lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZzdyswzsKSYwkY__@mini-arch>
Date: Fri, 15 Nov 2024 08:11:31 -0800
From: Stanislav Fomichev <stfomichev@...il.com>
To: Alexis Lothoré (eBPF Foundation) <alexis.lothore@...tlin.com>
Cc: Andrii Nakryiko <andrii@...nel.org>,
	Eduard Zingerman <eddyz87@...il.com>,
	Mykola Lysenko <mykolal@...com>,
	Alexei Starovoitov <ast@...nel.org>,
	Daniel Borkmann <daniel@...earbox.net>,
	Martin KaFai Lau <martin.lau@...ux.dev>, Song Liu <song@...nel.org>,
	Yonghong Song <yonghong.song@...ux.dev>,
	John Fastabend <john.fastabend@...il.com>,
	KP Singh <kpsingh@...nel.org>, Stanislav Fomichev <sdf@...ichev.me>,
	Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>,
	Shuah Khan <shuah@...nel.org>,
	"David S. Miller" <davem@...emloft.net>,
	Jakub Kicinski <kuba@...nel.org>,
	Jesper Dangaard Brouer <hawk@...nel.org>, ebpf@...uxfoundation.org,
	Thomas Petazzoni <thomas.petazzoni@...tlin.com>,
	Bastien Curutchet <bastien.curutchet@...tlin.com>,
	bpf@...r.kernel.org, linux-kselftest@...r.kernel.org,
	linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH bpf-next v2 12/13] selftests/bpf: migrate bpf flow
 dissectors tests to test_progs

On 11/14, Alexis Lothoré (eBPF Foundation) wrote:
> test_flow_dissector.sh loads flow_dissector program and subprograms,
> creates and configured relevant tunnels and interfaces, and ensure that
> the bpf dissection is actually performed correctly. Similar tests exist
> in test_progs (thanks to flow_dissector.c) and run the same programs,
> but those are only executed with BPF_PROG_RUN: those tests are then
> missing some coverage (eg: coverage for flow keys manipulated when the
> configured flower uses a port range, which has a dedicated test in
> test_flow_dissector.sh)
> 
> Convert test_flow_dissector.sh into test_progs so that the corresponding
> tests are also run in CI.
> 
> Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.lothore@...tlin.com>
> ---
> Changes in v2:
> - use new helpers added to network_helpers
> 
> The content of this new test is heavily based on the initial
> test_flow_dissector.c. I have kept most of the packet build function
> (even if not all packet types are used for the test) to allow extending
> the test later if needed.
> 
> The new test has been executed in a local x86 qemu environment as well
> as in CI:
> 
>   # ./test_progs -a flow_dissector_classification
>   #102/1   flow_dissector_classification/ipv4:OK
>   #102/2   flow_dissector_classification/ipv4_continue_dissect:OK
>   #102/3   flow_dissector_classification/ipip:OK
>   #102/4   flow_dissector_classification/gre:OK
>   #102/5   flow_dissector_classification/port_range:OK
>   #102/6   flow_dissector_classification/ipv6:OK
>   #102     flow_dissector_classification:OK
> ---
>  .../bpf/prog_tests/flow_dissector_classification.c | 807 +++++++++++++++++++++
>  1 file changed, 807 insertions(+)
> 
> diff --git a/tools/testing/selftests/bpf/prog_tests/flow_dissector_classification.c b/tools/testing/selftests/bpf/prog_tests/flow_dissector_classification.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..e9bd145ee8f0cbee3487bc1e241f3c6b5f25fecb
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/flow_dissector_classification.c
> @@ -0,0 +1,807 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +#define _GNU_SOURCE
> +#include <stdbool.h>
> +#include <stdlib.h>
