1#!/bin/bash 2# SPDX-License-Identifier: GPL-2.0 3# 4# Load BPF flow dissector and verify it correctly dissects traffic 5export TESTNAME=test_flow_dissector 6unmount=0 7 8# Kselftest framework requirement - SKIP code is 4. 9ksft_skip=4 10 11msg="skip all tests:" 12if [ $UID != 0 ]; then 13 echo $msg please run this as root >&2 14 exit $ksft_skip 15fi 16 17# This test needs to be run in a network namespace with in_netns.sh. Check if 18# this is the case and run it with in_netns.sh if it is being run in the root 19# namespace. 20if [[ -z $(ip netns identify $$) ]]; then 21 err=0 22 if bpftool="$(which bpftool)"; then 23 echo "Testing global flow dissector..." 24 25 $bpftool prog loadall ./bpf_flow.o /sys/fs/bpf/flow \ 26 type flow_dissector 27 28 if ! unshare --net $bpftool prog attach pinned \ 29 /sys/fs/bpf/flow/_dissect flow_dissector; then 30 echo "Unexpected unsuccessful attach in namespace" >&2 31 err=1 32 fi 33 34 $bpftool prog attach pinned /sys/fs/bpf/flow/_dissect \ 35 flow_dissector 36 37 if unshare --net $bpftool prog attach pinned \ 38 /sys/fs/bpf/flow/_dissect flow_dissector; then 39 echo "Unexpected successful attach in namespace" >&2 40 err=1 41 fi 42 43 if ! $bpftool prog detach pinned \ 44 /sys/fs/bpf/flow/_dissect flow_dissector; then 45 echo "Failed to detach flow dissector" >&2 46 err=1 47 fi 48 49 rm -rf /sys/fs/bpf/flow 50 else 51 echo "Skipping root flow dissector test, bpftool not found" >&2 52 fi 53 54 # Run the rest of the tests in a net namespace. 55 ../net/in_netns.sh "$0" "$@" 56 err=$(( $err + $? )) 57 58 if (( $err == 0 )); then 59 echo "selftests: $TESTNAME [PASS]"; 60 else 61 echo "selftests: $TESTNAME [FAILED]"; 62 fi 63 64 exit $err 65fi 66 67# Determine selftest success via shell exit code 68exit_handler() 69{ 70 set +e 71 72 # Cleanup 73 tc filter del dev lo ingress pref 1337 2> /dev/null 74 tc qdisc del dev lo ingress 2> /dev/null 75 ./flow_dissector_load -d 2> /dev/null 76 if [ $unmount -ne 0 ]; then 77 umount bpffs 2> /dev/null 78 fi 79} 80 81# Exit script immediately (well catched by trap handler) if any 82# program/thing exits with a non-zero status. 83set -e 84 85# (Use 'trap -l' to list meaning of numbers) 86trap exit_handler 0 2 3 6 9 87 88# Mount BPF file system 89if /bin/mount | grep /sys/fs/bpf > /dev/null; then 90 echo "bpffs already mounted" 91else 92 echo "bpffs not mounted. Mounting..." 93 unmount=1 94 /bin/mount bpffs /sys/fs/bpf -t bpf 95fi 96 97# Attach BPF program 98./flow_dissector_load -p bpf_flow.o -s _dissect 99 100# Setup 101tc qdisc add dev lo ingress 102echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter 103echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter 104echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter 105 106echo "Testing IPv4..." 107# Drops all IP/UDP packets coming from port 9 108tc filter add dev lo parent ffff: protocol ip pref 1337 flower ip_proto \ 109 udp src_port 9 action drop 110 111# Send 10 IPv4/UDP packets from port 8. Filter should not drop any. 112./test_flow_dissector -i 4 -f 8 113# Send 10 IPv4/UDP packets from port 9. Filter should drop all. 114./test_flow_dissector -i 4 -f 9 -F 115# Send 10 IPv4/UDP packets from port 10. Filter should not drop any. 116./test_flow_dissector -i 4 -f 10 117 118echo "Testing IPv4 from 127.0.0.127 (fallback to generic dissector)..." 119# Send 10 IPv4/UDP packets from port 8. Filter should not drop any. 120./test_flow_dissector -i 4 -S 127.0.0.127 -f 8 121# Send 10 IPv4/UDP packets from port 9. Filter should drop all. 122./test_flow_dissector -i 4 -S 127.0.0.127 -f 9 -F 123# Send 10 IPv4/UDP packets from port 10. Filter should not drop any. 124./test_flow_dissector -i 4 -S 127.0.0.127 -f 10 125 126echo "Testing IPIP..." 127# Send 10 IPv4/IPv4/UDP packets from port 8. Filter should not drop any. 128./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \ 129 -D 192.168.0.1 -S 1.1.1.1 -f 8 130# Send 10 IPv4/IPv4/UDP packets from port 9. Filter should drop all. 131./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \ 132 -D 192.168.0.1 -S 1.1.1.1 -f 9 -F 133# Send 10 IPv4/IPv4/UDP packets from port 10. Filter should not drop any. 134./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \ 135 -D 192.168.0.1 -S 1.1.1.1 -f 10 136 137echo "Testing IPv4 + GRE..." 138# Send 10 IPv4/GRE/IPv4/UDP packets from port 8. Filter should not drop any. 139./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e gre -i 4 \ 140 -D 192.168.0.1 -S 1.1.1.1 -f 8 141# Send 10 IPv4/GRE/IPv4/UDP packets from port 9. Filter should drop all. 142./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e gre -i 4 \ 143 -D 192.168.0.1 -S 1.1.1.1 -f 9 -F 144# Send 10 IPv4/GRE/IPv4/UDP packets from port 10. Filter should not drop any. 145./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e gre -i 4 \ 146 -D 192.168.0.1 -S 1.1.1.1 -f 10 147 148tc filter del dev lo ingress pref 1337 149 150echo "Testing port range..." 151# Drops all IP/UDP packets coming from port 8-10 152tc filter add dev lo parent ffff: protocol ip pref 1337 flower ip_proto \ 153 udp src_port 8-10 action drop 154 155# Send 10 IPv4/UDP packets from port 7. Filter should not drop any. 156./test_flow_dissector -i 4 -f 7 157# Send 10 IPv4/UDP packets from port 9. Filter should drop all. 158./test_flow_dissector -i 4 -f 9 -F 159# Send 10 IPv4/UDP packets from port 11. Filter should not drop any. 160./test_flow_dissector -i 4 -f 11 161 162tc filter del dev lo ingress pref 1337 163 164echo "Testing IPv6..." 165# Drops all IPv6/UDP packets coming from port 9 166tc filter add dev lo parent ffff: protocol ipv6 pref 1337 flower ip_proto \ 167 udp src_port 9 action drop 168 169# Send 10 IPv6/UDP packets from port 8. Filter should not drop any. 170./test_flow_dissector -i 6 -f 8 171# Send 10 IPv6/UDP packets from port 9. Filter should drop all. 172./test_flow_dissector -i 6 -f 9 -F 173# Send 10 IPv6/UDP packets from port 10. Filter should not drop any. 174./test_flow_dissector -i 6 -f 10 175 176exit 0 177