lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20251031-tc_tunnel_improv-v1-2-0ffe44d27eda@bootlin.com>
Date: Fri, 31 Oct 2025 10:01:42 +0100
From: Alexis Lothoré (eBPF Foundation) <alexis.lothore@...tlin.com>
To: Alexei Starovoitov <ast@...nel.org>, 
 Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, 
 Martin KaFai Lau <martin.lau@...ux.dev>, 
 Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>, 
 Yonghong Song <yonghong.song@...ux.dev>, 
 John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, 
 Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>, 
 Jiri Olsa <jolsa@...nel.org>, Shuah Khan <shuah@...nel.org>
Cc: ebpf@...uxfoundation.org, 
 Thomas Petazzoni <thomas.petazzoni@...tlin.com>, bpf@...r.kernel.org, 
 linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org, 
 Bastien Curutchet <bastien.curutchet@...tlin.com>, 
 Alexis Lothoré (eBPF Foundation) <alexis.lothore@...tlin.com>
Subject: [PATCH bpf-next 2/3] selftests/bpf: add checks in tc_tunnel when
 entering net namespaces

test_tc_tunnel is missing checks on any open_netns. Add those checks
anytime we try to enter a net namespace, and skip the related operations
if we fail. While at it, reduce the number of open_netns/close_netns for
cases involving operations in two distinct namespaces: the test
currently does the following:

  nstoken = open_netns("foo")
  do_operation();
  close(nstoken);
  nstoken = open_netns("bar")
  do_another_operation();
  close(nstoken);

As already stated in reviews for the initial test, we don't need to go
back to the root net namespace to enter a second namespace, so just do:

  ntoken_client = open_netns("foo")
  do_operation();
  nstoken_server = open_netns("bar")
  do_another_operation();
  close(nstoken_server);
  close(nstoken_client);

Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.lothore@...tlin.com>
---
 .../selftests/bpf/prog_tests/test_tc_tunnel.c      | 134 ++++++++++++++-------
 1 file changed, 88 insertions(+), 46 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/test_tc_tunnel.c b/tools/testing/selftests/bpf/prog_tests/test_tc_tunnel.c
index 1d8d38e67f8b..deea90aaefad 100644
--- a/tools/testing/selftests/bpf/prog_tests/test_tc_tunnel.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_tc_tunnel.c
@@ -133,8 +133,12 @@ static void set_subtest_addresses(struct subtest_cfg *cfg)
 
 static int run_server(struct subtest_cfg *cfg)
 {
-	struct nstoken *nstoken = open_netns(SERVER_NS);
 	int family = cfg->ipproto == 6 ? AF_INET6 : AF_INET;
+	struct nstoken *nstoken;
+
+	nstoken = open_netns(SERVER_NS);
+	if (!ASSERT_OK_PTR(nstoken, "open server ns"))
+		return -1;
 
 	cfg->server_fd = start_reuseport_server(family, SOCK_STREAM,
 						cfg->server_addr, TEST_PORT,
@@ -319,6 +323,10 @@ static int configure_encapsulation(struct subtest_cfg *cfg)
 static int configure_kernel_decapsulation(struct subtest_cfg *cfg)
 {
 	struct nstoken *nstoken = open_netns(SERVER_NS);
+	int ret = -1;
+
+	if (!ASSERT_OK_PTR(nstoken, "open server ns"))
+		return ret;
 
 	if (cfg->configure_fou_rx_port &&
 	    !ASSERT_OK(add_fou_rx_port(cfg), "configure FOU RX port"))
@@ -337,11 +345,11 @@ static int configure_kernel_decapsulation(struct subtest_cfg *cfg)
 	SYS(fail, "sysctl -qw net.ipv4.conf.all.rp_filter=0");
 	SYS(fail, "sysctl -qw net.ipv4.conf.testtun0.rp_filter=0");
 	SYS(fail, "ip link set dev testtun0 up");
-	close_netns(nstoken);
-	return 0;
+
+	ret = 0;
 fail:
 	close_netns(nstoken);
-	return -1;
+	return ret;
 }
 
