"
>
> 	$MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \
> 		-a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q
>
> 	tc_check_packets "dev $swp2 egress" 1 2
> 	check_err $? "Packet not seen on egress after replacing blackhole entry"
>
> 	bridge fdb del `mac_get $h2` dev $swp2 master static
> 	tc filter del dev $swp2 egress protocol ip pref 1 handle 1 flower
>
> 	log_test "Blackhole FDB entry"
> }

Thx, looks good. I have tried to run the test as far as I can manually, but I don't seem to have 'busywait' in the system, which tc_check_packets() depends on, and I couldn't find any 'busywait' in Buildroot.
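On the 'busywait' dependency: in the kernel forwarding selftests it is a shell function defined in tools/testing/selftests/net/forwarding/lib.sh (sourced by every test), not a separate package, so no Buildroot package provides it. The block below is an added, self-contained example of the same polling pattern that tc_check_packets relies on, written for this reply and not taken from lib.sh; the file-backed counter (counter_get/counter_set, COUNTER_DIR) is a constructed stand-in for a tc filter's hit statistics, and busywait/until_counter_is/check_packets are this example's own simplified versions of the lib.sh helpers.

```shell
# Added example, not the kernel's lib.sh: a polling helper in the spirit of
# the forwarding selftests' busywait()/until_counter_is(), with a constructed
# file-backed counter standing in for tc rule hit statistics.

# busywait TIMEOUT_MS CMD [ARGS...]
# Re-run CMD until it succeeds or TIMEOUT_MS elapses (polled every 100 ms).
# Prints CMD's last output; returns 0 on success, 1 on timeout.
busywait()
{
	local timeout_ms=$1; shift
	local elapsed_ms=0 out
	while :; do
		if out=$("$@"); then
			printf '%s' "$out"
			return 0
		fi
		if [ "$elapsed_ms" -ge "$timeout_ms" ]; then
			printf '%s' "$out"
			return 1
		fi
		sleep 0.1
		elapsed_ms=$((elapsed_ms + 100))
	done
}

# until_counter_is OP WANT CMD [ARGS...]
# Read a counter with CMD, print it, and succeed only if "counter OP WANT"
# holds, where OP is a test(1) operator such as -eq or -ge.
until_counter_is()
{
	local op=$1 want=$2; shift 2
	local current
	current=$("$@") || return 1
	printf '%s' "$current"
	[ "$current" "$op" "$want" ]
}

# Constructed stand-in for a tc filter's packet counter: one file per
# "handle" in a temp dir (a real test would read `tc -s filter show`).
COUNTER_DIR=$(mktemp -d)
trap 'rm -rf "$COUNTER_DIR"' EXIT
counter_get() { cat "$COUNTER_DIR/$1" 2>/dev/null || echo 0; }
counter_set() { echo "$2" > "$COUNTER_DIR/$1"; }

# check_packets HANDLE COUNT: like tc_check_packets, wait up to 500 ms for
# the counter behind HANDLE to equal COUNT. Returns 0 on hit, 1 on timeout.
check_packets() { busywait 500 until_counter_is -eq "$2" counter_get "$1" > /dev/null; }
```

Because the predicate is retried until the timeout, a counter that is updated slightly after the packet is sent (as hardware-offloaded stats often are) still passes, while a counter that never reaches the expected value fails after 500 ms instead of hanging.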