| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Apr 2019 16:32:11 +0100
From: Alan Maguire <alan.maguire@...cle.com>
To: willemb@...gle.com, ast@...nel.org, daniel@...earbox.net,
davem@...emloft.net, shuah@...nel.org, kafai@...com,
songliubraving@...com, yhs@...com, quentin.monnet@...ronome.com,
john.fastabend@...il.com, rdna@...com,
linux-kselftest@...r.kernel.org, netdev@...r.kernel.org,
bpf@...r.kernel.org
Cc: Alan Maguire <alan.maguire@...cle.com>
Subject: [PATCH bpf-next 4/4] selftests_bpf: extend test_tc_tunnel.sh test for L2 encap
Update test_tc_tunnel to verify adding inner L2 header
encapsulation (an MPLS label) works.
Signed-off-by: Alan Maguire <alan.maguire@...cle.com>
---
tools/testing/selftests/bpf/progs/test_tc_tunnel.c | 172 +++++++++++++++++----
tools/testing/selftests/bpf/test_tc_tunnel.sh | 59 +++----
2 files changed, 170 insertions(+), 61 deletions(-)
diff --git a/tools/testing/selftests/bpf/progs/test_tc_tunnel.c b/tools/testing/selftests/bpf/progs/test_tc_tunnel.c
index cc88379..5127b1b 100644
--- a/tools/testing/selftests/bpf/progs/test_tc_tunnel.c
+++ b/tools/testing/selftests/bpf/progs/test_tc_tunnel.c
@@ -11,6 +11,7 @@
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
+#include <linux/mpls.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/pkt_cls.h>
@@ -23,7 +24,13 @@
static const int cfg_udp_src = 20000;
static const int cfg_udp_dst = 5555;
+/* MPLSoverUDP */
+#define MPLS_OVER_UDP_PORT 6635
+static const int cfg_mplsudp_dst = MPLS_OVER_UDP_PORT;
+/* MPLS label 1000 with S bit (last label) set and ttl of 255. */
+static const __u32 mpls_label = __bpf_constant_htonl(1000 << 12 |
+ MPLS_LS_S_MASK | 0xff);
struct gre_hdr {
__be16 flags;
__be16 protocol;
@@ -37,6 +44,7 @@ struct gre_hdr {
struct v4hdr {
struct iphdr ip;
union l4hdr l4hdr;
+ __u8 pad[16]; /* enough space for eth header after udp hdr */
} __attribute__((packed));
struct v6hdr {
@@ -59,14 +67,17 @@ static __always_inline void set_ipv4_csum(struct iphdr *iph)
iph->check = ~((csum & 0xffff) + (csum >> 16));
}
-static __always_inline int encap_ipv4(struct __sk_buff *skb, __u8 encap_proto)
+static __always_inline int encap_ipv4(struct __sk_buff *skb, __u8 encap_proto,
+ __u16 l2_proto)
{
struct iphdr iph_inner;
struct v4hdr h_outer;
struct udphdr *udph;
struct tcphdr tcph;
+ struct ethhdr eth;
+ int olen, elen;
__u64 flags;
- int olen;
+ __u16 dst;
if (bpf_skb_load_bytes(skb, ETH_HLEN, &iph_inner,
sizeof(iph_inner)) < 0)
@@ -84,23 +95,39 @@ static __always_inline int encap_ipv4(struct __sk_buff *skb, __u8 encap_proto)
return TC_ACT_OK;
olen = sizeof(h_outer.ip);
+ elen = 0;
flags = BPF_F_ADJ_ROOM_ENCAP_L3_IPV4;
+
+ if (l2_proto == ETH_P_MPLS_UC) {
+ elen = sizeof(mpls_label);