> +#include <stdio.h>
> +#include <bpf/bpf.h>
> +#include <linux/bpf.h>
> +#include <bpf/libbpf.h>
> +#include <arpa/inet.h>
> +#include <asm/byteorder.h>
> +#include <netinet/udp.h>
> +#include <poll.h>
> +#include <string.h>
> +#include <sys/ioctl.h>
> +#include <sys/socket.h>
> +#include <sys/time.h>
> +#include <unistd.h>
> +#include "test_progs.h"
> +#include "network_helpers.h"
> +#include "bpf_util.h"
> +#include "bpf_flow.skel.h"
> +
> +#define CFG_PORT_INNER 8000
> +#define CFG_PORT_GUE 6080
> +#define SUBTEST_NAME_MAX_LEN 32
> +#define TEST_NAME_MAX_LEN (32 + SUBTEST_NAME_MAX_LEN)
> +#define MAX_SOURCE_PORTS 3
> +#define TEST_PACKETS_COUNT 10
> +#define TEST_PACKET_LEN 100
> +#define TEST_PACKET_PATTERN 'a'
> +#define TEST_IPV4 "192.168.0.1/32"
> +#define TEST_IPV6 "100::a/128"
> +#define TEST_TUNNEL_REMOTE "127.0.0.2"
> +#define TEST_TUNNEL_LOCAL "127.0.0.1"
> +
> +#define INIT_ADDR4(addr4, port)					\
> +	{							\
> +		.sin_family = AF_INET,				\
> +		.sin_port = __constant_htons(port),		\
> +		.sin_addr.s_addr = __constant_htonl(addr4),	\
> +	}
> +
> +#define INIT_ADDR6(addr6, port)				\
> +	{						\
> +		.sin6_family = AF_INET6,		\
> +		.sin6_port = __constant_htons(port),	\
> +		.sin6_addr = addr6,			\
> +	}
> +#define TEST_IN4_SRC_ADDR_DEFAULT INIT_ADDR4(INADDR_LOOPBACK + 2, 0)
> +#define TEST_IN4_DST_ADDR_DEFAULT INIT_ADDR4(INADDR_LOOPBACK, CFG_PORT_INNER)
> +#define TEST_OUT4_SRC_ADDR_DEFAULT INIT_ADDR4(INADDR_LOOPBACK + 1, 0)
> +#define TEST_OUT4_DST_ADDR_DEFAULT INIT_ADDR4(INADDR_LOOPBACK, 0)
> +
> +#define TEST_IN6_SRC_ADDR_DEFAULT INIT_ADDR6(IN6ADDR_LOOPBACK_INIT, 0)
> +#define TEST_IN6_DST_ADDR_DEFAULT \
> +	INIT_ADDR6(IN6ADDR_LOOPBACK_INIT, CFG_PORT_INNER)
> +#define TEST_OUT6_SRC_ADDR_DEFAULT INIT_ADDR6(IN6ADDR_LOOPBACK_INIT, 0)
> +#define TEST_OUT6_DST_ADDR_DEFAULT INIT_ADDR6(IN6ADDR_LOOPBACK_INIT, 0)
> +
> +#define TEST_IN4_SRC_ADDR_DISSECT_CONTINUE INIT_ADDR4(INADDR_LOOPBACK + 126, 0)
> +#define TEST_IN4_SRC_ADDR_IPIP INIT_ADDR4((in_addr_t)0x01010101, 0)
> +#define TEST_IN4_DST_ADDR_IPIP INIT_ADDR4((in_addr_t)0xC0A80001, CFG_PORT_INNER)
> +
> +struct grehdr {
> +	uint16_t unused;
> +	uint16_t protocol;
> +} __packed;
> +
> +struct guehdr {
> +	union {
> +		struct {
> +#if defined(__LITTLE_ENDIAN_BITFIELD)
> +			__u8 hlen : 5, control : 1, version : 2;
> +#elif defined(__BIG_ENDIAN_BITFIELD)
> +			__u8 version : 2, control : 1, hlen : 5;
> +#else
> +#error "Please fix <asm/byteorder.h>"
> +#endif
> +			__u8 proto_ctype;
> +			__be16 flags;
> +		};
> +		__be32 word;
> +	};
> +};
> +
> +static char buf[ETH_DATA_LEN];
> +
> +struct test_configuration {
> +	char name[SUBTEST_NAME_MAX_LEN];
> +	int (*test_setup)(void);
> +	void (*test_teardown)(void);
> +	int source_ports[MAX_SOURCE_PORTS];
> +	int cfg_l3_inner;
> +	struct sockaddr_in in_saddr4;
> +	struct sockaddr_in in_daddr4;
> +	struct sockaddr_in6 in_saddr6;
> +	struct sockaddr_in6 in_daddr6;
> +	int cfg_l3_outer;
> +	struct sockaddr_in out_saddr4;
> +	struct sockaddr_in out_daddr4;
> +	struct sockaddr_in6 out_saddr6;
> +	struct sockaddr_in6 out_daddr6;
> +	int cfg_encap_proto;
> +	uint8_t cfg_dsfield_inner;
> +	uint8_t cfg_dsfield_outer;
> +	int cfg_l3_extra;
> +	struct sockaddr_in extra_saddr4;
> +	struct sockaddr_in extra_daddr4;
> +	struct sockaddr_in6 extra_saddr6;
> +	struct sockaddr_in6 extra_daddr6;
> +};
> +
