Message ID | 20211210130230.4128676-10-memxor@gmail.com |
---|---|
State | Awaiting Upstream |
Delegated to: | Pablo Neira |
Headers | show |
Series | Introduce unstable CT lookup helpers | expand |
On 2021-12-10 15:02, Kumar Kartikeya Dwivedi wrote: > This tests that we return errors as documented, and also that the kfunc > calls work from both XDP and TC hooks. > > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> > --- > tools/testing/selftests/bpf/config | 4 + > .../testing/selftests/bpf/prog_tests/bpf_nf.c | 48 ++++++++ > .../testing/selftests/bpf/progs/test_bpf_nf.c | 113 ++++++++++++++++++ > 3 files changed, 165 insertions(+) > create mode 100644 tools/testing/selftests/bpf/prog_tests/bpf_nf.c > create mode 100644 tools/testing/selftests/bpf/progs/test_bpf_nf.c > > diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config > index 5192305159ec..4a2a47fcd6ef 100644 > --- a/tools/testing/selftests/bpf/config > +++ b/tools/testing/selftests/bpf/config > @@ -46,3 +46,7 @@ CONFIG_IMA_READ_POLICY=y > CONFIG_BLK_DEV_LOOP=y > CONFIG_FUNCTION_TRACER=y > CONFIG_DYNAMIC_FTRACE=y > +CONFIG_NETFILTER=y > +CONFIG_NF_DEFRAG_IPV4=y > +CONFIG_NF_DEFRAG_IPV6=y > +CONFIG_NF_CONNTRACK=y > diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c > new file mode 100644 > index 000000000000..56e8d745b8c8 > --- /dev/null > +++ b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c > @@ -0,0 +1,48 @@ > +// SPDX-License-Identifier: GPL-2.0 > +#include <test_progs.h> > +#include <network_helpers.h> > +#include "test_bpf_nf.skel.h" > + > +enum { > + TEST_XDP, > + TEST_TC_BPF, > +}; > + > +void test_bpf_nf_ct(int mode) > +{ > + struct test_bpf_nf *skel; > + int prog_fd, err, retval; > + > + skel = test_bpf_nf__open_and_load(); > + if (!ASSERT_OK_PTR(skel, "test_bpf_nf__open_and_load")) > + return; > + > + if (mode == TEST_XDP) > + prog_fd = bpf_program__fd(skel->progs.nf_xdp_ct_test); > + else > + prog_fd = bpf_program__fd(skel->progs.nf_skb_ct_test); > + > + err = bpf_prog_test_run(prog_fd, 1, &pkt_v4, sizeof(pkt_v4), NULL, NULL, > + (__u32 *)&retval, NULL); > + if (!ASSERT_OK(err, "bpf_prog_test_run")) > + goto end; > + > + ASSERT_EQ(skel->bss->test_einval_bpf_tuple, -EINVAL, "Test EINVAL for NULL bpf_tuple"); > + ASSERT_EQ(skel->bss->test_einval_reserved, -EINVAL, "Test EINVAL for reserved not set to 0"); > + ASSERT_EQ(skel->bss->test_einval_netns_id, -EINVAL, "Test EINVAL for netns_id < -1"); > + ASSERT_EQ(skel->bss->test_einval_len_opts, -EINVAL, "Test EINVAL for len__opts != NF_BPF_CT_OPTS_SZ"); > + ASSERT_EQ(skel->bss->test_eproto_l4proto, -EPROTO, "Test EPROTO for l4proto != TCP or UDP"); > + ASSERT_EQ(skel->bss->test_enonet_netns_id, -ENONET, "Test ENONET for bad but valid netns_id"); > + ASSERT_EQ(skel->bss->test_enoent_lookup, -ENOENT, "Test ENOENT for failed lookup"); > + ASSERT_EQ(skel->bss->test_eafnosupport, -EAFNOSUPPORT,"Test EAFNOSUPPORT for invalid len__tuple"); > +end: > + test_bpf_nf__destroy(skel); > +} > + > +void test_bpf_nf(void) > +{ > + if (test__start_subtest("xdp-ct")) > + test_bpf_nf_ct(TEST_XDP); > + if (test__start_subtest("tc-bpf-ct")) > + test_bpf_nf_ct(TEST_TC_BPF); > +} > diff --git a/tools/testing/selftests/bpf/progs/test_bpf_nf.c b/tools/testing/selftests/bpf/progs/test_bpf_nf.c > new file mode 100644 > index 000000000000..7cfff245b24f > --- /dev/null > +++ b/tools/testing/selftests/bpf/progs/test_bpf_nf.c > @@ -0,0 +1,113 @@ > +// SPDX-License-Identifier: GPL-2.0 > +#include <vmlinux.h> > +#include <bpf/bpf_helpers.h> > + > +#define EAFNOSUPPORT 97 > +#define EPROTO 71 > +#define ENONET 64 > +#define EINVAL 22 > +#define ENOENT 2 > + > +int test_einval_bpf_tuple = 0; > +int test_einval_reserved = 0; > +int test_einval_netns_id = 0; > +int test_einval_len_opts = 0; > +int test_eproto_l4proto = 0; > +int test_enonet_netns_id = 0; > +int test_enoent_lookup = 0; > +int test_eafnosupport = 0; > + > +struct nf_conn *bpf_xdp_ct_lookup(struct xdp_md *, struct bpf_sock_tuple *, u32, > + struct bpf_ct_opts *, u32) __weak __ksym; > +struct nf_conn *bpf_skb_ct_lookup(struct __sk_buff *, struct bpf_sock_tuple *, u32, > + struct bpf_ct_opts *, u32) __weak __ksym; > +void bpf_ct_release(struct nf_conn *) __weak __ksym; > + > +#define nf_ct_test(func, ctx) \ > + ({ \ > + struct bpf_ct_opts opts_def = { .l4proto = IPPROTO_TCP, \ > + .netns_id = -1 }; \ I noticed that when CONFIG_NF_CONNTRACK=m, struct bpf_ct_opts doesn't get added to vmlinux.h. What is the right way to get definitions of structs from modules in BPF programs? Are they supposed to be part of vmlinux.h? > + struct bpf_sock_tuple bpf_tuple; \ > + struct nf_conn *ct; \ > + \ > + __builtin_memset(&bpf_tuple, 0, sizeof(bpf_tuple.ipv4)); \ > + ct = func(ctx, NULL, 0, &opts_def, sizeof(opts_def)); \ > + if (ct) \ > + bpf_ct_release(ct); \ > + else \ > + test_einval_bpf_tuple = opts_def.error; \ > + \ > + opts_def.reserved[0] = 1; \ > + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, \ > + sizeof(opts_def)); \ > + opts_def.reserved[0] = 0; \ > + opts_def.l4proto = IPPROTO_TCP; \ > + if (ct) \ > + bpf_ct_release(ct); \ > + else \ > + test_einval_reserved = opts_def.error; \ > + \ > + opts_def.netns_id = -2; \ > + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, \ > + sizeof(opts_def)); \ > + opts_def.netns_id = -1; \ > + if (ct) \ > + bpf_ct_release(ct); \ > + else \ > + test_einval_netns_id = opts_def.error; \ > + \ > + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, \ > + sizeof(opts_def) - 1); \ > + if (ct) \ > + bpf_ct_release(ct); \ > + else \ > + test_einval_len_opts = opts_def.error; \ > + \ > + opts_def.l4proto = IPPROTO_ICMP; \ > + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, \ > + sizeof(opts_def)); \ > + opts_def.l4proto = IPPROTO_TCP; \ > + if (ct) \ > + bpf_ct_release(ct); \ > + else \ > + test_eproto_l4proto = opts_def.error; \ > + \ > + opts_def.netns_id = 0xf00f; \ > + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, \ > + sizeof(opts_def)); \ > + opts_def.netns_id = -1; \ > + if (ct) \ > + bpf_ct_release(ct); \ > + else \ > + test_enonet_netns_id = opts_def.error; \ > + \ > + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, \ > + sizeof(opts_def)); \ > + if (ct) \ > + bpf_ct_release(ct); \ > + else \ > + test_enoent_lookup = opts_def.error; \ > + \ > + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4) - 1, \ > + &opts_def, sizeof(opts_def)); \ > + if (ct) \ > + bpf_ct_release(ct); \ > + else \ > + test_eafnosupport = opts_def.error; \ > + }) > + > +SEC("xdp") > +int nf_xdp_ct_test(struct xdp_md *ctx) > +{ > + nf_ct_test(bpf_xdp_ct_lookup, ctx); > + return 0; > +} > + > +SEC("tc") > +int nf_skb_ct_test(struct __sk_buff *ctx) > +{ > + nf_ct_test(bpf_skb_ct_lookup, ctx); > + return 0; > +} > + > +char _license[] SEC("license") = "GPL";
