lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <288b0d96-d5a8-4d81-9302-32b0d414a983@linux.dev>
Date: Thu, 25 Apr 2024 16:34:11 -0700
From: Martin KaFai Lau <martin.lau@...ux.dev>
To: Brad Cowie <brad@...cet.nz>
Cc: lorenzo@...nel.org, memxor@...il.com, pablo@...filter.org,
 davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, ast@...nel.org,
 daniel@...earbox.net, andrii@...nel.org, song@...nel.org,
 john.fastabend@...il.com, sdf@...gle.com, jolsa@...nel.org,
 netfilter-devel@...r.kernel.org, coreteam@...filter.org,
 netdev@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [PATCH bpf-next v2 2/2] selftests/bpf: Update tests for new ct
 zone opts for nf_conntrack kfuncs

On 4/23/24 8:00 PM, Brad Cowie wrote:
> Remove test for reserved options in bpf_ct_opts,
> which have been removed.
> 
> Add test for allocating and looking up ct entry in a
> non-default ct zone with kfuncs bpf_{xdp,skb}_ct_alloc
> and bpf_{xdp,skb}_ct_lookup.
> 
> Add negative test for looking up ct entry in a different
> ct zone to where it was allocated.
> 
> Signed-off-by: Brad Cowie <brad@...cet.nz>
> ---
> v1 -> v2:
>    - Separate test changes into different patch
>    - Add test for allocating/looking up entry in non-default ct zone
> ---
>   tools/testing/selftests/bpf/config            |  1 +
>   .../testing/selftests/bpf/prog_tests/bpf_nf.c |  6 +-
>   .../testing/selftests/bpf/progs/test_bpf_nf.c | 88 ++++++++++++++++---
>   3 files changed, 82 insertions(+), 13 deletions(-)
> 
> diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config
> index afd675b1bf80..8d4110fe8d26 100644
> --- a/tools/testing/selftests/bpf/config
> +++ b/tools/testing/selftests/bpf/config
> @@ -75,6 +75,7 @@ CONFIG_NETFILTER_XT_TARGET_CT=y
>   CONFIG_NETKIT=y
>   CONFIG_NF_CONNTRACK=y
>   CONFIG_NF_CONNTRACK_MARK=y
> +CONFIG_NF_CONNTRACK_ZONES=y
>   CONFIG_NF_DEFRAG_IPV4=y
>   CONFIG_NF_DEFRAG_IPV6=y
>   CONFIG_NF_NAT=y
> diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
> index b30ff6b3b81a..853f694af6d4 100644
> --- a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
> +++ b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
> @@ -103,7 +103,6 @@ static void test_bpf_nf_ct(int mode)
>   		goto end;
>   
>   	ASSERT_EQ(skel->bss->test_einval_bpf_tuple, -EINVAL, "Test EINVAL for NULL bpf_tuple");
> -	ASSERT_EQ(skel->bss->test_einval_reserved, -EINVAL, "Test EINVAL for reserved not set to 0");
>   	ASSERT_EQ(skel->bss->test_einval_netns_id, -EINVAL, "Test EINVAL for netns_id < -1");
>   	ASSERT_EQ(skel->bss->test_einval_len_opts, -EINVAL, "Test EINVAL for len__opts != NF_BPF_CT_OPTS_SZ");
>   	ASSERT_EQ(skel->bss->test_eproto_l4proto, -EPROTO, "Test EPROTO for l4proto != TCP or UDP");
> @@ -122,6 +121,11 @@ static void test_bpf_nf_ct(int mode)
>   	ASSERT_EQ(skel->bss->test_exist_lookup_mark, 43, "Test existing connection lookup ctmark");
>   	ASSERT_EQ(skel->data->test_snat_addr, 0, "Test for source natting");
>   	ASSERT_EQ(skel->data->test_dnat_addr, 0, "Test for destination natting");
> +	ASSERT_EQ(skel->data->test_ct_zone_id_alloc_entry, 0, "Test for alloc new entry in specified ct zone");
> +	ASSERT_EQ(skel->data->test_ct_zone_id_insert_entry, 0, "Test for insert new entry in specified ct zone");
> +	ASSERT_EQ(skel->data->test_ct_zone_id_succ_lookup, 0, "Test for successful lookup in specified ct_zone");
> +	ASSERT_EQ(skel->bss->test_ct_zone_id_enoent_lookup, -ENOENT, "Test ENOENT for lookup in wrong ct zone");
> +
>   end:
>   	if (client_fd != -1)
>   		close(client_fd);
> diff --git a/tools/testing/selftests/bpf/progs/test_bpf_nf.c b/tools/testing/selftests/bpf/progs/test_bpf_nf.c
> index 77ad8adf68da..b47fa0708f1e 100644
> --- a/tools/testing/selftests/bpf/progs/test_bpf_nf.c
> +++ b/tools/testing/selftests/bpf/progs/test_bpf_nf.c
> @@ -12,7 +12,6 @@
>   extern unsigned long CONFIG_HZ __kconfig;
>   
>   int test_einval_bpf_tuple = 0;
> -int test_einval_reserved = 0;
>   int test_einval_netns_id = 0;
>   int test_einval_len_opts = 0;
>   int test_eproto_l4proto = 0;
> @@ -22,6 +21,10 @@ int test_eafnosupport = 0;
>   int test_alloc_entry = -EINVAL;
>   int test_insert_entry = -EAFNOSUPPORT;
>   int test_succ_lookup = -ENOENT;
> +int test_ct_zone_id_alloc_entry = -EINVAL;
> +int test_ct_zone_id_insert_entry = -EAFNOSUPPORT;
> +int test_ct_zone_id_succ_lookup = -ENOENT;
> +int test_ct_zone_id_enoent_lookup = 0;
>   u32 test_delta_timeout = 0;
>   u32 test_status = 0;
>   u32 test_insert_lookup_mark = 0;
> @@ -45,7 +48,10 @@ struct bpf_ct_opts___local {
>   	s32 netns_id;
>   	s32 error;
>   	u8 l4proto;
> -	u8 reserved[3];
> +	u8 dir;
> +	u16 ct_zone_id;
> +	u8 ct_zone_flags;
> +	u8 ct_zone_dir;