 static void remove_kernel_decapsulation(struct subtest_cfg *cfg)
@@ -356,6 +364,10 @@ static void remove_kernel_decapsulation(struct subtest_cfg *cfg)
 static int configure_ebpf_decapsulation(struct subtest_cfg *cfg)
 {
 	struct nstoken *nstoken = open_netns(SERVER_NS);
+	int ret = -1;
+
+	if (!ASSERT_OK_PTR(nstoken, "open server ns"))
+		return ret;
 
 	if (!cfg->expect_kern_decap_failure)
 		SYS(fail, "ip link del testtun0");
@@ -363,17 +375,20 @@ static int configure_ebpf_decapsulation(struct subtest_cfg *cfg)
 	if (!ASSERT_OK(tc_prog_attach("veth2", cfg->server_ingress_prog_fd, -1),
 		       "attach_program"))
 		goto fail;
-	close_netns(nstoken);
-	return 0;
+
+	ret = 0;
 fail:
 	close_netns(nstoken);
-	return -1;
+	return ret;
 }
 
 static void run_test(struct subtest_cfg *cfg)
 {
 	struct nstoken *nstoken = open_netns(CLIENT_NS);
 
+	if (!ASSERT_OK_PTR(nstoken, "open client ns"))
+		return;
+
 	if (!ASSERT_OK(run_server(cfg), "run server"))
 		goto fail;
 
@@ -407,7 +422,7 @@ static void run_test(struct subtest_cfg *cfg)
 
 static int setup(void)
 {
-	struct nstoken *nstoken = NULL;
+	struct nstoken *nstoken_client, *nstoken_server;
 	int fd, err;
 
 	fd = open("/dev/urandom", O_RDONLY);
@@ -424,52 +439,75 @@ static int setup(void)
 	    !ASSERT_OK(make_netns(SERVER_NS), "create server ns"))
 		goto fail;
 
-	nstoken = open_netns(CLIENT_NS);
-	SYS(fail, "ip link add %s type veth peer name %s",
+	nstoken_client = open_netns(CLIENT_NS);
+	if (!ASSERT_OK_PTR(nstoken_client, "open client ns"))
+		goto fail_delete_ns;
+	SYS(fail_close_ns_client, "ip link add %s type veth peer name %s",
 	    "veth1 mtu 1500 netns " CLIENT_NS " address " MAC_ADDR_VETH1,
 	    "veth2 mtu 1500 netns " SERVER_NS " address " MAC_ADDR_VETH2);
-	SYS(fail, "ethtool -K veth1 tso off");
-	SYS(fail, "ip link set veth1 up");
-	close_netns(nstoken);
-	nstoken = open_netns(SERVER_NS);
-	SYS(fail, "ip link set veth2 up");
-	close_netns(nstoken);
-
+	SYS(fail_close_ns_client, "ethtool -K veth1 tso off");
+	SYS(fail_close_ns_client, "ip link set veth1 up");
+	nstoken_server = open_netns(SERVER_NS);
+	if (!ASSERT_OK_PTR(nstoken_server, "open server ns"))
+		goto fail_close_ns_client;
+	SYS(fail_close_ns_server, "ip link set veth2 up");
+
+	close_netns(nstoken_server);
+	close_netns(nstoken_client);
 	return 0;
+
+fail_close_ns_server:
+	close_netns(nstoken_server);
+fail_close_ns_client:
+	close_netns(nstoken_client);
+fail_delete_ns:
+	SYS_NOFAIL("ip netns del " CLIENT_NS);
+	SYS_NOFAIL("ip netns del " SERVER_NS);
 fail:
-	close_netns(nstoken);
-	return 1;
+	return -1;
 }
 
 static int subtest_setup(struct test_tc_tunnel *skel, struct subtest_cfg *cfg)
 {
-	struct nstoken *nstoken;
+	struct nstoken *nstoken_client, *nstoken_server;
+	int ret = -1;
 
 	set_subtest_addresses(cfg);
 	if (!ASSERT_OK(set_subtest_progs(cfg, skel),
 		       "find subtest progs"))
-		return -1;
+		goto fail;
 	if (cfg->extra_decap_mod_args_cb)
 		cfg->extra_decap_mod_args_cb(cfg, cfg->extra_decap_mod_args);
 