+ flags |= BPF_F_ADJ_ROOM_ENCAP_L2(elen);
+ }
+
switch (encap_proto) {
case IPPROTO_GRE:
flags |= BPF_F_ADJ_ROOM_ENCAP_L4_GRE | BPF_F_ADJ_ROOM_FIXED_GSO;
olen += sizeof(h_outer.l4hdr.gre);
- h_outer.l4hdr.gre.protocol = bpf_htons(ETH_P_IP);
+ h_outer.l4hdr.gre.protocol = bpf_htons(l2_proto);
h_outer.l4hdr.gre.flags = 0;
break;
case IPPROTO_UDP:
flags |= BPF_F_ADJ_ROOM_ENCAP_L4_UDP;
olen += sizeof(h_outer.l4hdr.udp);
- h_outer.l4hdr.udp.source = __bpf_constant_htons(cfg_udp_src);
- h_outer.l4hdr.udp.dest = __bpf_constant_htons(cfg_udp_dst);
h_outer.l4hdr.udp.check = 0;
h_outer.l4hdr.udp.len = bpf_htons(bpf_ntohs(iph_inner.tot_len) +
- sizeof(h_outer.l4hdr.udp));
+ sizeof(h_outer.l4hdr.udp) +
+ elen);
+ h_outer.l4hdr.udp.source = __bpf_constant_htons(cfg_udp_src);
+ switch (l2_proto) {
+ case ETH_P_IP:
+ dst = cfg_udp_dst;
+ break;
+ case ETH_P_MPLS_UC:
+ dst = cfg_mplsudp_dst;
+ break;
+ }
+ h_outer.l4hdr.udp.dest = bpf_htons(dst);
break;
case IPPROTO_IPIP:
break;
@@ -108,6 +135,13 @@ static __always_inline int encap_ipv4(struct __sk_buff *skb, __u8 encap_proto)
return TC_ACT_OK;
}
+ /* add L2 encap (if specified) */
+ if (l2_proto == ETH_P_MPLS_UC)
+ __builtin_memcpy((__u8 *)&h_outer + olen, &mpls_label,
+ sizeof(mpls_label));
+
+ olen += elen;
+
/* add room between mac and network header */
if (bpf_skb_adjust_room(skb, olen, BPF_ADJ_ROOM_MAC, flags))
return TC_ACT_SHOT;
@@ -124,18 +158,19 @@ static __always_inline int encap_ipv4(struct __sk_buff *skb, __u8 encap_proto)
if (bpf_skb_store_bytes(skb, ETH_HLEN, &h_outer, olen,
BPF_F_INVALIDATE_HASH) < 0)
return TC_ACT_SHOT;
-
return TC_ACT_OK;
}
-static __always_inline int encap_ipv6(struct __sk_buff *skb, __u8 encap_proto)
+static __always_inline int encap_ipv6(struct __sk_buff *skb, __u8 encap_proto,
+ __u16 l2_proto)
{
struct ipv6hdr iph_inner;
struct v6hdr h_outer;
struct tcphdr tcph;
+ int olen, elen;
__u16 tot_len;
__u64 flags;
- int olen;
+ __u16 dst;
if (bpf_skb_load_bytes(skb, ETH_HLEN, &iph_inner,
sizeof(iph_inner)) < 0)
@@ -150,24 +185,39 @@ static __always_inline int encap_ipv6(struct __sk_buff *skb, __u8 encap_proto)
return TC_ACT_OK;
olen = sizeof(h_outer.ip);
+ elen = 0;
flags = BPF_F_ADJ_ROOM_ENCAP_L3_IPV6;
+
+ if (l2_proto == ETH_P_MPLS_UC) {
+ elen = sizeof(mpls_label);
+ flags |= BPF_F_ADJ_ROOM_ENCAP_L2(elen);
+ }
+
switch (encap_proto) {
case IPPROTO_GRE:
flags |= BPF_F_ADJ_ROOM_ENCAP_L4_GRE | BPF_F_ADJ_ROOM_FIXED_GSO;
olen += sizeof(h_outer.l4hdr.gre);
- h_outer.l4hdr.gre.protocol = bpf_htons(ETH_P_IPV6);
+ h_outer.l4hdr.gre.protocol = bpf_htons(l2_proto);
h_outer.l4hdr.gre.flags = 0;
break;
case IPPROTO_UDP:
flags |= BPF_F_ADJ_ROOM_ENCAP_L4_UDP;
olen += sizeof(h_outer.l4hdr.udp);
