[PATCH net 0/2] mlxsw: spectrum: Forward packets with an IPv4 link-local source IP

[PATCH net 0/2] mlxsw: spectrum: Forward packets with an IPv4 link-local source IP

[Petr Machata]

By default, Spectrum devices do not forward IPv4 packets with a link-local
source IP (i.e., 169.254.0.0/16). This behavior does not align with the
kernel which does forward them. Fix the issue and add a selftest.

Ido Schimmel (2):
  mlxsw: spectrum: Forward packets with an IPv4 link-local source IP
  selftest: forwarding: router: Add a test case for IPv4 link-local
    source IP

 .../net/ethernet/mellanox/mlxsw/spectrum.c    |  2 ++
 drivers/net/ethernet/mellanox/mlxsw/trap.h    |  1 +
 .../selftests/net/forwarding/router.sh        | 23 +++++++++++++++++++
 3 files changed, 26 insertions(+)

-- 
2.49.0

[PATCH net 1/2] mlxsw: spectrum: Forward packets with an IPv4 link-local source IP

[Petr Machata]

From: Ido Schimmel <idosch@nvidia.com>

By default, the device does not forward IPv4 packets with a link-local
source IP (i.e., 169.254.0.0/16). This behavior does not align with the
kernel which does forward them.

Fix by instructing the device to forward such packets instead of
dropping them.

Fixes: ca360db4b825 ("mlxsw: spectrum: Disable DIP_LINK_LOCAL check in hardware pipeline")
Reported-by: Zoey Mertes <zoey@cloudflare.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
---
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 2 ++
 drivers/net/ethernet/mellanox/mlxsw/trap.h     | 1 +
 2 files changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
index 618957d65663..9a2d64a0a858 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
@@ -2375,6 +2375,8 @@ static const struct mlxsw_listener mlxsw_sp_listener[] = {
 			     ROUTER_EXP, false),
 	MLXSW_SP_RXL_NO_MARK(DISCARD_ING_ROUTER_DIP_LINK_LOCAL, FORWARD,
 			     ROUTER_EXP, false),
+	MLXSW_SP_RXL_NO_MARK(DISCARD_ING_ROUTER_SIP_LINK_LOCAL, FORWARD,
+			     ROUTER_EXP, false),
 	/* Multicast Router Traps */
 	MLXSW_SP_RXL_MARK(ACL1, TRAP_TO_CPU, MULTICAST, false),
 	MLXSW_SP_RXL_L3_MARK(ACL2, TRAP_TO_CPU, MULTICAST, false),
diff --git a/drivers/net/ethernet/mellanox/mlxsw/trap.h b/drivers/net/ethernet/mellanox/mlxsw/trap.h
index 80ee5c4825dc..9962dc157901 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/trap.h
+++ b/drivers/net/ethernet/mellanox/mlxsw/trap.h
@@ -94,6 +94,7 @@ enum {
 	MLXSW_TRAP_ID_DISCARD_ING_ROUTER_IPV4_SIP_BC = 0x16A,
 	MLXSW_TRAP_ID_DISCARD_ING_ROUTER_IPV4_DIP_LOCAL_NET = 0x16B,
 	MLXSW_TRAP_ID_DISCARD_ING_ROUTER_DIP_LINK_LOCAL = 0x16C,
+	MLXSW_TRAP_ID_DISCARD_ING_ROUTER_SIP_LINK_LOCAL = 0x16D,
 	MLXSW_TRAP_ID_DISCARD_ROUTER_IRIF_EN = 0x178,
 	MLXSW_TRAP_ID_DISCARD_ROUTER_ERIF_EN = 0x179,
 	MLXSW_TRAP_ID_DISCARD_ROUTER_LPM4 = 0x17B,
-- 
2.49.0

[PATCH net 2/2] selftest: forwarding: router: Add a test case for IPv4 link-local source IP

[Petr Machata]

From: Ido Schimmel <idosch@nvidia.com>

Add a test case which checks that packets with an IPv4 link-local source
IP are forwarded and not dropped.

Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
---
 .../selftests/net/forwarding/router.sh        | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/tools/testing/selftests/net/forwarding/router.sh b/tools/testing/selftests/net/forwarding/router.sh
index b98ea9449b8b..95ded264328f 100755
--- a/tools/testing/selftests/net/forwarding/router.sh
+++ b/tools/testing/selftests/net/forwarding/router.sh
@@ -18,6 +18,8 @@
 # | 2001:db8:1::1/64                             2001:db8:2::1/64   |
 # |                                                                 |
 # +-----------------------------------------------------------------+
+#
+#shellcheck disable=SC2034 # SC doesn't see our uses of global variables
 
 ALL_TESTS="
 	ping_ipv4
@@ -27,6 +29,7 @@ ALL_TESTS="
 	ipv4_sip_equal_dip
 	ipv6_sip_equal_dip
 	ipv4_dip_link_local
+	ipv4_sip_link_local
 "
 