-	nstoken = open_netns(CLIENT_NS);
-	SYS(fail, "ip -4 addr add " IP4_ADDR_VETH1 "/24 dev veth1");
-	SYS(fail, "ip -4 route flush table main");
-	SYS(fail, "ip -4 route add " IP4_ADDR_VETH2 " mtu 1450 dev veth1");
-	SYS(fail, "ip -6 addr add " IP6_ADDR_VETH1 "/64 dev veth1 nodad");
-	SYS(fail, "ip -6 route flush table main");
-	SYS(fail, "ip -6 route add " IP6_ADDR_VETH2 " mtu 1430 dev veth1");
-	close_netns(nstoken);
-
-	nstoken = open_netns(SERVER_NS);
-	SYS(fail, "ip -4 addr add " IP4_ADDR_VETH2 "/24 dev veth2");
-	SYS(fail, "ip -6 addr add " IP6_ADDR_VETH2 "/64 dev veth2 nodad");
-	close_netns(nstoken);
-
-	return 0;
+	nstoken_client = open_netns(CLIENT_NS);
+	if (!ASSERT_OK_PTR(nstoken_client, "open client ns"))
+		goto fail;
+	SYS(fail_close_client_ns,
+	    "ip -4 addr add " IP4_ADDR_VETH1 "/24 dev veth1");
+	SYS(fail_close_client_ns, "ip -4 route flush table main");
+	SYS(fail_close_client_ns,
+	    "ip -4 route add " IP4_ADDR_VETH2 " mtu 1450 dev veth1");
+	SYS(fail_close_client_ns,
+	    "ip -6 addr add " IP6_ADDR_VETH1 "/64 dev veth1 nodad");
+	SYS(fail_close_client_ns, "ip -6 route flush table main");
+	SYS(fail_close_client_ns,
+	    "ip -6 route add " IP6_ADDR_VETH2 " mtu 1430 dev veth1");
+	nstoken_server = open_netns(SERVER_NS);
+	if (!ASSERT_OK_PTR(nstoken_server, "open server ns"))
+		goto fail_close_client_ns;
+	SYS(fail_close_server_ns,
+	    "ip -4 addr add " IP4_ADDR_VETH2 "/24 dev veth2");
+	SYS(fail_close_server_ns,
+	    "ip -6 addr add " IP6_ADDR_VETH2 "/64 dev veth2 nodad");
+
+	ret = 0;
+
+fail_close_server_ns:
+	close_netns(nstoken_server);
+fail_close_client_ns:
+	close_netns(nstoken_client);
 fail:
-	close_netns(nstoken);
-	return -1;
+	return ret;
 }
 
 
@@ -478,15 +516,19 @@ static void subtest_cleanup(struct subtest_cfg *cfg)
 	struct nstoken *nstoken;
 
 	nstoken = open_netns(CLIENT_NS);
-	SYS_NOFAIL("tc qdisc delete dev veth1 parent ffff:fff1");
-	SYS_NOFAIL("ip a flush veth1");
-	close_netns(nstoken);
+	if (ASSERT_OK_PTR(nstoken, "open clien ns")) {
+		SYS_NOFAIL("tc qdisc delete dev veth1 parent ffff:fff1");
+		SYS_NOFAIL("ip a flush veth1");
+		close_netns(nstoken);
+	}
 	nstoken = open_netns(SERVER_NS);
-	SYS_NOFAIL("tc qdisc delete dev veth2 parent ffff:fff1");
-	SYS_NOFAIL("ip a flush veth2");
-	if (!cfg->expect_kern_decap_failure)
-		remove_kernel_decapsulation(cfg);
-	close_netns(nstoken);
+	if (ASSERT_OK_PTR(nstoken, "open clien ns")) {
+		SYS_NOFAIL("tc qdisc delete dev veth2 parent ffff:fff1");
+		SYS_NOFAIL("ip a flush veth2");
+		if (!cfg->expect_kern_decap_failure)
+			remove_kernel_decapsulation(cfg);
+		close_netns(nstoken);
+	}
 }
 
 static void cleanup(void)

-- 
2.51.1.dirty

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