Create a new struct instead of modifying the existing one such that the existing 
test can test the size 12 still works.

The new one can use the ___new suffix like "struct bpf_ct_opts___new".

>   } __attribute__((preserve_access_index));
>   
>   struct nf_conn *bpf_xdp_ct_alloc(struct xdp_md *, struct bpf_sock_tuple *, u32,
> @@ -84,16 +90,6 @@ nf_ct_test(struct nf_conn *(*lookup_fn)(void *, struct bpf_sock_tuple *, u32,
>   	else
>   		test_einval_bpf_tuple = opts_def.error;
>   
> -	opts_def.reserved[0] = 1;
> -	ct = lookup_fn(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def,
> -		       sizeof(opts_def));
> -	opts_def.reserved[0] = 0;
> -	opts_def.l4proto = IPPROTO_TCP;
> -	if (ct)
> -		bpf_ct_release(ct);
> -	else
> -		test_einval_reserved = opts_def.error;
> -
>   	opts_def.netns_id = -2;
>   	ct = lookup_fn(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def,
>   		       sizeof(opts_def));
> @@ -220,10 +216,77 @@ nf_ct_test(struct nf_conn *(*lookup_fn)(void *, struct bpf_sock_tuple *, u32,
>   	}
>   }
>   
> +static __always_inline void
> +nf_ct_zone_id_test(struct nf_conn *(*lookup_fn)(void *, struct bpf_sock_tuple *, u32,
> +						struct bpf_ct_opts___local *, u32),
> +		   struct nf_conn *(*alloc_fn)(void *, struct bpf_sock_tuple *, u32,
> +					       struct bpf_ct_opts___local *, u32),
> +		   void *ctx)
> +{
> +	struct bpf_ct_opts___local opts_def = { .l4proto = IPPROTO_TCP, .netns_id = -1 };
> +	struct bpf_sock_tuple bpf_tuple;
> +	struct nf_conn *ct;
> +
> +	__builtin_memset(&bpf_tuple, 0, sizeof(bpf_tuple.ipv4));
> +
> +	bpf_tuple.ipv4.saddr = bpf_get_prandom_u32(); /* src IP */
> +	bpf_tuple.ipv4.daddr = bpf_get_prandom_u32(); /* dst IP */
> +	bpf_tuple.ipv4.sport = bpf_get_prandom_u32(); /* src port */
> +	bpf_tuple.ipv4.dport = bpf_get_prandom_u32(); /* dst port */
> +
> +	/* use non-default ct zone */
> +	opts_def.ct_zone_id = 10;

