| #!/bin/bash |
| # SPDX-License-Identifier: GPL-2.0 |
| # |
| # Load BPF flow dissector and verify it correctly dissects traffic |
| export TESTNAME=test_flow_dissector |
| unmount=0 |
| |
| # Kselftest framework requirement - SKIP code is 4. |
| ksft_skip=4 |
| |
| msg="skip all tests:" |
| if [ $UID != 0 ]; then |
| echo $msg please run this as root >&2 |
| exit $ksft_skip |
| fi |
| |
| # This test needs to be run in a network namespace with in_netns.sh. Check if |
| # this is the case and run it with in_netns.sh if it is being run in the root |
| # namespace. |
| if [[ -z $(ip netns identify $$) ]]; then |
| err=0 |
| if bpftool="$(which bpftool)"; then |
| echo "Testing global flow dissector..." |
| |
| $bpftool prog loadall ./bpf_flow.o /sys/fs/bpf/flow \ |
| type flow_dissector |
| |
| if ! unshare --net $bpftool prog attach pinned \ |
| /sys/fs/bpf/flow/flow_dissector flow_dissector; then |
| echo "Unexpected unsuccessful attach in namespace" >&2 |
| err=1 |
| fi |
| |
| $bpftool prog attach pinned /sys/fs/bpf/flow/flow_dissector \ |
| flow_dissector |
| |
| if unshare --net $bpftool prog attach pinned \ |
| /sys/fs/bpf/flow/flow_dissector flow_dissector; then |
| echo "Unexpected successful attach in namespace" >&2 |
| err=1 |
| fi |
| |
| if ! $bpftool prog detach pinned \ |
| /sys/fs/bpf/flow/flow_dissector flow_dissector; then |
| echo "Failed to detach flow dissector" >&2 |
| err=1 |
| fi |
| |
| rm -rf /sys/fs/bpf/flow |
| else |
| echo "Skipping root flow dissector test, bpftool not found" >&2 |
| fi |
| |
| # Run the rest of the tests in a net namespace. |
| ../net/in_netns.sh "$0" "$@" |
| err=$(( $err + $? )) |
| |
| if (( $err == 0 )); then |
| echo "selftests: $TESTNAME [PASS]"; |
| else |
| echo "selftests: $TESTNAME [FAILED]"; |
| fi |
| |
| exit $err |
| fi |
| |
| # Determine selftest success via shell exit code |
| exit_handler() |
| { |
| set +e |
| |
| # Cleanup |
| tc filter del dev lo ingress pref 1337 2> /dev/null |
| tc qdisc del dev lo ingress 2> /dev/null |
| ./flow_dissector_load -d 2> /dev/null |
| if [ $unmount -ne 0 ]; then |
| umount bpffs 2> /dev/null |
| fi |
| } |
| |
| # Exit script immediately (well catched by trap handler) if any |
| # program/thing exits with a non-zero status. |
| set -e |
| |
| # (Use 'trap -l' to list meaning of numbers) |
| trap exit_handler 0 2 3 6 9 |
| |
| # Mount BPF file system |
| if /bin/mount | grep /sys/fs/bpf > /dev/null; then |
| echo "bpffs already mounted" |
| else |
| echo "bpffs not mounted. Mounting..." |
| unmount=1 |
| /bin/mount bpffs /sys/fs/bpf -t bpf |
| fi |
| |
| # Attach BPF program |
| ./flow_dissector_load -p bpf_flow.o -s flow_dissector |
| |
| # Setup |
| tc qdisc add dev lo ingress |
| echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter |
| echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter |
| echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter |
| |
| echo "Testing IPv4..." |
| # Drops all IP/UDP packets coming from port 9 |
| tc filter add dev lo parent ffff: protocol ip pref 1337 flower ip_proto \ |
| udp src_port 9 action drop |
| |
| # Send 10 IPv4/UDP packets from port 8. Filter should not drop any. |
| ./test_flow_dissector -i 4 -f 8 |
| # Send 10 IPv4/UDP packets from port 9. Filter should drop all. |
| ./test_flow_dissector -i 4 -f 9 -F |
| # Send 10 IPv4/UDP packets from port 10. Filter should not drop any. |
| ./test_flow_dissector -i 4 -f 10 |
| |
| echo "Testing IPIP..." |
| # Send 10 IPv4/IPv4/UDP packets from port 8. Filter should not drop any. |
| ./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \ |
| -D 192.168.0.1 -S 1.1.1.1 -f 8 |
| # Send 10 IPv4/IPv4/UDP packets from port 9. Filter should drop all. |
| ./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \ |
| -D 192.168.0.1 -S 1.1.1.1 -f 9 -F |
| # Send 10 IPv4/IPv4/UDP packets from port 10. Filter should not drop any. |
| ./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \ |
| -D 192.168.0.1 -S 1.1.1.1 -f 10 |
| |
| echo "Testing IPv4 + GRE..." |
| # Send 10 IPv4/GRE/IPv4/UDP packets from port 8. Filter should not drop any. |
| ./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e gre -i 4 \ |
| -D 192.168.0.1 -S 1.1.1.1 -f 8 |
| # Send 10 IPv4/GRE/IPv4/UDP packets from port 9. Filter should drop all. |
| ./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e gre -i 4 \ |
| -D 192.168.0.1 -S 1.1.1.1 -f 9 -F |
| # Send 10 IPv4/GRE/IPv4/UDP packets from port 10. Filter should not drop any. |
| ./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e gre -i 4 \ |
| -D 192.168.0.1 -S 1.1.1.1 -f 10 |
| |
| tc filter del dev lo ingress pref 1337 |
| |
| echo "Testing port range..." |
| # Drops all IP/UDP packets coming from port 8-10 |
| tc filter add dev lo parent ffff: protocol ip pref 1337 flower ip_proto \ |
| udp src_port 8-10 action drop |
| |
| # Send 10 IPv4/UDP packets from port 7. Filter should not drop any. |
| ./test_flow_dissector -i 4 -f 7 |
| # Send 10 IPv4/UDP packets from port 9. Filter should drop all. |
| ./test_flow_dissector -i 4 -f 9 -F |
| # Send 10 IPv4/UDP packets from port 11. Filter should not drop any. |
| ./test_flow_dissector -i 4 -f 11 |
| |
| tc filter del dev lo ingress pref 1337 |
| |
| echo "Testing IPv6..." |
| # Drops all IPv6/UDP packets coming from port 9 |
| tc filter add dev lo parent ffff: protocol ipv6 pref 1337 flower ip_proto \ |
| udp src_port 9 action drop |
| |
| # Send 10 IPv6/UDP packets from port 8. Filter should not drop any. |
| ./test_flow_dissector -i 6 -f 8 |
| # Send 10 IPv6/UDP packets from port 9. Filter should drop all. |
| ./test_flow_dissector -i 6 -f 9 -F |
| # Send 10 IPv6/UDP packets from port 10. Filter should not drop any. |
| ./test_flow_dissector -i 6 -f 10 |
| |
| exit 0 |
