On Fri, 20 Mar 2026 14:59:09 +0100 Justin Iurman <[email protected]> wrote:
> Extend srv6_hencap_red_l3vpn_test.sh to include checks for the new > "tunsrc" feature. If there is no support for tunsrc, it silently > falls back to the encap config without tunsrc. > > Cc: Shuah Khan <[email protected]> > Cc: [email protected] > Signed-off-by: Justin Iurman <[email protected]> > --- > .../net/srv6_hencap_red_l3vpn_test.sh | 95 ++++++++++++++++--- > 1 file changed, 82 insertions(+), 13 deletions(-) > Hi Justin, Thanks for the v4. Good job on the fallback logic. However, while reviewing and testing this v4 on a mixed setup (older kernel, newer iproute2), I noticed a specific case that slips through, unfortunately causing the baseline SRv6 tunnel tests to fail. Kernels that do not support tunsrc simply ignore the SEG6_IPTUNNEL_SRC attribute. If iproute2 sends it, the kernel installs the route without the tunsrc and returns 0 (success). As a result, check_tunsrc_support() ends up setting HAS_TUNSRC=true and installs DROP rules that block the baseline SRv6 traffic (please see below). > diff --git a/tools/testing/selftests/net/srv6_hencap_red_l3vpn_test.sh > b/tools/testing/selftests/net/srv6_hencap_red_l3vpn_test.sh > index 6a68c7eff1dc..a6e32279a1f7 100755 > --- a/tools/testing/selftests/net/srv6_hencap_red_l3vpn_test.sh > +++ b/tools/testing/selftests/net/srv6_hencap_red_l3vpn_test.sh 
> @@ -193,6 +193,8 @@ ret=${ksft_skip} > nsuccess=0 > nfail=0 > > +HAS_TUNSRC=false > + > > [snip] > > +# Before enabling tunsrc tests, make sure tunsrc and ip6tables are supported. > +check_tunsrc_support() > +{ > + setup_ns tunsrc_ns > + > + ip -netns "${tunsrc_ns}" link add veth0 type veth \ > + peer name veth1 netns "${tunsrc_ns}" > + > + ip -netns "${tunsrc_ns}" link set veth0 up > + > + if ! ip -netns "${tunsrc_ns}" -6 route add fc00::dead:beef/128 \ > + encap seg6 mode encap.red tunsrc fc00::1 segs fc00::2 \ > + dev veth0 &>/dev/null; then > + cleanup_ns "${tunsrc_ns}" > + return > + fi > + The easiest thing that comes to mind to solve this case is something like this (just an idea, feel free to adapt it, so we can be sure tunsrc was actually set): if ! ip -netns "${tunsrc_ns}" -6 route show | grep -q "tunsrc"; then cleanup_ns "${tunsrc_ns}" return fi > + if ! ip netns exec "${tunsrc_ns}" ip6tables -t raw -A PREROUTING \ > + -d fc00::dead:beef -j DROP &>/dev/null; then > + cleanup_ns "${tunsrc_ns}" > + return > + fi > + > + cleanup_ns "${tunsrc_ns}" > + HAS_TUNSRC=true > +} > + > [snip] > To close the loop, it makes sense to send a v5 to fully implement the fallback policy. There are also a couple of non-blocking nits you might want to consider for the v5 (they seem harmless anyway): 1) When $HAS_TUNSRC is false, adding the ::dead: addresses to the interfaces could be avoided; 2) There are duplicate DROP rules when __setup_rt_policy() is called multiple times for the same router. We are almost there. Thanks for your work on this! Ciao, Andrea
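Review bot: in check_tunsrc_support(), both early-return paths (after the failed `route add ... tunsrc` and after the failed `ip6tables -t raw -A PREROUTING` probe) leave HAS_TUNSRC=false without printing anything, so a test log cannot show whether the tunsrc checks ran or were skipped, or which probe caused the skip. A one-line message before each `return` naming the missing piece (tunsrc or ip6tables raw table) would keep the fallback while making it visible. The results of `setup_ns tunsrc_ns` and of the `ip ... link add veth0 type veth` call are also unchecked, so a failure to build the probe namespace ends up on the same path as a missing tunsrc feature; checking them separately would keep an environment problem from being reported as lack of support.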