> +static unsigned long util_gettime(void)
> +{
> +	struct timeval tv;
> +
> +	gettimeofday(&tv, NULL);
> +	return (tv.tv_sec * 1000) + (tv.tv_usec / 1000);
> +}
> +
> +static void build_ipv4_header(void *header, uint8_t proto, uint32_t src,
> +			      uint32_t dst, int payload_len, uint8_t tos)
> +{
> +	struct iphdr *iph = header;
> +
> +	iph->ihl = 5;
> +	iph->version = 4;
> +	iph->tos = tos;
> +	iph->ttl = 8;
> +	iph->tot_len = htons(sizeof(*iph) + payload_len);
> +	iph->id = htons(1337);
> +	iph->protocol = proto;
> +	iph->saddr = src;
> +	iph->daddr = dst;
> +	iph->check = build_ip_csum((void *)iph);
> +}
> +
> +static void ipv6_set_dsfield(struct ipv6hdr *ip6h, uint8_t dsfield)
> +{
> +	uint16_t val, *ptr = (uint16_t *)ip6h;
> +
> +	val = ntohs(*ptr);
> +	val &= 0xF00F;
> +	val |= ((uint16_t)dsfield) << 4;
> +	*ptr = htons(val);
> +}
> +
> +static void build_ipv6_header(void *header, uint8_t proto,
> +			      struct sockaddr_in6 *src,
> +			      struct sockaddr_in6 *dst, int payload_len,
> +			      uint8_t dsfield)
> +{
> +	struct ipv6hdr *ip6h = header;
> +
> +	ip6h->version = 6;
> +	ip6h->payload_len = htons(payload_len);
> +	ip6h->nexthdr = proto;
> +	ip6h->hop_limit = 8;
> +	ipv6_set_dsfield(ip6h, dsfield);
> +
> +	memcpy(&ip6h->saddr, &src->sin6_addr, sizeof(ip6h->saddr));
> +	memcpy(&ip6h->daddr, &dst->sin6_addr, sizeof(ip6h->daddr));
> +}
> +
> +static void build_udp_header(void *header, int payload_len, uint16_t sport,
> +			     uint16_t dport, int family)
> +{
> +	struct udphdr *udph = header;
> +	int len = sizeof(*udph) + payload_len;
> +
> +	udph->source = htons(sport);
> +	udph->dest = htons(dport);
> +	udph->len = htons(len);
> +	udph->check = 0;
> +	if (family == AF_INET)
> +		udph->check = build_udp_v4_csum(header - sizeof(struct iphdr),
> +						IPPROTO_UDP, udph->len,
> +						udph, len >> 1);
> +	else
> +		udph->check = build_udp_v6_csum(header - sizeof(struct ipv6hdr),
> +						udph, len >> 1);
> +}
> +
> +static void build_gue_header(void *header, uint8_t proto)
> +{
> +	struct guehdr *gueh = header;
> +
> +	gueh->proto_ctype = proto;
> +}
> +
> +static void build_gre_header(void *header, uint16_t proto)
> +{
> +	struct grehdr *greh = header;
> +
> +	greh->protocol = htons(proto);
> +}
> +
> +static int l3_length(int family)
> +{
> +	if (family == AF_INET)
> +		return sizeof(struct iphdr);
> +	else
> +		return sizeof(struct ipv6hdr);
> +}
> +
> +static int build_packet(struct test_configuration *test, uint16_t sport)
> +{
> +	int ol3_len = 0, ol4_len = 0, il3_len = 0, il4_len = 0;
> +	int el3_len = 0, packet_len;
> +
> +	memset(buf, 0, ETH_DATA_LEN);
> +
> +	if (test->cfg_l3_extra)
> +		el3_len = l3_length(test->cfg_l3_extra);
> +
> +	/* calculate header offsets */
> +	if (test->cfg_encap_proto) {
> +		ol3_len = l3_length(test->cfg_l3_outer);
> +
> +		if (test->cfg_encap_proto == IPPROTO_GRE)
> +			ol4_len = sizeof(struct grehdr);
> +		else if (test->cfg_encap_proto == IPPROTO_UDP)
> +			ol4_len = sizeof(struct udphdr) + sizeof(struct guehdr);
> +	}
> +
> +	il3_len = l3_length(test->cfg_l3_inner);
> +	il4_len = sizeof(struct udphdr);
> +
> +	packet_len = el3_len + ol3_len + ol4_len + il3_len + il4_len +
> +		     TEST_PACKET_LEN;
> +	if (!ASSERT_LE(packet_len, sizeof(buf), "check packet size"))
> +		return -1;
> +
> +	/*
> +	 * Fill packet from inside out, to calculate correct checksums.
