Add macsec_traffic.py using NetDrvEpEnv to verify VLAN filter propagation through offloaded macsec devices via actual traffic.
Test creates macsec tunnels with matching SAs on both endpoints, stacks VLANs on top, and verifies connectivity with ping. Covers: - Offloaded macsec with VLAN (filters propagate to HW) - Software macsec with VLAN (no HW filter propagation) - Toggle offload on/off and verify traffic still works On netdevsim this is a smoke test (stub offload, no real encryption). On real hardware this validates actual VLAN filter propagation. Signed-off-by: Cosmin Ratiu <[email protected]> --- tools/testing/selftests/drivers/net/macsec.py | 126 ++++++++++++++++++ 1 file changed, 126 insertions(+) diff --git a/tools/testing/selftests/drivers/net/macsec.py b/tools/testing/selftests/drivers/net/macsec.py index a17b9f7ef584..68915caca7fd 100755 --- a/tools/testing/selftests/drivers/net/macsec.py +++ b/tools/testing/selftests/drivers/net/macsec.py @@ -6,10 +6,14 @@ import os from lib.py import ksft_run, ksft_exit, ksft_eq, ksft_raises +from lib.py import ksft_variants, KsftNamedVariant from lib.py import CmdExitFailure, KsftSkipEx from lib.py import NetDrvEpEnv from lib.py import cmd, ip, defer, ethtool +MACSEC_KEY = "12345678901234567890123456789012" +MACSEC_VLAN_VID = 10 + # Unique prefix per run to avoid collisions in the shared netns. # Keep it short: IFNAMSIZ is 16 (incl. NUL), and VLAN names append ".<vid>". MACSEC_PFX = f"ms{os.getpid()}_" @@ -25,6 +29,16 @@ def _get_macsec_offload(dev): return info.get("linkinfo", {}).get("info_data", {}).get("offload") +def _require_ip_macsec(cfg): + """SKIP if iproute2 on local or remote lacks 'ip macsec' support.""" + for host in [None, cfg.remote]: + out = cmd("ip macsec help", fail=False, host=host) + if "macsec" not in out.stdout + out.stderr: + where = "remote" if host else "local" + raise KsftSkipEx(f"iproute2 too old on {where}," + " missing macsec support") + + def _require_ip_macsec_offload(): """SKIP if local iproute2 doesn't understand 'ip macsec offload'.""" out = cmd("ip macsec help", fail=False) @@ -44,6 +58,78 @@ def _require_macsec_offload(cfg): raise KsftSkipEx("macsec-hw-offload not supported") +def _get_mac(ifname, host=None): + """Gets MAC address of an interface.""" + dev = ip(f"-d link show dev {ifname}", json=True, host=host) + return dev[0]["address"] + + +def _setup_macsec_sa(cfg, name): + """Adds matching TX/RX SAs on both ends.""" + local_mac = _get_mac(name) + remote_mac = _get_mac(name, host=cfg.remote) + + ip(f"macsec add {name} tx sa 0 pn 1 on key 01 {MACSEC_KEY}") + ip(f"macsec add {name} rx port 1 address {remote_mac}") + ip(f"macsec add {name} rx port 1 address {remote_mac} " + f"sa 0 pn 1 on key 02 {MACSEC_KEY}") + + ip(f"macsec add {name} tx sa 0 pn 1 on key 02 {MACSEC_KEY}", + host=cfg.remote) + ip(f"macsec add {name} rx port 1 address {local_mac}", host=cfg.remote) + ip(f"macsec add {name} rx port 1 address {local_mac} " + f"sa 0 pn 1 on key 01 {MACSEC_KEY}", host=cfg.remote) + + +def _setup_macsec_devs(cfg, name, offload): + """Creates macsec devices on both ends. + + Only the local device gets HW offload; the remote always uses software + MACsec since it may not support offload at all. + """ + offload_arg = "mac" if offload else "off" + + ip(f"link add link {cfg.ifname} {name} " + f"type macsec encrypt on offload {offload_arg}") + defer(ip, f"link del {name}") + ip(f"link add link {cfg.remote_ifname} {name} " + f"type macsec encrypt on", host=cfg.remote) + defer(ip, f"link del {name}", host=cfg.remote) + + +def _set_offload(name, offload): + """Sets offload on the local macsec device only.""" + offload_arg = "mac" if offload else "off" + + ip(f"link set {name} type macsec encrypt on offload {offload_arg}") + + +def _setup_vlans(cfg, name, vid): + """Adds VLANs on top of existing macsec devs.""" + vlan_name = f"{name}.{vid}" + + ip(f"link add link {name} {vlan_name} type vlan id {vid}") + defer(ip, f"link del {vlan_name}") + ip(f"link add link {name} {vlan_name} type vlan id {vid}", host=cfg.remote) + defer(ip, f"link del {vlan_name}", host=cfg.remote) + + +def _setup_vlan_ips(cfg, name, vid): + """Adds VLANs and IPs and brings up the macsec + VLAN devices.""" + local_ip = "198.51.100.1" + remote_ip = "198.51.100.2" + vlan_name = f"{name}.{vid}" + + ip(f"addr add {local_ip}/24 dev {vlan_name}") + ip(f"addr add {remote_ip}/24 dev {vlan_name}", host=cfg.remote) + ip(f"link set {name} up") + ip(f"link set {name} up", host=cfg.remote) + ip(f"link set {vlan_name} up") + ip(f"link set {vlan_name} up", host=cfg.remote) + + return vlan_name, remote_ip + + def test_offload_api(cfg) -> None: """MACsec offload API: create SecY, add SA/rx, toggle offload.""" @@ -164,6 +250,44 @@ def test_offload_state(cfg) -> None: "offload enabled after create: should be mac") +@ksft_variants([ + KsftNamedVariant("offloaded", True), + KsftNamedVariant("software", False), +]) +def test_vlan(cfg, offload) -> None: + """Ping through VLAN-over-macsec.""" + + _require_ip_macsec(cfg) + if offload: + _require_macsec_offload(cfg) + else: + _require_ip_macsec_offload() + name = _macsec_name() + _setup_macsec_devs(cfg, name, offload=offload) + _setup_macsec_sa(cfg, name) + _setup_vlans(cfg, name, MACSEC_VLAN_VID) + vlan_name, remote_ip = _setup_vlan_ips(cfg, name, MACSEC_VLAN_VID) + cmd(f"ping -I {vlan_name} -c 1 -W 5 {remote_ip}") + + +@ksft_variants([ + KsftNamedVariant("on_to_off", True), + KsftNamedVariant("off_to_on", False), +]) +def test_vlan_toggle(cfg, offload) -> None: + """Toggle offload: VLAN filters propagate/remove correctly.""" + + _require_ip_macsec(cfg) + _require_macsec_offload(cfg) + name = _macsec_name() + _setup_macsec_devs(cfg, name, offload=offload) + _setup_vlans(cfg, name, MACSEC_VLAN_VID) + _set_offload(name, offload=not offload) + vlan_name, remote_ip = _setup_vlan_ips(cfg, name, MACSEC_VLAN_VID) + _setup_macsec_sa(cfg, name) + cmd(f"ping -I {vlan_name} -c 1 -W 5 {remote_ip}") + + def main() -> None: """Main program.""" with NetDrvEpEnv(__file__) as cfg: @@ -171,6 +295,8 @@ def main() -> None: test_max_secy, test_max_sc, test_offload_state, + test_vlan, + test_vlan_toggle, ], args=(cfg,)) ksft_exit() -- 2.53.0