- h_outer.l4hdr.udp.source = __bpf_constant_htons(cfg_udp_src);
- h_outer.l4hdr.udp.dest = __bpf_constant_htons(cfg_udp_dst);
h_outer.l4hdr.udp.check = 0;
tot_len = bpf_ntohs(iph_inner.payload_len) + sizeof(iph_inner);
h_outer.l4hdr.udp.len = bpf_htons(tot_len +
- sizeof(h_outer.l4hdr.udp));
+ sizeof(h_outer.l4hdr.udp) + elen);
+ h_outer.l4hdr.udp.source = __bpf_constant_htons(cfg_udp_src);
+ switch (l2_proto) {
+ case ETH_P_IPV6:
+ dst = cfg_udp_dst;
+ break;
+ case ETH_P_MPLS_UC:
+ dst = cfg_mplsudp_dst;
+ break;
+ }
+ h_outer.l4hdr.udp.dest = bpf_htons(dst);
break;
case IPPROTO_IPV6:
break;
@@ -175,6 +225,13 @@ static __always_inline int encap_ipv6(struct __sk_buff *skb, __u8 encap_proto)
return TC_ACT_OK;
}
+ /* add L2 encap (if specified) */
+ if (l2_proto == ETH_P_MPLS_UC)
+ __builtin_memcpy((__u8 *)&h_outer + olen, &mpls_label,
+ sizeof(mpls_label));
+
+ olen += elen;
+
/* add room between mac and network header */
if (bpf_skb_adjust_room(skb, olen, BPF_ADJ_ROOM_MAC, flags))
return TC_ACT_SHOT;
@@ -194,63 +251,104 @@ static __always_inline int encap_ipv6(struct __sk_buff *skb, __u8 encap_proto)
return TC_ACT_OK;
}
-SEC("encap_ipip")
+SEC("encap_ipip_none")
int __encap_ipip(struct __sk_buff *skb)
{
if (skb->protocol == __bpf_constant_htons(ETH_P_IP))
- return encap_ipv4(skb, IPPROTO_IPIP);
+ return encap_ipv4(skb, IPPROTO_IPIP, ETH_P_IP);
+ else
+ return TC_ACT_OK;
+}
+
+SEC("encap_gre_none")
+int __encap_gre_none(struct __sk_buff *skb)
+{
+ if (skb->protocol == __bpf_constant_htons(ETH_P_IP))
+ return encap_ipv4(skb, IPPROTO_GRE, ETH_P_IP);
else
return TC_ACT_OK;
}
-SEC("encap_gre")
-int __encap_gre(struct __sk_buff *skb)
+SEC("encap_gre_mpls")
+int __encap_gre_mpls(struct __sk_buff *skb)
{
if (skb->protocol == __bpf_constant_htons(ETH_P_IP))
- return encap_ipv4(skb, IPPROTO_GRE);
+ return encap_ipv4(skb, IPPROTO_GRE, ETH_P_MPLS_UC);
else
return TC_ACT_OK;
}
-SEC("encap_udp")
+
+SEC("encap_udp_none")
int __encap_udp(struct __sk_buff *skb)
{
if (skb->protocol == __bpf_constant_htons(ETH_P_IP))
- return encap_ipv4(skb, IPPROTO_UDP);
+ return encap_ipv4(skb, IPPROTO_UDP, ETH_P_IP);
+ else
+ return TC_ACT_OK;
+}
+
+SEC("encap_udp_mpls")
+int __encap_udp_mpls(struct __sk_buff *skb)
+{
+ if (skb->protocol == __bpf_constant_htons(ETH_P_IP))
+ return encap_ipv4(skb, IPPROTO_UDP, ETH_P_MPLS_UC);
+ else
+ return TC_ACT_OK;
+}
+
+
+SEC("encap_ip6tnl_none")
+int __encap_ip6tnl_none(struct __sk_buff *skb)
+{
+ if (skb->protocol == __bpf_constant_htons(ETH_P_IPV6))
+ return encap_ipv6(skb, IPPROTO_IPV6, ETH_P_IPV6);
+ else
+ return TC_ACT_OK;
+}
+
+SEC("encap_ip6gre_none")
+int __encap_ip6gre_none(struct __sk_buff *skb)
+{
+ if (skb->protocol == __bpf_constant_htons(ETH_P_IPV6))