> +	 * But create ip before udp headers, as udp uses ip for pseudo-sum.
> +	 */
> +	memset(buf + el3_len + ol3_len + ol4_len + il3_len + il4_len,
> +	       TEST_PACKET_PATTERN, TEST_PACKET_LEN);
> +
> +	/* add zero byte for udp csum padding */
> +	buf[el3_len + ol3_len + ol4_len + il3_len + il4_len + TEST_PACKET_LEN] =
> +		0;
> +
> +	switch (test->cfg_l3_inner) {
> +	case PF_INET:
> +		build_ipv4_header(buf + el3_len + ol3_len + ol4_len,
> +				  IPPROTO_UDP, test->in_saddr4.sin_addr.s_addr,
> +				  test->in_daddr4.sin_addr.s_addr,
> +				  il4_len + TEST_PACKET_LEN,
> +				  test->cfg_dsfield_inner);
> +		break;
> +	case PF_INET6:
> +		build_ipv6_header(buf + el3_len + ol3_len + ol4_len,
> +				  IPPROTO_UDP, &test->in_saddr6,
> +				  &test->in_daddr6, il4_len + TEST_PACKET_LEN,
> +				  test->cfg_dsfield_inner);
> +		break;
> +	}
> +
> +	build_udp_header(buf + el3_len + ol3_len + ol4_len + il3_len,
> +			 TEST_PACKET_LEN, sport, CFG_PORT_INNER,
> +			 test->cfg_l3_inner);
> +
> +	if (!test->cfg_encap_proto)
> +		return il3_len + il4_len + TEST_PACKET_LEN;
> +
> +	switch (test->cfg_l3_outer) {
> +	case PF_INET:
> +		build_ipv4_header(buf + el3_len, test->cfg_encap_proto,
> +				  test->out_saddr4.sin_addr.s_addr,
> +				  test->out_daddr4.sin_addr.s_addr,
> +				  ol4_len + il3_len + il4_len + TEST_PACKET_LEN,
> +				  test->cfg_dsfield_outer);
> +		break;
> +	case PF_INET6:
> +		build_ipv6_header(buf + el3_len, test->cfg_encap_proto,
> +				  &test->out_saddr6, &test->out_daddr6,
> +				  ol4_len + il3_len + il4_len + TEST_PACKET_LEN,
> +				  test->cfg_dsfield_outer);
> +		break;
> +	}
> +
> +	switch (test->cfg_encap_proto) {
> +	case IPPROTO_UDP:
> +		build_gue_header(buf + el3_len + ol3_len + ol4_len -
> +					 sizeof(struct guehdr),
> +				 test->cfg_l3_inner == PF_INET ? IPPROTO_IPIP :
> +								 IPPROTO_IPV6);
> +		build_udp_header(buf + el3_len + ol3_len,
> +				 sizeof(struct guehdr) + il3_len + il4_len +
> +					 TEST_PACKET_LEN,
> +				 sport, CFG_PORT_GUE, test->cfg_l3_outer);
> +		break;
> +	case IPPROTO_GRE:
> +		build_gre_header(buf + el3_len + ol3_len,
> +				 test->cfg_l3_inner == PF_INET ? ETH_P_IP :
> +								 ETH_P_IPV6);
> +		break;
> +	}
> +
> +	switch (test->cfg_l3_extra) {
> +	case PF_INET:
> +		build_ipv4_header(buf,
> +				  test->cfg_l3_outer == PF_INET ? IPPROTO_IPIP :
> +								  IPPROTO_IPV6,
> +				  test->extra_saddr4.sin_addr.s_addr,
> +				  test->extra_daddr4.sin_addr.s_addr,
> +				  ol3_len + ol4_len + il3_len + il4_len +
> +					  TEST_PACKET_LEN,
> +				  0);
> +		break;
> +	case PF_INET6:
> +		build_ipv6_header(buf,
> +				  test->cfg_l3_outer == PF_INET ? IPPROTO_IPIP :
> +								  IPPROTO_IPV6,
> +				  &test->extra_saddr6, &test->extra_daddr6,
> +				  ol3_len + ol4_len + il3_len + il4_len +
> +					  TEST_PACKET_LEN,
> +				  0);
> +		break;
> +	}
> +
> +	return el3_len + ol3_len + ol4_len + il3_len + il4_len +
> +	       TEST_PACKET_LEN;
> +}
> +
> +/* sender transmits encapsulated over RAW or unencap'd over UDP */
> +static int setup_tx(struct test_configuration *test)
> +{
> +	int family, fd, ret;
> +
> +	if (test->cfg_l3_extra)
> +		family = test->cfg_l3_extra;
> +	else if (test->cfg_l3_outer)
> +		family = test->cfg_l3_outer;
> +	else
> +		family = test->cfg_l3_inner;
