#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Load BPF flow dissector and verify it correctly dissects traffic

BPF_FILE="bpf_flow.bpf.o"
export TESTNAME=test_flow_dissector
# Becomes 1 when this script mounts bpffs itself, so that cleanup only
# unmounts what the script mounted.
unmount=0

# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4

# Without root the test is reported as skipped rather than failed.
msg="skip all tests:"
if [[ "$UID" != 0 ]]; then
	echo "$msg please run this as root" >&2
	exit "$ksft_skip"
fi
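# This test needs to be run in a network namespace with in_netns.sh. Check if
# this is the case and run it with in_netns.sh if it is being run in the root
# namespace.
if [[ -z "$(ip netns identify "$$")" ]]; then
	err=0
	# command -v is a shell builtin, so finding bpftool does not depend on
	# the external which(1) being installed.
	if bpftool="$(command -v bpftool)"; then
		echo "Testing global flow dissector..."

		# NOTE: commands in this branch that are not wrapped in
		# "unshare --net" act on the namespace the script was started in;
		# the dissector stays attached there until the detach below.
		"$bpftool" prog loadall "$BPF_FILE" /sys/fs/bpf/flow \
			type flow_dissector

		# Nothing is attached in the starting namespace yet, so an attach
		# from a fresh namespace is expected to succeed.
		if ! unshare --net "$bpftool" prog attach pinned \
			/sys/fs/bpf/flow/_dissect flow_dissector; then
			echo "Unexpected unsuccessful attach in namespace" >&2
			err=1
		fi

		"$bpftool" prog attach pinned /sys/fs/bpf/flow/_dissect \
			flow_dissector

		# With the program attached in the starting namespace, an attach
		# from a fresh namespace is expected to be refused.
		if unshare --net "$bpftool" prog attach pinned \
			/sys/fs/bpf/flow/_dissect flow_dissector; then
			echo "Unexpected successful attach in namespace" >&2
			err=1
		fi

		if ! "$bpftool" prog detach pinned \
			/sys/fs/bpf/flow/_dissect flow_dissector; then
			echo "Failed to detach flow dissector" >&2
			err=1
		fi

		# Drop the pins created by loadall above.
		rm -rf /sys/fs/bpf/flow
	else
		echo "Skipping root flow dissector test, bpftool not found" >&2
	fi

	# Run the rest of the tests in a net namespace.
	../net/in_netns.sh "$0" "$@"
	err=$(( err + $? ))
	# Exit statuses wrap modulo 256: clamp so that a sum of 256 can never
	# be reported to the harness as a passing status of 0.
	if (( err > 255 )); then
		err=255
	fi

	if (( err == 0 )); then
		echo "selftests: $TESTNAME [PASS]"
	else
		echo "selftests: $TESTNAME [FAILED]"
	fi

	exit "$err"
fi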
# Determine selftest success via shell exit code
#
# Best-effort teardown: deletes the tc filter and ingress qdisc on lo, runs
# "./flow_dissector_load -d" (presumably the detach counterpart of the load
# step -- confirm), and unmounts bpffs only when unmount is non-zero.
# errexit is switched off and stderr discarded, so a missing filter, qdisc
# or mount does not abort the cleanup.
exit_handler()
{
	set +e

	# Cleanup
	{
		tc filter del dev lo ingress pref 1337
		tc qdisc del dev lo ingress
		./flow_dissector_load -d
		if (( unmount != 0 )); then
			umount bpffs
		fi
	} 2> /dev/null
}
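# Exit script immediately (caught by the trap handler) if any
# program/thing exits with a non-zero status.
set -e

# Run cleanup on normal exit and on SIGINT, SIGQUIT and SIGABRT. SIGKILL (9)
# is deliberately not listed: it cannot be caught, so trapping it has no
# effect.
# NOTE(review): exit_handler does not call exit, so after a trapped signal
# the script may carry on with errexit disabled -- confirm that is intended.
trap exit_handler EXIT INT QUIT ABRT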
# Mount BPF file system
# NOTE(review): the grep is an unanchored match on the mount listing, so any
# line containing /sys/fs/bpf counts as "already mounted".
if ! /bin/mount | grep /sys/fs/bpf > /dev/null; then
	echo "bpffs not mounted. Mounting..."
	# Remember that the mount is ours so cleanup can undo it.
	unmount=1
	/bin/mount bpffs /sys/fs/bpf -t bpf
else
	echo "bpffs already mounted"
fi
# Attach BPF program
./flow_dissector_load -p "$BPF_FILE" -s _dissect

# Setup
tc qdisc add dev lo ingress
# Turn off reverse-path filtering. These sysctls are per network namespace,
# and the script only gets this far when it is already inside one.
# Presumably needed because the tests send from source addresses such as
# 1.1.1.1 that rp_filter could reject -- confirm.
for conf in default all lo; do
	echo 0 > "/proc/sys/net/ipv4/conf/${conf}/rp_filter"
done
# Runs a sender command once per source port, in the order given.
# Arguments: $1 - the port whose run gets -F (the run where the filter
#                 should drop all packets)
#            $2 - space-separated source ports to probe
#            $3.. - sender command line; "-f PORT" is appended to it
# Every run is expected to send 10 UDP packets from the given port; runs
# without -F should see none of them dropped.
send_from_ports()
{
	local dropped=$1 ports=$2 port
	shift 2
	for port in $ports; do
		if [[ "$port" == "$dropped" ]]; then
			"$@" -f "$port" -F
		else
			"$@" -f "$port"
		fi
	done
}

# Shared pieces of the encapsulated senders (outer IPv4, inner IPv4).
tunnel_sender=(./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4)
tunnel_addrs=(-i 4 -D 192.168.0.1 -S 1.1.1.1)

echo "Testing IPv4..."
# Drops all IP/UDP packets coming from port 9
tc filter add dev lo parent ffff: protocol ip pref 1337 \
	flower ip_proto udp src_port 9 action drop

# IPv4/UDP from ports 8, 9 and 10: only port 9 should be dropped.
send_from_ports 9 "8 9 10" ./test_flow_dissector -i 4

echo "Testing IPv4 from 127.0.0.127 (fallback to generic dissector)..."
# Same three ports, sent from source address 127.0.0.127.
send_from_ports 9 "8 9 10" ./test_flow_dissector -i 4 -S 127.0.0.127

echo "Testing IPIP..."
# IPv4/IPv4/UDP from ports 8, 9 and 10: only port 9 should be dropped.
send_from_ports 9 "8 9 10" "${tunnel_sender[@]}" -e bare "${tunnel_addrs[@]}"

echo "Testing IPv4 + GRE..."
# IPv4/GRE/IPv4/UDP from ports 8, 9 and 10: only port 9 should be dropped.
send_from_ports 9 "8 9 10" "${tunnel_sender[@]}" -e gre "${tunnel_addrs[@]}"

tc filter del dev lo ingress pref 1337

echo "Testing port range..."
# Drops all IP/UDP packets coming from port 8-10
tc filter add dev lo parent ffff: protocol ip pref 1337 \
	flower ip_proto udp src_port 8-10 action drop

# Ports 7 and 11 sit just outside the range; port 9 is inside it.
send_from_ports 9 "7 9 11" ./test_flow_dissector -i 4

tc filter del dev lo ingress pref 1337

echo "Testing IPv6..."
# Drops all IPv6/UDP packets coming from port 9
tc filter add dev lo parent ffff: protocol ipv6 pref 1337 \
	flower ip_proto udp src_port 9 action drop

# IPv6/UDP from ports 8, 9 and 10: only port 9 should be dropped.
send_from_ports 9 "8 9 10" ./test_flow_dissector -i 6

exit 0
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Load BPF flow dissector and verify it correctly dissects traffic
export TESTNAME=test_flow_dissector
# Becomes 1 when this script mounts bpffs itself, so that cleanup only
# unmounts what the script mounted.
unmount=0

# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4

# Without root the test is reported as skipped rather than failed.
msg="skip all tests:"
if [[ "$UID" != 0 ]]; then
	echo "$msg please run this as root" >&2
	exit "$ksft_skip"
fi
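# This test needs to be run in a network namespace with in_netns.sh. Check if
# this is the case and run it with in_netns.sh if it is being run in the root
# namespace.
if [[ -z "$(ip netns identify "$$")" ]]; then
	err=0
	# command -v is a shell builtin, so finding bpftool does not depend on
	# the external which(1) being installed.
	if bpftool="$(command -v bpftool)"; then
		echo "Testing global flow dissector..."

		# NOTE: commands in this branch that are not wrapped in
		# "unshare --net" act on the namespace the script was started in;
		# the dissector stays attached there until the detach below.
		"$bpftool" prog loadall ./bpf_flow.o /sys/fs/bpf/flow \
			type flow_dissector

		# Nothing is attached in the starting namespace yet, so an attach
		# from a fresh namespace is expected to succeed.
		if ! unshare --net "$bpftool" prog attach pinned \
			/sys/fs/bpf/flow/flow_dissector flow_dissector; then
			echo "Unexpected unsuccessful attach in namespace" >&2
			err=1
		fi

		"$bpftool" prog attach pinned /sys/fs/bpf/flow/flow_dissector \
			flow_dissector

		# With the program attached in the starting namespace, an attach
		# from a fresh namespace is expected to be refused.
		if unshare --net "$bpftool" prog attach pinned \
			/sys/fs/bpf/flow/flow_dissector flow_dissector; then
			echo "Unexpected successful attach in namespace" >&2
			err=1
		fi

		if ! "$bpftool" prog detach pinned \
			/sys/fs/bpf/flow/flow_dissector flow_dissector; then
			echo "Failed to detach flow dissector" >&2
			err=1
		fi

		# Drop the pins created by loadall above.
		rm -rf /sys/fs/bpf/flow
	else
		echo "Skipping root flow dissector test, bpftool not found" >&2
	fi

	# Run the rest of the tests in a net namespace.
	../net/in_netns.sh "$0" "$@"
	err=$(( err + $? ))
	# Exit statuses wrap modulo 256: clamp so that a sum of 256 can never
	# be reported to the harness as a passing status of 0.
	if (( err > 255 )); then
		err=255
	fi

	if (( err == 0 )); then
		echo "selftests: $TESTNAME [PASS]"
	else
		echo "selftests: $TESTNAME [FAILED]"
	fi

	exit "$err"
fi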
# Determine selftest success via shell exit code
#
# Best-effort teardown: deletes the tc filter and ingress qdisc on lo, runs
# "./flow_dissector_load -d" (presumably the detach counterpart of the load
# step -- confirm), and unmounts bpffs only when unmount is non-zero.
# errexit is switched off and stderr discarded, so a missing filter, qdisc
# or mount does not abort the cleanup.
exit_handler()
{
	set +e

	# Cleanup
	{
		tc filter del dev lo ingress pref 1337
		tc qdisc del dev lo ingress
		./flow_dissector_load -d
		if (( unmount != 0 )); then
			umount bpffs
		fi
	} 2> /dev/null
}
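# Exit script immediately (caught by the trap handler) if any
# program/thing exits with a non-zero status.
set -e

# Run cleanup on normal exit and on SIGINT, SIGQUIT and SIGABRT. SIGKILL (9)
# is deliberately not listed: it cannot be caught, so trapping it has no
# effect.
# NOTE(review): exit_handler does not call exit, so after a trapped signal
# the script may carry on with errexit disabled -- confirm that is intended.
trap exit_handler EXIT INT QUIT ABRT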
# Mount BPF file system
# NOTE(review): the grep is an unanchored match on the mount listing, so any
# line containing /sys/fs/bpf counts as "already mounted".
if ! /bin/mount | grep /sys/fs/bpf > /dev/null; then
	echo "bpffs not mounted. Mounting..."
	# Remember that the mount is ours so cleanup can undo it.
	unmount=1
	/bin/mount bpffs /sys/fs/bpf -t bpf
else
	echo "bpffs already mounted"
fi
# Attach BPF program
./flow_dissector_load -p bpf_flow.o -s flow_dissector

# Setup
tc qdisc add dev lo ingress
# Turn off reverse-path filtering. These sysctls are per network namespace,
# and the script only gets this far when it is already inside one.
# Presumably needed because the tests send from source addresses such as
# 1.1.1.1 that rp_filter could reject -- confirm.
for conf in default all lo; do
	echo 0 > "/proc/sys/net/ipv4/conf/${conf}/rp_filter"
done
# Runs a sender command once per source port, in the order given.
# Arguments: $1 - the port whose run gets -F (the run where the filter
#                 should drop all packets)
#            $2 - space-separated source ports to probe
#            $3.. - sender command line; "-f PORT" is appended to it
# Every run is expected to send 10 UDP packets from the given port; runs
# without -F should see none of them dropped.
send_from_ports()
{
	local dropped=$1 ports=$2 port
	shift 2
	for port in $ports; do
		if [[ "$port" == "$dropped" ]]; then
			"$@" -f "$port" -F
		else
			"$@" -f "$port"
		fi
	done
}

# Shared pieces of the encapsulated senders (outer IPv4, inner IPv4).
tunnel_sender=(./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4)
tunnel_addrs=(-i 4 -D 192.168.0.1 -S 1.1.1.1)

echo "Testing IPv4..."
# Drops all IP/UDP packets coming from port 9
tc filter add dev lo parent ffff: protocol ip pref 1337 \
	flower ip_proto udp src_port 9 action drop

# IPv4/UDP from ports 8, 9 and 10: only port 9 should be dropped.
send_from_ports 9 "8 9 10" ./test_flow_dissector -i 4

echo "Testing IPIP..."
# IPv4/IPv4/UDP from ports 8, 9 and 10: only port 9 should be dropped.
send_from_ports 9 "8 9 10" "${tunnel_sender[@]}" -e bare "${tunnel_addrs[@]}"

echo "Testing IPv4 + GRE..."
# IPv4/GRE/IPv4/UDP from ports 8, 9 and 10: only port 9 should be dropped.
send_from_ports 9 "8 9 10" "${tunnel_sender[@]}" -e gre "${tunnel_addrs[@]}"

tc filter del dev lo ingress pref 1337

echo "Testing port range..."
# Drops all IP/UDP packets coming from port 8-10
tc filter add dev lo parent ffff: protocol ip pref 1337 \
	flower ip_proto udp src_port 8-10 action drop

# Ports 7 and 11 sit just outside the range; port 9 is inside it.
send_from_ports 9 "7 9 11" ./test_flow_dissector -i 4

tc filter del dev lo ingress pref 1337

echo "Testing IPv6..."
# Drops all IPv6/UDP packets coming from port 9
tc filter add dev lo parent ffff: protocol ipv6 pref 1337 \
	flower ip_proto udp src_port 9 action drop

# IPv6/UDP from ports 8, 9 and 10: only port 9 should be dropped.
send_from_ports 9 "8 9 10" ./test_flow_dissector -i 6

exit 0