1 #!/bin/bash
2 # SPDX-License-Identifier: GPL-2.0
3
4 [[ -z $TC ]] && TC='tc'
5 [[ -z $IP ]] && IP='ip'
6
7 REDIRECT_USER='./tc_l2_redirect'
8 REDIRECT_BPF='./tc_l2_redirect_kern.o'
9
10 RP_FILTER=$(< /proc/sys/net/ipv4/conf/all/rp_filter)
11 IPV6_DISABLED=$(< /proc/sys/net/ipv6/conf/all/disable_ipv6)
12 IPV6_FORWARDING=$(< /proc/sys/net/ipv6/conf/all/forwarding)
13
14 function config_common {
15 local tun_type=$1
16
17 $IP netns add ns1
18 $IP netns add ns2
19 $IP link add ve1 type veth peer name vens1
20 $IP link add ve2 type veth peer name vens2
21 $IP link set dev ve1 up
22 $IP link set dev ve2 up
23 $IP link set dev ve1 mtu 1500
24 $IP link set dev ve2 mtu 1500
25 $IP link set dev vens1 netns ns1
26 $IP link set dev vens2 netns ns2
27
28 $IP -n ns1 link set dev lo up
29 $IP -n ns1 link set dev vens1 up
30 $IP -n ns1 addr add 10.1.1.101/24 dev vens1
31 $IP -n ns1 addr add 2401:db01::65/64 dev vens1 nodad
32 $IP -n ns1 route add default via 10.1.1.1 dev vens1
33 $IP -n ns1 route add default via 2401:db01::1 dev vens1
34
35 $IP -n ns2 link set dev lo up
36 $IP -n ns2 link set dev vens2 up
37 $IP -n ns2 addr add 10.2.1.102/24 dev vens2
38 $IP -n ns2 addr add 2401:db02::66/64 dev vens2 nodad
39 $IP -n ns2 addr add 10.10.1.102 dev lo
40 $IP -n ns2 addr add 2401:face::66/64 dev lo nodad
41 $IP -n ns2 link add ipt2 type ipip local 10.2.1.102 remote 10.2.1.1
42 $IP -n ns2 link add ip6t2 type ip6tnl mode any local 2401:db02::66 remote 2401:db02::1
43 $IP -n ns2 link set dev ipt2 up
44 $IP -n ns2 link set dev ip6t2 up
45 $IP netns exec ns2 $TC qdisc add dev vens2 clsact
46 $IP netns exec ns2 $TC filter add dev vens2 ingress bpf da obj $REDIRECT_BPF sec drop_non_tun_vip
47 if [[ $tun_type == "ipip" ]]; then
48 $IP -n ns2 route add 10.1.1.0/24 dev ipt2
49 $IP netns exec ns2 sysctl -q -w net.ipv4.conf.all.rp_filter=0
50 $IP netns exec ns2 sysctl -q -w net.ipv4.conf.ipt2.rp_filter=0
51 else
52 $IP -n ns2 route add 10.1.1.0/24 dev ip6t2
53 $IP -n ns2 route add 2401:db01::/64 dev ip6t2
54 $IP netns exec ns2 sysctl -q -w net.ipv4.conf.all.rp_filter=0
55 $IP netns exec ns2 sysctl -q -w net.ipv4.conf.ip6t2.rp_filter=0
56 fi
57
58 $IP addr add 10.1.1.1/24 dev ve1
59 $IP addr add 2401:db01::1/64 dev ve1 nodad
60 $IP addr add 10.2.1.1/24 dev ve2
61 $IP addr add 2401:db02::1/64 dev ve2 nodad
62
63 $TC qdisc add dev ve2 clsact
64 $TC filter add dev ve2 ingress bpf da obj $REDIRECT_BPF sec l2_to_iptun_ingress_forward
65
66 sysctl -q -w net.ipv4.conf.all.rp_filter=0
67 sysctl -q -w net.ipv6.conf.all.forwarding=1
68 sysctl -q -w net.ipv6.conf.all.disable_ipv6=0
69 }
70
71 function cleanup {
72 set +e
73 [[ -z $DEBUG ]] || set +x
74 $IP netns delete ns1 >& /dev/null
75 $IP netns delete ns2 >& /dev/null
76 $IP link del ve1 >& /dev/null
77 $IP link del ve2 >& /dev/null
78 $IP link del ipt >& /dev/null
79 $IP link del ip6t >& /dev/null
80 sysctl -q -w net.ipv4.conf.all.rp_filter=$RP_FILTER
81 sysctl -q -w net.ipv6.conf.all.forwarding=$IPV6_FORWARDING
82 sysctl -q -w net.ipv6.conf.all.disable_ipv6=$IPV6_DISABLED
83 rm -f /sys/fs/bpf/tc/globals/tun_iface
84 [[ -z $DEBUG ]] || set -x
85 set -e
86 }
87
88 function l2_to_ipip {
89 echo -n "l2_to_ipip $1: "
90
91 local dir=$1
92
93 config_common ipip
94
95 $IP link add ipt type ipip external
96 $IP link set dev ipt up
97 sysctl -q -w net.ipv4.conf.ipt.rp_filter=0
98 sysctl -q -w net.ipv4.conf.ipt.forwarding=1
99
100 if [[ $dir == "egress" ]]; then
101 $IP route add 10.10.1.0/24 via 10.2.1.102 dev ve2
102 $TC filter add dev ve2 egress bpf da obj $REDIRECT_BPF sec l2_to_iptun_ingress_redirect
103 sysctl -q -w net.ipv4.conf.ve1.forwarding=1
104 else
105 $TC qdisc add dev ve1 clsact
106 $TC filter add dev ve1 ingress bpf da obj $REDIRECT_BPF sec l2_to_iptun_ingress_redirect
107 fi
108
109 $REDIRECT_USER -U /sys/fs/bpf/tc/globals/tun_iface -i $(< /sys/class/net/ipt/ifindex)
110
111 $IP netns exec ns1 ping -c1 10.10.1.102 >& /dev/null
112
113 if [[ $dir == "egress" ]]; then
114 # test direct egress to ve2 (i.e. not forwarding from
115 # ve1 to ve2).
116 ping -c1 10.10.1.102 >& /dev/null
117 fi
118
119 cleanup
120
121 echo "OK"
122 }
123
124 function l2_to_ip6tnl {
125 echo -n "l2_to_ip6tnl $1: "
126
127 local dir=$1
128
129 config_common ip6tnl
130
131 $IP link add ip6t type ip6tnl mode any external
132 $IP link set dev ip6t up
133 sysctl -q -w net.ipv4.conf.ip6t.rp_filter=0
134 sysctl -q -w net.ipv4.conf.ip6t.forwarding=1
135
136 if [[ $dir == "egress" ]]; then
137 $IP route add 10.10.1.0/24 via 10.2.1.102 dev ve2
138 $IP route add 2401:face::/64 via 2401:db02::66 dev ve2
139 $TC filter add dev ve2 egress bpf da obj $REDIRECT_BPF sec l2_to_ip6tun_ingress_redirect
140 sysctl -q -w net.ipv4.conf.ve1.forwarding=1
141 else
142 $TC qdisc add dev ve1 clsact
143 $TC filter add dev ve1 ingress bpf da obj $REDIRECT_BPF sec l2_to_ip6tun_ingress_redirect
144 fi
145
146 $REDIRECT_USER -U /sys/fs/bpf/tc/globals/tun_iface -i $(< /sys/class/net/ip6t/ifindex)
147
148 $IP netns exec ns1 ping -c1 10.10.1.102 >& /dev/null
149 $IP netns exec ns1 ping -6 -c1 2401:face::66 >& /dev/null
150
151 if [[ $dir == "egress" ]]; then
152 # test direct egress to ve2 (i.e. not forwarding from
153 # ve1 to ve2).
154 ping -c1 10.10.1.102 >& /dev/null
155 ping -6 -c1 2401:face::66 >& /dev/null
156 fi
157
158 cleanup
159
160 echo "OK"
161 }
162
163 cleanup
164 test_names="l2_to_ipip l2_to_ip6tnl"
165 test_dirs="ingress egress"
166 if [[ $# -ge 2 ]]; then
167 test_names=$1
168 test_dirs=$2
169 elif [[ $# -ge 1 ]]; then
170 test_names=$1
171 fi
172
173 for t in $test_names; do
174 for d in $test_dirs; do
175 $t $d
176 done
177 done
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.