> +
> +	fd = socket(family, SOCK_RAW, IPPROTO_RAW);
> +	if (!ASSERT_OK_FD(fd, "setup tx socket"))
> +		return fd;
> +
> +	if (test->cfg_l3_extra) {
> +		if (test->cfg_l3_extra == PF_INET)
> +			ret = connect(fd, (void *)&test->extra_daddr4,
> +				      sizeof(test->extra_daddr4));
> +		else
> +			ret = connect(fd, (void *)&test->extra_daddr6,
> +				      sizeof(test->extra_daddr6));
> +		if (!ASSERT_OK(ret, "connect")) {
> +			close(fd);
> +			return ret;
> +		}
> +	} else if (test->cfg_l3_outer) {
> +		/* connect to destination if not encapsulated */
> +		if (test->cfg_l3_outer == PF_INET)
> +			ret = connect(fd, (void *)&test->out_daddr4,
> +				      sizeof(test->out_daddr4));
> +		else
> +			ret = connect(fd, (void *)&test->out_daddr6,
> +				      sizeof(test->out_daddr6));
> +		if (!ASSERT_OK(ret, "connect")) {
> +			close(fd);
> +			return ret;
> +		}
> +	} else {
> +		/* otherwise using loopback */
> +		if (test->cfg_l3_inner == PF_INET)
> +			ret = connect(fd, (void *)&test->in_daddr4,
> +				      sizeof(test->in_daddr4));
> +		else
> +			ret = connect(fd, (void *)&test->in_daddr6,
> +				      sizeof(test->in_daddr6));
> +		if (!ASSERT_OK(ret, "connect")) {
> +			close(fd);
> +			return ret;
> +		}
> +	}
> +
> +	return fd;
> +}
> +
> +/* receiver reads unencapsulated UDP */
> +static int setup_rx(struct test_configuration *test)
> +{
> +	int fd, ret;
> +
> +	fd = socket(test->cfg_l3_inner, SOCK_DGRAM, 0);
> +	if (!ASSERT_OK_FD(fd, "socket rx"))
> +		return fd;
> +
> +	if (test->cfg_l3_inner == PF_INET)
> +		ret = bind(fd, (void *)&test->in_daddr4,
> +			   sizeof(test->in_daddr4));
> +	else
> +		ret = bind(fd, (void *)&test->in_daddr6,
> +			   sizeof(test->in_daddr6));
> +	if (!ASSERT_OK(ret, "bind rx")) {
> +		close(fd);
> +		return ret;
> +	}
> +
> +	return fd;
> +}
> +
> +static int do_tx(int fd, const char *pkt, int len)
> +{
> +	int ret;
> +
> +	ret = write(fd, pkt, len);
> +	return ret != len;
> +}
> +
> +static int do_poll(int fd, short events, int timeout)
> +{
> +	struct pollfd pfd;
> +	int ret;
> +
> +	pfd.fd = fd;
> +	pfd.events = events;
> +
> +	ret = poll(&pfd, 1, timeout);
> +	return ret;
> +}
> +
> +static int do_rx(int fd)
> +{
> +	char rbuf;
> +	int ret, num = 0;
> +
> +	while (1) {
> +		ret = recv(fd, &rbuf, 1, MSG_DONTWAIT);
> +		if (ret == -1 && errno == EAGAIN)
> +			break;
> +		if (!ASSERT_GE(ret, 0, "check recv return code"))
> +			return -1;
> +		if (!ASSERT_EQ(rbuf, TEST_PACKET_PATTERN, "check pkt pattern"))
> +			return -1;
> +		num++;
> +	}
> +
> +	return num;
> +}
> +
> +static int run_test(struct test_configuration *test, int source_port_index)
> +{
> +	int fdt = -1, fdr = -1, len, tx = 0, rx = 0, err;
> +	unsigned long tstop, tcur;
> +
> +	fdr = setup_rx(test);
> +	fdt = setup_tx(test);
> +	if (!ASSERT_OK_FD(fdr, "setup rx") || !ASSERT_OK_FD(fdt, "setup tx")) {
> +		err = -1;
> +		goto out_close_sockets;
> +	}
> +
> +	len = build_packet(test,
> +			   (uint16_t)test->source_ports[source_port_index]);
> +	if (!ASSERT_GT(len, 0, "build test packet"))
> +		return -1;
> +
> +	tcur = util_gettime();
> +	tstop = tcur;
> +
> +	while (tx < TEST_PACKETS_COUNT) {
> +		if (!ASSERT_OK(do_tx(fdt, buf, len), "do_tx"))
> +			break;
> +		tx++;
> +		err = do_rx(fdr);

[..]