On Tue, Dec 14, 2021 at 07:43:13PM IST, Maxim Mikityanskiy wrote: > On 2021-12-10 15:02, Kumar Kartikeya Dwivedi wrote: > > This tests that we return errors as documented, and also that the kfunc > > calls work from both XDP and TC hooks. > > > > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> > > --- > > [...] > > + > > +#define nf_ct_test(func, ctx) \ > > + ({ \ > > + struct bpf_ct_opts opts_def = { .l4proto = IPPROTO_TCP, \ > > + .netns_id = -1 }; \ > > I noticed that when CONFIG_NF_CONNTRACK=m, struct bpf_ct_opts doesn't get > added to vmlinux.h. What is the right way to get definitions of structs from > modules in BPF programs? Are they supposed to be part of vmlinux.h? > Right, you'll have to do: # bpftool btf dump file /sys/kernel/btf/nf_conntrack format c > vmlinux.h after loading the module. This will have the definitions for vmlinux BTF + nf_conntrack BTF. > [...] -- Kartikeya
diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config index 5192305159ec..4a2a47fcd6ef 100644 --- a/tools/testing/selftests/bpf/config +++ b/tools/testing/selftests/bpf/config @@ -46,3 +46,7 @@ CONFIG_IMA_READ_POLICY=y CONFIG_BLK_DEV_LOOP=y CONFIG_FUNCTION_TRACER=y CONFIG_DYNAMIC_FTRACE=y +CONFIG_NETFILTER=y +CONFIG_NF_DEFRAG_IPV4=y +CONFIG_NF_DEFRAG_IPV6=y +CONFIG_NF_CONNTRACK=y diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c new file mode 100644 index 000000000000..56e8d745b8c8 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c @@ -0,0 +1,48 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <test_progs.h> +#include <network_helpers.h> +#include "test_bpf_nf.skel.h" + +enum { + TEST_XDP, + TEST_TC_BPF, +}; + +void test_bpf_nf_ct(int mode) +{ + struct test_bpf_nf *skel; + int prog_fd, err, retval; + + skel = test_bpf_nf__open_and_load(); + if (!ASSERT_OK_PTR(skel, "test_bpf_nf__open_and_load")) + return; + + if (mode == TEST_XDP) + prog_fd = bpf_program__fd(skel->progs.nf_xdp_ct_test); + else + prog_fd = bpf_program__fd(skel->progs.nf_skb_ct_test); + + err = bpf_prog_test_run(prog_fd, 1, &pkt_v4, sizeof(pkt_v4), NULL, NULL, + (__u32 *)&retval, NULL); + if (!ASSERT_OK(err, "bpf_prog_test_run")) + goto end; + + ASSERT_EQ(skel->bss->test_einval_bpf_tuple, -EINVAL, "Test EINVAL for NULL bpf_tuple"); + ASSERT_EQ(skel->bss->test_einval_reserved, -EINVAL, "Test EINVAL for reserved not set to 0"); + ASSERT_EQ(skel->bss->test_einval_netns_id, -EINVAL, "Test EINVAL for netns_id < -1"); + ASSERT_EQ(skel->bss->test_einval_len_opts, -EINVAL, "Test EINVAL for len__opts != NF_BPF_CT_OPTS_SZ"); + ASSERT_EQ(skel->bss->test_eproto_l4proto, -EPROTO, "Test EPROTO for l4proto != TCP or UDP"); + ASSERT_EQ(skel->bss->test_enonet_netns_id, -ENONET, "Test ENONET for bad but valid netns_id"); + ASSERT_EQ(skel->bss->test_enoent_lookup, -ENOENT, "Test ENOENT for failed lookup"); + ASSERT_EQ(skel->bss->test_eafnosupport, -EAFNOSUPPORT,"Test EAFNOSUPPORT for invalid len__tuple"); +end: + test_bpf_nf__destroy(skel); +} + +void test_bpf_nf(void) +{ + if (test__start_subtest("xdp-ct")) + test_bpf_nf_ct(TEST_XDP); + if (test__start_subtest("tc-bpf-ct")) + test_bpf_nf_ct(TEST_TC_BPF); +} diff --git a/tools/testing/selftests/bpf/progs/test_bpf_nf.c b/tools/testing/selftests/bpf/progs/test_bpf_nf.c new file mode 100644 index 000000000000..7cfff245b24f --- /dev/null +++ b/tools/testing/selftests/bpf/progs/test_bpf_nf.c @@ -0,0 +1,113 