+ return encap_ipv6(skb, IPPROTO_GRE, ETH_P_IPV6);
else
return TC_ACT_OK;
}
-SEC("encap_ip6tnl")
-int __encap_ip6tnl(struct __sk_buff *skb)
+SEC("encap_ip6gre_mpls")
+int __encap_ip6gre_mpls(struct __sk_buff *skb)
{
if (skb->protocol == __bpf_constant_htons(ETH_P_IPV6))
- return encap_ipv6(skb, IPPROTO_IPV6);
+ return encap_ipv6(skb, IPPROTO_GRE, ETH_P_MPLS_UC);
else
return TC_ACT_OK;
}
-SEC("encap_ip6gre")
-int __encap_ip6gre(struct __sk_buff *skb)
+SEC("encap_ip6udp_none")
+int __encap_ip6udp_none(struct __sk_buff *skb)
{
if (skb->protocol == __bpf_constant_htons(ETH_P_IPV6))
- return encap_ipv6(skb, IPPROTO_GRE);
+ return encap_ipv6(skb, IPPROTO_UDP, ETH_P_IPV6);
else
return TC_ACT_OK;
}
-SEC("encap_ip6udp")
-int __encap_ip6udp(struct __sk_buff *skb)
+SEC("encap_ip6udp_mpls")
+int __encap_ip6udp_mpls(struct __sk_buff *skb)
{
if (skb->protocol == __bpf_constant_htons(ETH_P_IPV6))
- return encap_ipv6(skb, IPPROTO_UDP);
+ return encap_ipv6(skb, IPPROTO_UDP, ETH_P_MPLS_UC);
else
return TC_ACT_OK;
}
-static int decap_internal(struct __sk_buff *skb, int off, int len, char proto)
+static __always_inline int decap_internal(struct __sk_buff *skb, int off,
+ int len, char proto)
{
char buf[sizeof(struct v6hdr)];
+ struct gre_hdr greh;
+ struct udphdr udph;
int olen = len;
switch (proto) {
@@ -259,9 +357,17 @@ static int decap_internal(struct __sk_buff *skb, int off, int len, char proto)
break;
case IPPROTO_GRE:
olen += sizeof(struct gre_hdr);
+ if (bpf_skb_load_bytes(skb, off + len, &greh, sizeof(greh)) < 0)
+ return TC_ACT_OK;
+ if (bpf_ntohs(greh.protocol) == ETH_P_MPLS_UC)
+ olen += sizeof(mpls_label);
break;
case IPPROTO_UDP:
olen += sizeof(struct udphdr);
+ if (bpf_skb_load_bytes(skb, off + len, &udph, sizeof(udph)) < 0)
+ return TC_ACT_OK;
+ if (bpf_ntohs(udph.dest) == MPLS_OVER_UDP_PORT)
+ olen += sizeof(mpls_label);
break;
default:
return TC_ACT_OK;
@@ -274,7 +380,7 @@ static int decap_internal(struct __sk_buff *skb, int off, int len, char proto)
return TC_ACT_OK;
}
-static int decap_ipv4(struct __sk_buff *skb)
+static __always_inline int decap_ipv4(struct __sk_buff *skb)
{
struct iphdr iph_outer;
@@ -289,7 +395,7 @@ static int decap_ipv4(struct __sk_buff *skb)
iph_outer.protocol);
}
-static int decap_ipv6(struct __sk_buff *skb)
+static __always_inline int decap_ipv6(struct __sk_buff *skb)
{
struct ipv6hdr iph_outer;
@@ -302,7 +408,7 @@ static int decap_ipv6(struct __sk_buff *skb)
}
SEC("decap")
-int decap_f(struct __sk_buff *skb)
+static int decap_f(struct __sk_buff *skb)
{
switch (skb->protocol) {
case __bpf_constant_htons(ETH_P_IP):
diff --git a/tools/testing/selftests/bpf/test_tc_tunnel.sh b/tools/testing/selftests/bpf/test_tc_tunnel.sh
index 3ae54f0..37c479e 100755