> +		if (!ASSERT_GE(err, 0, "do_rx"))
> +			break;

You seem to be already doing similar ASSERT_GE inside the do_rx, maybe
drop one?

> +		rx += err;
> +	}
> +
> +	/* read straggler packets, if any */
> +	if (rx < tx) {
> +		tstop = util_gettime() + 100;
> +		while (rx < tx) {
> +			tcur = util_gettime();
> +			if (tcur >= tstop)
> +				break;
> +
> +			err = do_poll(fdr, POLLIN, tstop - tcur);
> +			if (err < 0)
> +				break;
> +			err = do_rx(fdr);
> +			if (err >= 0)
> +				rx += err;
> +		}
> +	}
> +
> +out_close_sockets:
> +	close(fdt);
> +	close(fdr);
> +	return rx;
> +}
> +
> +static int attach_and_configure_program(struct bpf_flow *skel)
> +{
> +	struct bpf_map *prog_array = skel->maps.jmp_table;
> +	int main_prog_fd, sub_prog_fd, map_fd, i, err;
> +	struct bpf_program *prog;
> +	char prog_name[32];
> +
> +	main_prog_fd = bpf_program__fd(skel->progs._dissect);
> +	if (main_prog_fd < 0)
> +		return main_prog_fd;
> +
> +	err = bpf_prog_attach(main_prog_fd, 0, BPF_FLOW_DISSECTOR, 0);
> +	if (err)
> +		return err;
> +
> +	map_fd = bpf_map__fd(prog_array);
> +	if (map_fd < 0)
> +		return map_fd;
> +
> +	for (i = 0; i < bpf_map__max_entries(prog_array); i++) {
> +		snprintf(prog_name, sizeof(prog_name), "flow_dissector_%d", i);
> +
> +		prog = bpf_object__find_program_by_name(skel->obj, prog_name);
> +		if (!prog)
> +			return -1;
> +
> +		sub_prog_fd = bpf_program__fd(prog);
> +		if (sub_prog_fd < 0)
> +			return -1;
> +
> +		err = bpf_map_update_elem(map_fd, &i, &sub_prog_fd, BPF_ANY);
> +		if (err)
> +			return -1;
> +	}
> +
> +	return main_prog_fd;
> +}
> +
> +static void detach_program(struct bpf_flow *skel, int prog_fd)
> +{
> +	bpf_prog_detach2(prog_fd, 0, BPF_FLOW_DISSECTOR);
> +}
> +
> +static int set_port_drop(int pf, bool multi_port)
> +{
> +	SYS(fail, "tc qdisc add dev lo ingress");
> +	SYS(fail_delete_qdisc, "tc filter add %s %s %s %s %s %s %s %s %s %s",
> +	    "dev lo",
> +	    "parent FFFF:",
> +	    "protocol", pf == PF_INET6 ? "ipv6" : "ip",
> +	    "pref 1337",
> +	    "flower",
> +	    "ip_proto udp",
> +	    "src_port", multi_port ? "8-10" : "9",
> +	    "action drop");
> +	return 0;
> +
> +fail_delete_qdisc:
> +	SYS_NOFAIL("tc qdisc del dev lo ingress");
> +fail:
> +	return 1;
> +}
> +
> +static void remove_filter(void)
> +{
> +	SYS_NOFAIL("tc filter del dev lo ingress");
> +	SYS_NOFAIL("tc qdisc del dev lo ingress");
> +}
> +
> +static int ipv4_setup(void)
> +{
> +	return set_port_drop(PF_INET, false);
> +}
> +
> +static int ipv6_setup(void)
> +{
> +	return set_port_drop(PF_INET6, false);
> +}
> +
> +static int port_range_setup(void)
> +{
> +	return set_port_drop(PF_INET, true);
> +}


[..]

> +static void ipv4_shutdown(void)
> +{
> +	remove_filter();
> +}
> +
> +static void ipv6_shutdown(void)
> +{
> +	remove_filter();
> +}
> +
> +static void port_range_shutdown(void)
> +{
> +	remove_filter();
> +}

nit: Maybe use remove_filter directly as .test_teardown? These extra
wrappers are not adding anything (imho).

