From: Cosmin Ratiu <cratiu@nvidia.com>
To: <netdev@vger.kernel.org>
Cc: Sabrina Dubroca <sd@queasysnail.net>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
"Cosmin Ratiu" <cratiu@nvidia.com>,
Dragos Tatulea <dtatulea@nvidia.com>
Subject: [PATCH 2/3] selftests: Add MACsec VLAN propagation traffic test
Date: Fri, 13 Mar 2026 11:52:25 +0100 [thread overview]
Message-ID: <20260313105227.1884391-3-cratiu@nvidia.com> (raw)
In-Reply-To: <20260313105227.1884391-1-cratiu@nvidia.com>
Add macsec_traffic.py using NetDrvEpEnv to verify VLAN filter
propagation through offloaded macsec devices via actual traffic.
Test creates macsec tunnels with matching SAs on both endpoints,
stacks VLANs on top, and verifies connectivity with ping. Covers:
- Offloaded macsec with VLAN (filters propagate to HW)
- Software macsec with VLAN (no HW filter propagation)
- Toggle offload on/off and verify traffic still works
On netdevsim this is a smoke test (stub offload, no real encryption).
On real hardware this validates actual VLAN filter propagation.
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
---
tools/testing/selftests/drivers/net/Makefile | 1 +
.../selftests/drivers/net/macsec_traffic.py | 126 ++++++++++++++++++
2 files changed, 127 insertions(+)
create mode 100755 tools/testing/selftests/drivers/net/macsec_traffic.py
diff --git a/tools/testing/selftests/drivers/net/Makefile b/tools/testing/selftests/drivers/net/Makefile
index 511346b7d9ec..102aba3b2518 100644
--- a/tools/testing/selftests/drivers/net/Makefile
+++ b/tools/testing/selftests/drivers/net/Makefile
@@ -18,6 +18,7 @@ TEST_PROGS := \
gro.py \
hds.py \
macsec_api.py \
+ macsec_traffic.py \
napi_id.py \
napi_threaded.py \
netpoll_basic.py \
diff --git a/tools/testing/selftests/drivers/net/macsec_traffic.py b/tools/testing/selftests/drivers/net/macsec_traffic.py
new file mode 100755
index 000000000000..c446c264a749
--- /dev/null
+++ b/tools/testing/selftests/drivers/net/macsec_traffic.py
@@ -0,0 +1,126 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: GPL-2.0
+
+"""MACsec VLAN propagation traffic tests."""
+
+from lib.py import ksft_run, ksft_exit, ksft_pr, ksft_variants, KsftNamedVariant
+from lib.py import CmdExitFailure
+from lib.py import NetDrvEpEnv
+from lib.py import cmd, ip, defer
+from macsec_lib import require_macsec_offload
+
+MACSEC_KEY = "12345678901234567890123456789012"
+MACSEC_NAME = "macsec_t"
+MACSEC_VLAN_VID = 10
+
+
+def _get_mac(ifname, host=None):
+ """Gets MAC address of an interface."""
+ dev = ip(f"-d link show dev {ifname}", json=True, host=host)
+ return dev[0]["address"]
+
+
+def _setup_macsec_sa(cfg, name):
+ """Adds matching TX/RX SAs on both ends."""
+ local_mac = _get_mac(name)
+ remote_mac = _get_mac(name, host=cfg.remote)
+
+ ip(f"macsec add {name} tx sa 0 pn 1 on key 01 {MACSEC_KEY}")
+ ip(f"macsec add {name} rx port 1 address {remote_mac}")
+ ip(f"macsec add {name} rx port 1 address {remote_mac} "
+ f"sa 0 pn 1 on key 02 {MACSEC_KEY}")
+
+ ip(f"macsec add {name} tx sa 0 pn 1 on key 02 {MACSEC_KEY}",
+ host=cfg.remote)
+ ip(f"macsec add {name} rx port 1 address {local_mac}", host=cfg.remote)
+ ip(f"macsec add {name} rx port 1 address {local_mac} "
+ f"sa 0 pn 1 on key 01 {MACSEC_KEY}", host=cfg.remote)
+
+
+def _setup_macsec_devs(cfg, name, offload):
+ """Creates macsec devices on both ends."""