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <vmlinux.h> +#include <bpf/bpf_helpers.h> + +#define EAFNOSUPPORT 97 +#define EPROTO 71 +#define ENONET 64 +#define EINVAL 22 +#define ENOENT 2 + +int test_einval_bpf_tuple = 0; +int test_einval_reserved = 0; +int test_einval_netns_id = 0; +int test_einval_len_opts = 0; +int test_eproto_l4proto = 0; +int test_enonet_netns_id = 0; +int test_enoent_lookup = 0; +int test_eafnosupport = 0; + +struct nf_conn *bpf_xdp_ct_lookup(struct xdp_md *, struct bpf_sock_tuple *, u32, + struct bpf_ct_opts *, u32) __weak __ksym; +struct nf_conn *bpf_skb_ct_lookup(struct __sk_buff *, struct bpf_sock_tuple *, u32, + struct bpf_ct_opts *, u32) __weak __ksym; +void bpf_ct_release(struct nf_conn *) __weak __ksym; + +#define nf_ct_test(func, ctx) \ + ({ \ + struct bpf_ct_opts opts_def = { .l4proto = IPPROTO_TCP, \ + .netns_id = -1 }; \ + struct bpf_sock_tuple bpf_tuple; \ + struct nf_conn *ct; \ + \ + __builtin_memset(&bpf_tuple, 0, sizeof(bpf_tuple.ipv4)); \ + ct = func(ctx, NULL, 0, &opts_def, sizeof(opts_def)); \ + if (ct) \ + bpf_ct_release(ct); \ + else \ + test_einval_bpf_tuple = opts_def.error; \ + \ + opts_def.reserved[0] = 1; \ + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, \ + sizeof(opts_def)); \ + opts_def.reserved[0] = 0; \ + opts_def.l4proto = IPPROTO_TCP; \ + if (ct) \ + bpf_ct_release(ct); \ + else \ + test_einval_reserved = opts_def.error; \ + \ + opts_def.netns_id = -2; \ + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, \ + sizeof(opts_def)); \ + opts_def.netns_id = -1; \ + if (ct) \ + bpf_ct_release(ct); \ + else \ + test_einval_netns_id = opts_def.error; \ + \ + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, \ + sizeof(opts_def) - 1); \ + if (ct) \ + bpf_ct_release(ct); \ + else \ + test_einval_len_opts = opts_def.error; \ + \ + opts_def.l4proto = IPPROTO_ICMP; \ + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, \ + sizeof(opts_def)); \ + opts_def.l4proto = IPPROTO_TCP; \ + if (ct) \ + bpf_ct_release(ct); \ + else \ + test_eproto_l4proto = opts_def.error; \ + \ + opts_def.netns_id = 0xf00f; \ + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, \ + sizeof(opts_def)); \ + opts_def.netns_id = -1; \ + if (ct) \ + bpf_ct_release(ct); \ + else \ + test_enonet_netns_id = opts_def.error; \ + \ + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, \ + sizeof(opts_def)); \ + if (ct) \ + bpf_ct_release(ct); \ + else \ + test_enoent_lookup = opts_def.error; \ + \ + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4) - 1, \ + &opts_def, sizeof(opts_def)); \ + if (ct) \ + bpf_ct_release(ct); \ + else \ + test_eafnosupport = opts_def.error; \ + }) + +SEC("xdp") +int nf_xdp_ct_test(struct xdp_md *ctx) +{ + nf_ct_test(bpf_xdp_ct_lookup, ctx); + return 0; +} + +SEC("tc") +int nf_skb_ct_test(struct __sk_buff *ctx) +{ + nf_ct_test(bpf_skb_ct_lookup, ctx); + return 0; +} + +char _license[] SEC("license") = "GPL";
This tests that we return errors as documented, and also that the kfunc calls work from both XDP and TC hooks. Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> --- tools/testing/selftests/bpf/config | 4 + .../testing/selftests/bpf/prog_tests/bpf_nf.c | 48 ++++++++ .../testing/selftests/bpf/progs/test_bpf_nf.c | 113 ++++++++++++++++++ 3 files changed, 165 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/bpf_nf.c create mode 100644 tools/testing/selftests/bpf/progs/test_bpf_nf.c