Can the ct_zone_flags and ct_zone_dir be tested also?

pw-bot: cr

> +	ct = alloc_fn(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def,
> +		      sizeof(opts_def));
> +	if (ct) {
> +		__u16 sport = bpf_get_prandom_u32();
> +		__u16 dport = bpf_get_prandom_u32();
> +		union nf_inet_addr saddr = {};
> +		union nf_inet_addr daddr = {};
> +		struct nf_conn *ct_ins;
> +
> +		bpf_ct_set_timeout(ct, 10000);
> +
> +		/* snat */
> +		saddr.ip = bpf_get_prandom_u32();
> +		bpf_ct_set_nat_info(ct, &saddr, sport, NF_NAT_MANIP_SRC___local);
> +		/* dnat */
> +		daddr.ip = bpf_get_prandom_u32();
> +		bpf_ct_set_nat_info(ct, &daddr, dport, NF_NAT_MANIP_DST___local);
> +
> +		ct_ins = bpf_ct_insert_entry(ct);
> +		if (ct_ins) {
> +			struct nf_conn *ct_lk;
> +
> +			/* entry should exist in same ct zone we inserted it */
> +			ct_lk = lookup_fn(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4),
> +					  &opts_def, sizeof(opts_def));
> +			if (ct_lk) {
> +				bpf_ct_release(ct_lk);
> +				test_ct_zone_id_succ_lookup = 0;
> +			}
> +
> +			/* entry should not exist in default ct zone */
> +			opts_def.ct_zone_id = 0;
> +			ct_lk = lookup_fn(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4),
> +					  &opts_def, sizeof(opts_def));
> +			if (ct_lk)
> +				bpf_ct_release(ct_lk);
> +			else
> +				test_ct_zone_id_enoent_lookup = opts_def.error;
> +
> +			bpf_ct_release(ct_ins);
> +			test_ct_zone_id_insert_entry = 0;
> +		}
> +		test_ct_zone_id_alloc_entry = 0;
> +	}
> +}
> +
>   SEC("xdp")
>   int nf_xdp_ct_test(struct xdp_md *ctx)
>   {
>   	nf_ct_test((void *)bpf_xdp_ct_lookup, (void *)bpf_xdp_ct_alloc, ctx);
> +	nf_ct_zone_id_test((void *)bpf_xdp_ct_lookup, (void *)bpf_xdp_ct_alloc, ctx);
>   	return 0;
>   }
>   
> @@ -231,6 +294,7 @@ SEC("tc")
>   int nf_skb_ct_test(struct __sk_buff *ctx)
>   {
>   	nf_ct_test((void *)bpf_skb_ct_lookup, (void *)bpf_skb_ct_alloc, ctx);
> +	nf_ct_zone_id_test((void *)bpf_skb_ct_lookup, (void *)bpf_skb_ct_alloc, ctx);
>   	return 0;
>   }
>   


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