> +static int set_addresses(void)
> +{
> +	SYS(out, "ip -4 addr add  %s dev lo", TEST_IPV4);
> +	SYS(out_remove_ipv4, "ip -6 addr add %s dev lo", TEST_IPV6);
> +	return 0;
> +out_remove_ipv4:
> +	SYS_NOFAIL("ip -4 addr del %s dev lo", TEST_IPV4);
> +out:
> +	return -1;
> +}
> +
> +static void unset_addresses(void)
> +{
> +	SYS_NOFAIL("ip -4 addr del %s dev lo", TEST_IPV4);
> +	SYS_NOFAIL("ip -6 addr del %s dev lo", TEST_IPV6);
> +}
> +
> +static int ipip_setup(void)
> +{
> +	if (!ASSERT_OK(set_addresses(), "configure addresses"))
> +		return -1;
> +	if (!ASSERT_OK(set_port_drop(PF_INET, false), "set filter"))
> +		goto out_unset_addresses;
> +	SYS(out_remove_filter,
> +	    "ip link add ipip_test type ipip remote %s local %s dev lo",
> +	    TEST_TUNNEL_REMOTE, TEST_TUNNEL_LOCAL);
> +	SYS(out_clean_netif, "ip link set ipip_test up");
> +	return 0;
> +
> +out_clean_netif:
> +	SYS_NOFAIL("ip link del ipip_test");
> +out_remove_filter:
> +	remove_filter();
> +out_unset_addresses:
> +	unset_addresses();
> +	return -1;
> +}
> +
> +static void ipip_shutdown(void)
> +{
> +	SYS_NOFAIL("ip link del ipip_test");
> +	remove_filter();
> +	unset_addresses();
> +}
> +
> +static int gre_setup(void)
> +{
> +	if (!ASSERT_OK(set_addresses(), "configure addresses"))
> +		return -1;
> +	if (!ASSERT_OK(set_port_drop(PF_INET, false), "set filter"))
> +		goto out_unset_addresses;
> +	SYS(out_remove_filter,
> +	    "ip link add gre_test type gre remote %s local %s dev lo",
> +	    TEST_TUNNEL_REMOTE, TEST_TUNNEL_LOCAL);
> +	SYS(out_clean_netif, "ip link set gre_test up");
> +	return 0;
> +
> +out_clean_netif:
> +	SYS_NOFAIL("ip link del ipip_test");
> +out_remove_filter:
> +	remove_filter();
> +out_unset_addresses:
> +	unset_addresses();
> +	return -1;
> +}
> +
> +static void gre_shutdown(void)
> +{
> +	SYS_NOFAIL("ip link del gre_test");
> +	remove_filter();
> +	unset_addresses();
> +}
> +
> +static const struct test_configuration tests_input[] = {
> +	{
> +		.name = "ipv4",
> +		.test_setup = ipv4_setup,
> +		.test_teardown = ipv4_shutdown,
> +		.source_ports = { 8, 9, 10 },
> +		.cfg_l3_inner = PF_INET,
> +		.in_saddr4 = TEST_IN4_SRC_ADDR_DEFAULT,
> +		.in_daddr4 = TEST_IN4_DST_ADDR_DEFAULT
> +	},
> +	{
> +		.name = "ipv4_continue_dissect",
> +		.test_setup = ipv4_setup,
> +		.test_teardown = ipv4_shutdown,
> +		.source_ports = { 8, 9, 10 },
> +		.cfg_l3_inner = PF_INET,
> +		.in_saddr4 = TEST_IN4_SRC_ADDR_DISSECT_CONTINUE,
> +		.in_daddr4 = TEST_IN4_DST_ADDR_DEFAULT },
> +	{
> +		.name = "ipip",
> +		.test_setup = ipip_setup,
> +		.test_teardown = ipip_shutdown,
> +		.source_ports = { 8, 9, 10 },
> +		.cfg_l3_inner = PF_INET,
> +		.in_saddr4 = TEST_IN4_SRC_ADDR_IPIP,
> +		.in_daddr4 = TEST_IN4_DST_ADDR_IPIP,
> +		.out_saddr4 = TEST_OUT4_SRC_ADDR_DEFAULT,
> +		.out_daddr4 = TEST_OUT4_DST_ADDR_DEFAULT,
> +		.cfg_l3_outer = PF_INET,
> +		.cfg_encap_proto = IPPROTO_IPIP,
> +
> +	},
> +	{
> +		.name = "gre",
> +		.test_setup = gre_setup,
> +		.test_teardown = gre_shutdown,
> +		.source_ports = { 8, 9, 10 },
> +		.cfg_l3_inner = PF_INET,
> +		.in_saddr4 = TEST_IN4_SRC_ADDR_IPIP,
