1 // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
4 * Test suite of lwt_xmit BPF programs that redirect packets
5 * The file tests focus not only if these programs work as expected normally,
6 * but also if they can handle abnormal situations gracefully.
10 * This test suite may crash the kernel, thus should be run in a VM.
14 * All tests are performed in a single netns. Two lwt encap routes are setup for
17 * ip route add 10.0.0.0/24 encap bpf xmit <obj> sec "<ingress_sec>" dev link_err
18 * ip route add 20.0.0.0/24 encap bpf xmit <obj> sec "<egress_sec>" dev link_err
20 * Here <obj> is statically defined to test_lwt_redirect.bpf.o, and each section
21 * of this object holds a program entry to test. The BPF object is built from
22 * progs/test_lwt_redirect.c. We didn't use generated BPF skeleton since the
23 * attachment for lwt programs are not supported by libbpf yet.
25 * For testing, ping commands are run in the test netns:
27 * ping 10.0.0.<ifindex> -c 1 -w 1 -s 100
28 * ping 20.0.0.<ifindex> -c 1 -w 1 -s 100
31 * --------------------------------
32 * 1. Redirect to a running tap/tun device
33 * 2. Redirect to a down tap/tun device
34 * 3. Redirect to a vlan device with lower layer down
36 * Case 1, ping packets should be received by packet socket on target device
37 * when redirected to ingress, and by tun/tap fd when redirected to egress.
39 * Case 2,3 are considered successful as long as they do not crash the kernel
42 * Case 1,2 use tap device to test redirect to device that requires MAC
43 * header, and tun device to test the case with no MAC header added.
45 #include <sys/socket.h>
47 #include <linux/if_ether.h>
48 #include <linux/if_packet.h>
49 #include <linux/if_tun.h>
50 #include <linux/icmp.h>
51 #include <arpa/inet.h>
57 #include "lwt_helpers.h"
58 #include "test_progs.h"
59 #include "network_helpers.h"
61 #define BPF_OBJECT "test_lwt_redirect.bpf.o"
62 #define INGRESS_SEC(need_mac) ((need_mac) ? "redir_ingress" : "redir_ingress_nomac")
63 #define EGRESS_SEC(need_mac) ((need_mac) ? "redir_egress" : "redir_egress_nomac")
64 #define LOCAL_SRC "10.0.0.1"
65 #define CIDR_TO_INGRESS "10.0.0.0/24"
66 #define CIDR_TO_EGRESS "20.0.0.0/24"
68 /* ping to redirect toward given dev, with last byte of dest IP being the target
71 * Note: ping command inside BPF-CI is busybox version, so it does not have certain
72 * function, such like -m option to set packet mark.
74 static void ping_dev(const char *dev, bool is_ingress)
76 int link_index = if_nametoindex(dev);
79 if (!ASSERT_GE(link_index, 0, "if_nametoindex"))
83 snprintf(ip, sizeof(ip), "10.0.0.%d", link_index);
85 snprintf(ip, sizeof(ip), "20.0.0.%d", link_index);
87 /* We won't get a reply. Don't fail here */
88 SYS_NOFAIL("ping %s -c1 -W1 -s %d",
89 ip, ICMP_PAYLOAD_SIZE);
92 static int new_packet_sock(const char *ifname)
95 int ignore_outgoing = 1;
99 s = socket(AF_PACKET, SOCK_RAW, 0);
100 if (!ASSERT_GE(s, 0, "socket(AF_PACKET)"))
103 ifindex = if_nametoindex(ifname);
104 if (!ASSERT_GE(ifindex, 0, "if_nametoindex")) {
109 struct sockaddr_ll addr = {
110 .sll_family = AF_PACKET,
111 .sll_protocol = htons(ETH_P_IP),
112 .sll_ifindex = ifindex,
115 err = bind(s, (struct sockaddr *)&addr, sizeof(addr));
116 if (!ASSERT_OK(err, "bind(AF_PACKET)")) {
121 /* Use packet socket to capture only the ingress, so we can distinguish
122 * the case where a regression that actually redirects the packet to
125 err = setsockopt(s, SOL_PACKET, PACKET_IGNORE_OUTGOING,
126 &ignore_outgoing, sizeof(ignore_outgoing));
127 if (!ASSERT_OK(err, "setsockopt(PACKET_IGNORE_OUTGOING)")) {
132 err = fcntl(s, F_SETFL, O_NONBLOCK);
133 if (!ASSERT_OK(err, "fcntl(O_NONBLOCK)")) {
141 static int expect_icmp(char *buf, ssize_t len)
143 struct ethhdr *eth = (struct ethhdr *)buf;
145 if (len < (ssize_t)sizeof(*eth))
148 if (eth->h_proto == htons(ETH_P_IP))
149 return __expect_icmp_ipv4((char *)(eth + 1), len - sizeof(*eth));
154 static int expect_icmp_nomac(char *buf, ssize_t len)