 NUM_NETIFS=4
@@ -330,6 +333,26 @@ ipv4_dip_link_local()
 	tc filter del dev $rp2 egress protocol ip pref 1 handle 101 flower
 }
 
+ipv4_sip_link_local()
+{
+	local sip=169.254.1.1
+
+	RET=0
+
+	tc filter add dev "$rp2" egress protocol ip pref 1 handle 101 \
+		flower src_ip "$sip" action pass
+
+	$MZ "$h1" -t udp "sp=54321,dp=12345" -c 5 -d 1msec -b "$rp1mac" \
+		-A "$sip" -B 198.51.100.2 -q
+
+	tc_check_packets "dev $rp2 egress" 101 5
+	check_err $? "Packets were dropped"
+
+	log_test "IPv4 source IP is link-local"
+
+	tc filter del dev "$rp2" egress protocol ip pref 1 handle 101 flower
+}
+
 trap cleanup EXIT
 
 setup_prepare
-- 
2.49.0

Re: [PATCH net 2/2] selftest: forwarding: router: Add a test case for IPv4 link-local source IP

[Jakub Kicinski]

On Wed, 13 Aug 2025 13:47:09 +0200 Petr Machata wrote:
> From: Ido Schimmel <idosch@nvidia.com>
> 
> Add a test case which checks that packets with an IPv4 link-local source
> IP are forwarded and not dropped.

The new test case doesn't pass for us:

# 22.73 [+2.13] TEST: IPv4 source IP is link-local                                  [FAIL]
# 22.74 [+0.01] Packets were dropped
not ok 1 selftests: net/forwarding: router.sh # exit=1

https://netdev-3.bots.linux.dev/vmksft-forwarding-dbg/results/251622/97-router-sh/stdout

LMK if this is an infra problem, I'll hide the series for now:
pw-bot: cr

Re: [PATCH net 2/2] selftest: forwarding: router: Add a test case for IPv4 link-local source IP

[Ido Schimmel]

On Wed, Aug 13, 2025 at 01:40:37PM -0700, Jakub Kicinski wrote:
> On Wed, 13 Aug 2025 13:47:09 +0200 Petr Machata wrote:
> > From: Ido Schimmel <idosch@nvidia.com>
> > 
> > Add a test case which checks that packets with an IPv4 link-local source
> > IP are forwarded and not dropped.
> 
> The new test case doesn't pass for us:
> 
> # 22.73 [+2.13] TEST: IPv4 source IP is link-local                                  [FAIL]
> # 22.74 [+0.01] Packets were dropped
> not ok 1 selftests: net/forwarding: router.sh # exit=1
> 
> https://netdev-3.bots.linux.dev/vmksft-forwarding-dbg/results/251622/97-router-sh/stdout
> 
> LMK if this is an infra problem, I'll hide the series for now:
> pw-bot: cr

Seems that we need to disable rp_filter to prevent packets from getting
dropped on ingress. Can you test the following diff or should we just
post a v2?

diff --git a/tools/testing/selftests/net/forwarding/router.sh b/tools/testing/selftests/net/forwarding/router.sh
index 50d362ced430..b409680bec1d 100755
--- a/tools/testing/selftests/net/forwarding/router.sh
+++ b/tools/testing/selftests/net/forwarding/router.sh
@@ -337,6 +337,10 @@ ipv4_sip_link_local()
 
 	RET=0
 
+	# Disable rpfilter to prevent packets to be dropped because of it.
+	sysctl_set net.ipv4.conf.all.rp_filter 0
+	sysctl_set net.ipv4.conf."$rp1".rp_filter 0
+
 	tc filter add dev "$rp2" egress protocol ip pref 1 handle 101 \
 		flower src_ip "$sip" action pass
 
@@ -349,6 +353,8 @@ ipv4_sip_link_local()
 	log_test "IPv4 source IP is link-local"
 
 	tc filter del dev "$rp2" egress protocol ip pref 1 handle 101 flower
+	sysctl_restore net.ipv4.conf."$rp1".rp_filter
+	sysctl_restore net.ipv4.conf.all.rp_filter
 }
 
 trap cleanup EXIT

Re: [PATCH net 2/2] selftest: forwarding: router: Add a test case for IPv4 link-local source IP

[Jakub Kicinski]

On Thu, 14 Aug 2025 10:35:27 +0300 Ido Schimmel wrote:
> > The new test case doesn't pass for us:
> > 
> > # 22.73 [+2.13] TEST: IPv4 source IP is link-local                                  [FAIL]
> > # 22.74 [+0.01] Packets were dropped
> > not ok 1 selftests: net/forwarding: router.sh # exit=1
> > 
> > https://netdev-3.bots.linux.dev/vmksft-forwarding-dbg/results/251622/97-router-sh/stdout
> > 
> > LMK if this is an infra problem, I'll hide the series for now:
> > pw-bot: cr  
> 
> Seems that we need to disable rp_filter to prevent packets from getting
> dropped on ingress. Can you test the following diff or should we just
> post a v2?

Tested, rp_filter fixes the new case!