> +		.in_daddr4 = TEST_IN4_DST_ADDR_IPIP,
> +		.out_saddr4 = TEST_OUT4_SRC_ADDR_DEFAULT,
> +		.out_daddr4 = TEST_OUT4_DST_ADDR_DEFAULT,
> +		.cfg_l3_outer = PF_INET,
> +		.cfg_encap_proto = IPPROTO_GRE,
> +	},
> +	{
> +		.name = "port_range",
> +		.test_setup = port_range_setup,
> +		.test_teardown = port_range_shutdown,
> +		.source_ports = { 7, 9, 11 },
> +		.cfg_l3_inner = PF_INET,
> +		.in_saddr4 = TEST_IN4_SRC_ADDR_DEFAULT,
> +		.in_daddr4 = TEST_IN4_DST_ADDR_DEFAULT },
> +	{
> +		.name = "ipv6",
> +		.test_setup = ipv6_setup,
> +		.test_teardown = ipv6_shutdown,
> +		.source_ports = { 8, 9, 10 },
> +		.cfg_l3_inner = PF_INET6,
> +		.in_saddr6 = TEST_IN6_SRC_ADDR_DEFAULT,
> +		.in_daddr6 = TEST_IN6_DST_ADDR_DEFAULT
> +	},
> +};
> +
> +struct test_ctx {
> +	struct bpf_flow *skel;
> +	struct netns_obj *ns;
> +	int prog_fd;
> +};
> +
> +static int test_global_init(struct test_ctx *ctx)
> +{
> +	int err;
> +
> +	ctx->skel = bpf_flow__open_and_load();
> +	if (!ASSERT_OK_PTR(ctx->skel, "open and load flow_dissector"))
> +		return -1;
> +
> +	ctx->ns = netns_new("flow_dissector_classification", true);
> +	if (!ASSERT_OK_PTR(ctx->ns, "switch ns"))
> +		goto out_destroy_skel;
> +
> +	err = write_sysctl("/proc/sys/net/ipv4/conf/default/rp_filter", "0");
> +	err |= write_sysctl("/proc/sys/net/ipv4/conf/all/rp_filter", "0");
> +	err |= write_sysctl("/proc/sys/net/ipv4/conf/lo/rp_filter", "0");
> +	if (!ASSERT_OK(err, "configure net tunables"))
> +		goto out_clean_ns;
> +
> +	ctx->prog_fd = attach_and_configure_program(ctx->skel);
> +	if (!ASSERT_OK_FD(ctx->prog_fd, "attach and configure program"))
> +		goto out_clean_ns;
> +	return 0;
> +out_clean_ns:
> +	netns_free(ctx->ns);
> +out_destroy_skel:
> +	bpf_flow__destroy(ctx->skel);
> +	return -1;
> +}
> +
> +static void test_global_shutdown(struct test_ctx *ctx)
> +{
> +	detach_program(ctx->skel, ctx->prog_fd);
> +	netns_free(ctx->ns);
> +	bpf_flow__destroy(ctx->skel);
> +}
> +
> +void test_flow_dissector_classification(void)
> +{
> +	struct test_ctx ctx;
> +	struct test_configuration *test;
> +	int i;
> +
> +	if (test_global_init(&ctx))
> +		return;
> +
> +	for (i = 0; i < ARRAY_SIZE(tests_input); i++) {
> +		if (!test__start_subtest(tests_input[i].name))
> +			continue;

[..]

> +		test = (struct test_configuration *)&tests_input[i];

nit: What's the purpose of the cast? Is it to de-constify? Can we
change run_test arguments to accept const struct test_configuration
ptr instead?

> +		/* All tests are expected to have one rx-ok port first,
> +		 * then a non-working rx port, and finally a rx-ok port
> +		 */
> +		if (test->test_setup &&
> +		    !ASSERT_OK(test->test_setup(), "init filter"))
> +			continue;
> +
> +		ASSERT_EQ(run_test(test, 0), TEST_PACKETS_COUNT,
> +			  "test first port");
> +		ASSERT_EQ(run_test(test, 1), 0, "test second port");
> +		ASSERT_EQ(run_test(test, 2), TEST_PACKETS_COUNT,
> +			  "test third port");
> +		if (test->test_teardown)
> +			test->test_teardown();
> +	}
> +	test_global_shutdown(&ctx);
> +}
> 
> -- 
> 2.47.0
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