lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f3d875d44afaf43250dca8f9614cab119bdf5d2c.camel@redhat.com>
Date:   Tue, 04 Oct 2022 11:36:14 +0200
From:   Paolo Abeni <pabeni@...hat.com>
To:     Paul Blakey <paulb@...dia.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Vlad Buslov <vladbu@...dia.com>, Oz Shlomo <ozsh@...dia.com>,
        Roi Dayan <roid@...dia.com>, netdev@...r.kernel.org,
        Saeed Mahameed <saeedm@...dia.com>
Cc:     Eric Dumazet <edumazet@...gle.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>
Subject: Re: [PATCH net v3 2/2] selftests: add selftest for chaining of tc
 ingress handling to egress

Hello,

On Sun, 2022-10-02 at 13:24 +0300, Paul Blakey wrote:
> This test runs a simple ingress tc setup between two veth pairs,
> then adds a egress->ingress rule to test the chaining of tc ingress
> pipeline to tc egress piepline.
> 
> Signed-off-by: Paul Blakey <paulb@...dia.com>
> ---
>  .../net/test_ingress_egress_chaining.sh       | 81 +++++++++++++++++++
>  1 file changed, 81 insertions(+)
>  create mode 100644 tools/testing/selftests/net/test_ingress_egress_chaining.sh
> 
> diff --git a/tools/testing/selftests/net/test_ingress_egress_chaining.sh b/tools/testing/selftests/net/test_ingress_egress_chaining.sh
> new file mode 100644
> index 000000000000..4775f5657e68
> --- /dev/null
> +++ b/tools/testing/selftests/net/test_ingress_egress_chaining.sh
> @@ -0,0 +1,81 @@
> +#!/bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +
> +# This test runs a simple ingress tc setup between two veth pairs,
> +# and chains a single egress rule to test ingress chaining to egress.
> +#
> +# Kselftest framework requirement - SKIP code is 4.
> +ksft_skip=4
> +
> +if [ "$(id -u)" -ne 0 ];then
> +	echo "SKIP: Need root privileges"
> +	exit $ksft_skip
> +fi
> +
> +if [ ! -x "$(command -v iperf)" ]; then
> +	echo "SKIP: Could not run test without iperf tool"

You just need to establish a TCP connection towards a given IP, right?

Than you can use the existing self-tests program:

# listener:
./udpgso_bench_rx -t & 

# client:
./udpgso_bench_tx -t -l <transfer time> -4  -D <listener IP>

and avoid dependencies on external tools.

> +	exit $ksft_skip
> +fi
> +
> +needed_mods="act_mirred cls_flower sch_ingress"
> +for mod in $needed_mods; do
> +	modinfo $mod &>/dev/null || { echo "SKIP: Need act_mirred module"; exit $ksft_skip; }
> +done
> +
> +ns="ns$((RANDOM%899+100))"
> +veth1="veth1$((RANDOM%899+100))"
> +veth2="veth2$((RANDOM%899+100))"
> +peer1="peer1$((RANDOM%899+100))"
> +peer2="peer2$((RANDOM%899+100))"
> +
> +function fail() {
> +	echo "FAIL: $@" >> /dev/stderr
> +	exit 1
> +}
> +
> +function cleanup() {
> +	killall -q -9 iperf
> +	ip link del $veth1 &> /dev/null
> +	ip link del $veth2 &> /dev/null
> +	ip netns del $ns &> /dev/null
> +}
> +trap cleanup EXIT
> +
> +function config() {
> +	echo "Setup veth pairs [$veth1, $peer1], and veth pair [$veth2, $peer2]"
> +	ip link add $veth1 type veth peer name $peer1
> +	ip link add $veth2 type veth peer name $peer2
> +	ifconfig $peer1 5.5.5.6/24 up

Please use the modern 'ip addr' syntax. More importantly, it's better
if you move both peers in separate netns, to avoid 'random' self-test
failure due to the specific local routing configuration.

Additionally you could pick addresses from tests blocks (192.0.2.0/24,
198.51.100.0/24, 203.0.113.0/24) or at least from private ranges.

> +	ip netns add $ns
> +	ip link set dev $peer2 netns $ns
> +	ip netns exec $ns ifconfig $peer2 5.5.5.5/24 up
> +	ifconfig $veth2 0 up
> +	ifconfig $veth1 0 up

Please use 'ip link' ...

> +
> +	echo "Add tc filter ingress->egress forwarding $veth1 <-> $veth2"
> +	tc qdisc add dev $veth2 ingress
> +	tc qdisc add dev $veth1 ingress
> +	tc filter add dev $veth2 ingress prio 1 proto all flower \
> +		action mirred egress redirect dev $veth1
> +	tc filter add dev $veth1 ingress prio 1 proto all flower \
> +		action mirred egress redirect dev $veth2
> +
> +	echo "Add tc filter egress->ingress forwarding $peer1 -> $veth1, bypassing the veth pipe"
> +	tc qdisc add dev $peer1 clsact
> +	tc filter add dev $peer1 egress prio 20 proto ip flower \
> +		action mirred ingress redirect dev $veth1
> +}
> +
> +function test_run() {
> +	echo "Run iperf"
> +	iperf -s -D

Depending on the timing, the server can create the listener socket
after that the client tried to connect, causing random failures. 

You should introduce some explicit, small, delay to give the server the
time to start-up, e.g.:

# start server
sleep 0.2
# start client


Thanks!

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