--- a/tools/testing/selftests/bpf/test_tc_tunnel.sh
+++ b/tools/testing/selftests/bpf/test_tc_tunnel.sh
@@ -89,42 +89,44 @@ set -e
# no arguments: automated test, run all
if [[ "$#" -eq "0" ]]; then
echo "ipip"
- $0 ipv4 ipip 100
+ $0 ipv4 ipip none 100
echo "ip6ip6"
- $0 ipv6 ip6tnl 100
+ $0 ipv6 ip6tnl none 100
- echo "ip gre"
- $0 ipv4 gre 100
+ for mac in none mpls ; do
+ echo "ip gre $mac"
+ $0 ipv4 gre $mac 100
- echo "ip6 gre"
- $0 ipv6 ip6gre 100
+ echo "ip6 gre $mac"
+ $0 ipv6 ip6gre $mac 100
- echo "ip gre gso"
- $0 ipv4 gre 2000
+ echo "ip gre $mac gso"
+ $0 ipv4 gre $mac 2000
- echo "ip6 gre gso"
- $0 ipv6 ip6gre 2000
+ echo "ip6 gre $mac gso"
+ $0 ipv6 ip6gre $mac 2000
- echo "ip udp"
- $0 ipv4 udp 100
+ echo "ip udp $mac"
+ $0 ipv4 udp $mac 100
- echo "ip6 udp"
- $0 ipv6 ip6udp 100
+ echo "ip6 udp $mac"
+ $0 ipv6 ip6udp $mac 100
- echo "ip udp gso"
- $0 ipv4 udp 2000
+ echo "ip udp $mac gso"
+ $0 ipv4 udp $mac 2000
- echo "ip6 udp gso"
- $0 ipv6 ip6udp 2000
+ echo "ip6 udp $mac gso"
+ $0 ipv6 ip6udp $mac 2000
+ done
echo "OK. All tests passed"
exit 0
fi
-if [[ "$#" -ne "3" ]]; then
+if [[ "$#" -ne "4" ]]; then
echo "Usage: $0"
- echo " or: $0 <ipv4|ipv6> <tuntype> <data_len>"
+ echo " or: $0 <ipv4|ipv6> <tuntype> <none|mpls> <data_len>"
exit 1
fi
@@ -148,9 +150,10 @@ case "$1" in
esac
readonly tuntype=$2
-readonly datalen=$3
+readonly mactype=$3
+readonly datalen=$4
-echo "encap ${addr1} to ${addr2}, type ${tuntype}, len ${datalen}"
+echo "encap ${addr1} to ${addr2}, tun ${tuntype} mac ${mactype} len ${datalen}"
trap cleanup EXIT
@@ -167,7 +170,7 @@ verify_data
ip netns exec "${ns1}" tc qdisc add dev veth1 clsact
ip netns exec "${ns1}" tc filter add dev veth1 egress \
bpf direct-action object-file ./test_tc_tunnel.o \
- section "encap_${tuntype}"
+ section "encap_${tuntype}_${mactype}"
echo "test bpf encap without decap (expect failure)"
server_listen
! client_connect
@@ -176,11 +179,11 @@ server_listen
# server is still running
# client can connect again
-# Skip tunnel tests for ip6udp. For IPv6, a UDP checksum is required
-# and there seems to be no way to tell a fou6 tunnel to allow 0
-# checksums. Accordingly for both these cases, we skip tests against
-# tunnel peer, and test encap using BPF decap only.
-if [[ "$tuntype" != "ip6udp" ]]; then
+# Skip tunnel tests for L2 encap and ip6udp. For IPv6, a UDP checksum
+# is required and there seems to be no way to tell a fou6 tunnel to
+# allow 0 checksums. Accordingly for both these cases, we skip tests
+# against tunnel peer and test using BPF decap only.
+if [[ "$mactype" == "none" && "$tuntype" != "ip6udp" ]]; then
if [[ "$tuntype" == "udp" ]]; then
# Set up fou tunnel.
ttype=ipip
--
1.8.3.1
Powered by blists - more mailing lists