| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240501050321.157531-1-brad@faucet.nz>
Date: Wed, 1 May 2024 17:03:21 +1200
From: Brad Cowie <brad@...cet.nz>
To: martin.lau@...ux.dev
Cc: andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org, brad@...cet.nz,
coreteam@...filter.org, daniel@...earbox.net, davem@...emloft.net,
john.fastabend@...il.com, jolsa@...nel.org, kuba@...nel.org,
lorenzo@...nel.org, memxor@...il.com, netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org, pabeni@...hat.com, pablo@...filter.org,
sdf@...gle.com, song@...nel.org
Subject: Re: [PATCH bpf-next v2 2/2] selftests/bpf: Update tests for new ct zone opts for nf_conntrack kfuncs
On Fri, 26 Apr 2024 at 11:34, Martin KaFai Lau <martin.lau@...ux.dev> wrote:
> On 4/23/24 8:00 PM, Brad Cowie wrote:
> > } __attribute__((preserve_access_index));
> >
> > struct nf_conn *bpf_xdp_ct_alloc(struct xdp_md *, struct bpf_sock_tuple *, u32,
> > @@ -84,16 +90,6 @@ nf_ct_test(struct nf_conn *(*lookup_fn)(void *, struct bpf_sock_tuple *, u32,
> > else
> > test_einval_bpf_tuple = opts_def.error;
> >
> > - opts_def.reserved[0] = 1;
> > - ct = lookup_fn(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def,
> > - sizeof(opts_def));
> > - opts_def.reserved[0] = 0;
> > - opts_def.l4proto = IPPROTO_TCP;
> > - if (ct)
> > - bpf_ct_release(ct);
> > - else
> > - test_einval_reserved = opts_def.error;
> > -
> > opts_def.netns_id = -2;
> > ct = lookup_fn(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def,
> > sizeof(opts_def));
> > @@ -220,10 +216,77 @@ nf_ct_test(struct nf_conn *(*lookup_fn)(void *, struct bpf_sock_tuple *, u32,
> > }
> > }
> >
> > +static __always_inline void
> > +nf_ct_zone_id_test(struct nf_conn *(*lookup_fn)(void *, struct bpf_sock_tuple *, u32,
> > + struct bpf_ct_opts___local *, u32),
> > + struct nf_conn *(*alloc_fn)(void *, struct bpf_sock_tuple *, u32,
> > + struct bpf_ct_opts___local *, u32),
> > + void *ctx)
> > +{
> > + struct bpf_ct_opts___local opts_def = { .l4proto = IPPROTO_TCP, .netns_id = -1 };
> > + struct bpf_sock_tuple bpf_tuple;
> > + struct nf_conn *ct;
> > +
> > + __builtin_memset(&bpf_tuple, 0, sizeof(bpf_tuple.ipv4));
> > +
> > + bpf_tuple.ipv4.saddr = bpf_get_prandom_u32(); /* src IP */
> > + bpf_tuple.ipv4.daddr = bpf_get_prandom_u32(); /* dst IP */
> > + bpf_tuple.ipv4.sport = bpf_get_prandom_u32(); /* src port */
> > + bpf_tuple.ipv4.dport = bpf_get_prandom_u32(); /* dst port */
> > +
> > + /* use non-default ct zone */
> > + opts_def.ct_zone_id = 10;
>
> Can the ct_zone_flags and ct_zone_dir be tested also?
I have added an additional test for ct_zone_dir, this will be included
in my v3 patchset.
While writing a test for ct_zone_flags, I realised this option is not
used for the conntrack functions that the bpf ct helper functions call,
nf_conntrack_alloc() and nf_conntrack_find_get(), it is only used by
nf_conntrack_in(), so I will remove ct_zone_flags from my v3 patchset.
Powered by blists - more mailing lists