156 return __expect_icmp_ipv4(buf, len);
159 static void send_and_capture_test_packets(const char *test_name, int tap_fd,
160 const char *target_dev, bool need_mac)
163 struct timeval timeo = {
169 filter_t filter = need_mac ? expect_icmp : expect_icmp_nomac;
171 ping_dev(target_dev, false);
173 ret = wait_for_packet(tap_fd, filter, &timeo);
174 if (!ASSERT_EQ(ret, 1, "wait_for_epacket")) {
175 log_err("%s egress test fails", test_name);
179 psock = new_packet_sock(target_dev);
180 ping_dev(target_dev, true);
182 ret = wait_for_packet(psock, filter, &timeo);
183 if (!ASSERT_EQ(ret, 1, "wait_for_ipacket")) {
184 log_err("%s ingress test fails", test_name);
193 static int setup_redirect_target(const char *target_dev, bool need_mac)
195 int target_index = -1;
198 tap_fd = open_tuntap(target_dev, need_mac);
199 if (!ASSERT_GE(tap_fd, 0, "open_tuntap"))
202 target_index = if_nametoindex(target_dev);
203 if (!ASSERT_GE(target_index, 0, "if_nametoindex"))
206 SYS(fail, "ip link add link_err type dummy");
207 SYS(fail, "ip link set lo up");
208 SYS(fail, "ip addr add dev lo " LOCAL_SRC "/32");
209 SYS(fail, "ip link set link_err up");
210 SYS(fail, "ip link set %s up", target_dev);
212 SYS(fail, "ip route add %s dev link_err encap bpf xmit obj %s sec %s",
213 CIDR_TO_INGRESS, BPF_OBJECT, INGRESS_SEC(need_mac));
215 SYS(fail, "ip route add %s dev link_err encap bpf xmit obj %s sec %s",
216 CIDR_TO_EGRESS, BPF_OBJECT, EGRESS_SEC(need_mac));
226 static void test_lwt_redirect_normal(void)
228 const char *target_dev = "tap0";
230 bool need_mac = true;
232 tap_fd = setup_redirect_target(target_dev, need_mac);
233 if (!ASSERT_GE(tap_fd, 0, "setup_redirect_target"))
236 send_and_capture_test_packets(__func__, tap_fd, target_dev, need_mac);
240 static void test_lwt_redirect_normal_nomac(void)
242 const char *target_dev = "tun0";
244 bool need_mac = false;
246 tap_fd = setup_redirect_target(target_dev, need_mac);
247 if (!ASSERT_GE(tap_fd, 0, "setup_redirect_target"))
250 send_and_capture_test_packets(__func__, tap_fd, target_dev, need_mac);
254 /* This test aims to prevent regression of future. As long as the kernel does
255 * not panic, it is considered as success.
257 static void __test_lwt_redirect_dev_down(bool need_mac)
259 const char *target_dev = "tap0";
262 tap_fd = setup_redirect_target(target_dev, need_mac);
263 if (!ASSERT_GE(tap_fd, 0, "setup_redirect_target"))
266 SYS(out, "ip link set %s down", target_dev);
267 ping_dev(target_dev, true);
268 ping_dev(target_dev, false);
274 static void test_lwt_redirect_dev_down(void)
276 __test_lwt_redirect_dev_down(true);
279 static void test_lwt_redirect_dev_down_nomac(void)
281 __test_lwt_redirect_dev_down(false);
284 /* This test aims to prevent regression of future. As long as the kernel does
285 * not panic, it is considered as success.
287 static void test_lwt_redirect_dev_carrier_down(void)
289 const char *lower_dev = "tap0";
290 const char *vlan_dev = "vlan100";
293 tap_fd = setup_redirect_target(lower_dev, true);
294 if (!ASSERT_GE(tap_fd, 0, "setup_redirect_target"))
297 SYS(out, "ip link add vlan100 link %s type vlan id 100", lower_dev);
298 SYS(out, "ip link set %s up", vlan_dev);
299 SYS(out, "ip link set %s down", lower_dev);
300 ping_dev(vlan_dev, true);
301 ping_dev(vlan_dev, false);
307 static void *test_lwt_redirect_run(void *arg)
310 RUN_TEST(lwt_redirect_normal);
311 RUN_TEST(lwt_redirect_normal_nomac);
312 RUN_TEST(lwt_redirect_dev_down);
313 RUN_TEST(lwt_redirect_dev_down_nomac);
314 RUN_TEST(lwt_redirect_dev_carrier_down);
318 void test_lwt_redirect(void)
320 pthread_t test_thread;
323 /* Run the tests in their own thread to isolate the namespace changes
324 * so they do not affect the environment of other tests.
325 * (specifically needed because of unshare(CLONE_NEWNS) in open_netns())
327 err = pthread_create(&test_thread, NULL, &test_lwt_redirect_run, NULL);
328 if (ASSERT_OK(err, "pthread_create"))
329 ASSERT_OK(pthread_join(test_thread, NULL), "pthread_join");