+ offload_arg = "mac" if offload else "off"
+ macsec_args = f"type macsec encrypt on offload {offload_arg}"
+
+ ip(f"link add link {cfg.ifname} {name} {macsec_args}")
+ defer(ip, f"link del {name}")
+ ip(f"link add link {cfg.remote_ifname} {name} {macsec_args}",
+ host=cfg.remote)
+ defer(ip, f"link del {name}", host=cfg.remote)
+
+
+def _set_offload(cfg, name, offload):
+ """Sets offload on both macsec devices."""
+ offload_arg = "mac" if offload else "off"
+
+ ip(f"link set {name} type macsec encrypt on offload {offload_arg}")
+ ip(f"link set {name} type macsec encrypt on offload {offload_arg}",
+ host=cfg.remote)
+
+
+def _setup_vlans(cfg, name, vid):
+ """Adds VLANs on top of existing macsec devs."""
+ vlan_name = f"{name}.{vid}"
+
+ ip(f"link add link {name} {vlan_name} type vlan id {vid}")
+ defer(ip, f"link del {vlan_name}")
+ ip(f"link add link {name} {vlan_name} type vlan id {vid}", host=cfg.remote)
+ defer(ip, f"link del {vlan_name}", host=cfg.remote)
+
+
+def _setup_vlan_ips(cfg, name, vid):
+ """Adds VLAN IPs."""
+ local_ip = f"10.0.{vid}.1"
+ remote_ip = f"10.0.{vid}.2"
+ vlan_name = f"{name}.{vid}"
+
+ ip(f"addr add {local_ip}/24 dev {vlan_name}")
+ ip(f"addr add {remote_ip}/24 dev {vlan_name}", host=cfg.remote)
+ ip(f"link set {name} up")
+ ip(f"link set {name} up", host=cfg.remote)
+ ip(f"link set {vlan_name} up")
+ ip(f"link set {vlan_name} up", host=cfg.remote)
+
+ return remote_ip
+
+
+@ksft_variants([
+ KsftNamedVariant("offloaded", True),
+ KsftNamedVariant("software", False),
+])
+def test_vlan(cfg, offload) -> None:
+ """Ping through VLAN-over-macsec."""
+
+ require_macsec_offload(cfg)
+ _setup_macsec_devs(cfg, MACSEC_NAME, offload=offload)
+ _setup_macsec_sa(cfg, MACSEC_NAME)
+ _setup_vlans(cfg, MACSEC_NAME, MACSEC_VLAN_VID)
+ remote_ip = _setup_vlan_ips(cfg, MACSEC_NAME, MACSEC_VLAN_VID)
+ cmd(f"ping -c 1 -W 5 {remote_ip}")
+
+
+@ksft_variants([
+ KsftNamedVariant("toggle_on", True),
+ KsftNamedVariant("toggle_off", False),
+])
+def test_vlan_toggle(cfg, offload) -> None:
+ """Toggle offload: VLAN filters propagate/remove correctly."""
+
+ require_macsec_offload(cfg)
+ _setup_macsec_devs(cfg, MACSEC_NAME, offload=offload)
+ _setup_vlans(cfg, MACSEC_NAME, MACSEC_VLAN_VID)
+ _set_offload(cfg, MACSEC_NAME, offload=not offload)
+ remote_ip = _setup_vlan_ips(cfg, MACSEC_NAME, MACSEC_VLAN_VID)
+ _setup_macsec_sa(cfg, MACSEC_NAME)
+ cmd(f"ping -c 1 -W 5 {remote_ip}")
+
+
+def main() -> None:
+ with NetDrvEpEnv(__file__) as cfg:
+ ksft_run([test_vlan,
+ test_vlan_toggle], args=(cfg,))
+ ksft_exit()
+
+
+if __name__ == "__main__":
+ main()
--
2.43.0
next prev parent reply other threads:[~2026-03-13 10:53 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-13 10:52 [PATCH 0/3] macsec: Add support for VLAN filtering in offload mode Cosmin Ratiu
2026-03-13 10:52 ` [PATCH 1/3] selftests: Migrate nsim-only MACsec tests to Python Cosmin Ratiu
2026-03-13 10:52 ` Cosmin Ratiu [this message]
2026-03-13 10:52 ` [PATCH 3/3] macsec: Support VLAN-filtering lower devices Cosmin Ratiu
2026-03-13 10:56 ` [PATCH 0/3] macsec: Add support for VLAN filtering in offload mode Cosmin Ratiu
2026-03-13 14:18 ` Cosmin Ratiu
2026-03-13 17:31 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260313105227.1884391-3-cratiu@nvidia.com \
--to=cratiu@nvidia.com \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=dtatulea@nvidia.com \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox