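#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Load BPF flow dissector and verify it correctly dissects traffic
#
# The script has two phases:
#   1. Started outside a named network namespace, it optionally runs the
#      "global flow dissector" attach/detach checks with bpftool and then
#      re-executes itself through ../net/in_netns.sh.
#   2. Started inside a network namespace, it attaches the dissector with
#      ./flow_dissector_load, installs tc flower filters on lo and drives
#      ./test_flow_dissector against them.
#
# NOTE(review): everything below runs as root. bpftool is resolved through
# PATH and the helpers (./flow_dissector_load, ./test_flow_dissector,
# ./with_addr.sh, ./with_tunnels.sh, ../net/in_netns.sh) through paths
# relative to the current directory, so run this only from a trusted
# selftests build directory with a trusted PATH.

BPF_FILE="bpf_flow.bpf.o"
export TESTNAME=test_flow_dissector
unmount=0

# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4

msg="skip all tests:"
if [ "$UID" != 0 ]; then
	echo "$msg please run this as root" >&2
	exit "$ksft_skip"
fi

# This test needs to be run in a network namespace with in_netns.sh. Check if
# this is the case and run it with in_netns.sh if it is being run in the root
# namespace.
if [[ -z "$(ip netns identify $$)" ]]; then
	err=0
	# command -v is the shell builtin lookup; it avoids depending on an
	# external 'which' binary.
	if bpftool="$(command -v bpftool)"; then
		echo "Testing global flow dissector..."

		# Load and pin the programs. A failure here is not checked
		# directly; it surfaces through the attach checks below.
		"$bpftool" prog loadall "$BPF_FILE" /sys/fs/bpf/flow \
			type flow_dissector

		# No dissector is attached yet: attaching from a fresh net
		# namespace is expected to succeed.
		if ! unshare --net "$bpftool" prog attach pinned \
			/sys/fs/bpf/flow/_dissect flow_dissector; then
			echo "Unexpected unsuccessful attach in namespace" >&2
			err=1
		fi

		# Attach in the namespace this script was started in.
		"$bpftool" prog attach pinned /sys/fs/bpf/flow/_dissect \
			flow_dissector

		# With that attachment in place, attaching from a fresh net
		# namespace is expected to be refused.
		if unshare --net "$bpftool" prog attach pinned \
			/sys/fs/bpf/flow/_dissect flow_dissector; then
			echo "Unexpected successful attach in namespace" >&2
			err=1
		fi

		if ! "$bpftool" prog detach pinned \
			/sys/fs/bpf/flow/_dissect flow_dissector; then
			echo "Failed to detach flow dissector" >&2
			err=1
		fi

		# Remove the pins created by 'prog loadall' above.
		rm -rf /sys/fs/bpf/flow
	else
		echo "Skipping root flow dissector test, bpftool not found" >&2
	fi

	# Run the rest of the tests in a net namespace.
	../net/in_netns.sh "$0" "$@"
	err=$(( err + $? ))

	# The shell keeps only the low 8 bits of an exit status, so a sum of
	# 256 would be reported as success. Clamp it to a plain failure.
	if (( err > 255 )); then
		err=1
	fi

	if (( err == 0 )); then
		echo "selftests: $TESTNAME [PASS]"
	else
		echo "selftests: $TESTNAME [FAILED]"
	fi

	exit "$err"
fi

# Determine selftest success via shell exit code
#
# Cleanup handler: removes the tc filter and ingress qdisc on lo, detaches
# the dissector and unmounts bpffs if this script mounted it. Errors are
# ignored (set +e, stderr discarded) because any of these may not exist yet
# when the handler runs.
exit_handler()
{
	set +e

	# Cleanup
	tc filter del dev lo ingress pref 1337 2> /dev/null
	tc qdisc del dev lo ingress 2> /dev/null
	./flow_dissector_load -d 2> /dev/null
	if [ "$unmount" -ne 0 ]; then
		umount bpffs 2> /dev/null
	fi
}

# Exit script immediately (well caught by trap handler) if any
# program/thing exits with a non-zero status.
set -e

# Run the cleanup on normal exit and on SIGINT, SIGQUIT and SIGABRT
# (numbers 0, 2, 3 and 6 in the original list). SIGKILL (9) was listed as
# well, but it cannot be caught, so it is left out.
trap exit_handler EXIT INT QUIT ABRT

# Mount BPF file system
if /bin/mount | grep -q /sys/fs/bpf; then
	echo "bpffs already mounted"
else
	echo "bpffs not mounted. Mounting..."
	unmount=1
	/bin/mount bpffs /sys/fs/bpf -t bpf
fi

# Attach BPF program
./flow_dissector_load -p "$BPF_FILE" -s _dissect

# Setup
tc qdisc add dev lo ingress
# Reverse-path filtering is switched off for the test traffic. This point is
# only reached when 'ip netns identify' reported a namespace above.
# NOTE(review): presumably the sysctls are therefore scoped to that
# namespace and need no restore - confirm against in_netns.sh.
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter

echo "Testing IPv4..."
# Drops all IP/UDP packets coming from port 9
tc filter add dev lo parent ffff: protocol ip pref 1337 flower ip_proto \
	udp src_port 9 action drop

# Send 10 IPv4/UDP packets from port 8. Filter should not drop any.
./test_flow_dissector -i 4 -f 8
# Send 10 IPv4/UDP packets from port 9. Filter should drop all.
./test_flow_dissector -i 4 -f 9 -F
# Send 10 IPv4/UDP packets from port 10. Filter should not drop any.
./test_flow_dissector -i 4 -f 10

echo "Testing IPv4 from 127.0.0.127 (fallback to generic dissector)..."
# Send 10 IPv4/UDP packets from port 8. Filter should not drop any.
./test_flow_dissector -i 4 -S 127.0.0.127 -f 8
# Send 10 IPv4/UDP packets from port 9. Filter should drop all.
./test_flow_dissector -i 4 -S 127.0.0.127 -f 9 -F
# Send 10 IPv4/UDP packets from port 10. Filter should not drop any.
./test_flow_dissector -i 4 -S 127.0.0.127 -f 10

echo "Testing IPIP..."
# Send 10 IPv4/IPv4/UDP packets from port 8. Filter should not drop any.
./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \
	-D 192.168.0.1 -S 1.1.1.1 -f 8
# Send 10 IPv4/IPv4/UDP packets from port 9. Filter should drop all.
./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \
	-D 192.168.0.1 -S 1.1.1.1 -f 9 -F
# Send 10 IPv4/IPv4/UDP packets from port 10. Filter should not drop any.
./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \
	-D 192.168.0.1 -S 1.1.1.1 -f 10

echo "Testing IPv4 + GRE..."
# Send 10 IPv4/GRE/IPv4/UDP packets from port 8. Filter should not drop any.
./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e gre -i 4 \
	-D 192.168.0.1 -S 1.1.1.1 -f 8
# Send 10 IPv4/GRE/IPv4/UDP packets from port 9. Filter should drop all.
./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e gre -i 4 \
	-D 192.168.0.1 -S 1.1.1.1 -f 9 -F
# Send 10 IPv4/GRE/IPv4/UDP packets from port 10. Filter should not drop any.
./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e gre -i 4 \
	-D 192.168.0.1 -S 1.1.1.1 -f 10

tc filter del dev lo ingress pref 1337

echo "Testing port range..."
# Drops all IP/UDP packets coming from port 8-10
tc filter add dev lo parent ffff: protocol ip pref 1337 flower ip_proto \
	udp src_port 8-10 action drop

# Send 10 IPv4/UDP packets from port 7. Filter should not drop any.
./test_flow_dissector -i 4 -f 7
# Send 10 IPv4/UDP packets from port 9. Filter should drop all.
./test_flow_dissector -i 4 -f 9 -F
# Send 10 IPv4/UDP packets from port 11. Filter should not drop any.
./test_flow_dissector -i 4 -f 11

tc filter del dev lo ingress pref 1337

echo "Testing IPv6..."
# Drops all IPv6/UDP packets coming from port 9
tc filter add dev lo parent ffff: protocol ipv6 pref 1337 flower ip_proto \
	udp src_port 9 action drop

# Send 10 IPv6/UDP packets from port 8. Filter should not drop any.
./test_flow_dissector -i 6 -f 8
# Send 10 IPv6/UDP packets from port 9. Filter should drop all.
./test_flow_dissector -i 6 -f 9 -F
# Send 10 IPv6/UDP packets from port 10. Filter should not drop any.
./test_flow_dissector -i 6 -f 10

exit 0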