forked from Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
168 lines
5.1 KiB
168 lines
5.1 KiB
#!/bin/bash |
|
# SPDX-License-Identifier: GPL-2.0 |
|
# |
|
# Load BPF flow dissector and verify it correctly dissects traffic |
|
export TESTNAME=test_flow_dissector |
|
unmount=0 |
|
|
|
# Kselftest framework requirement - SKIP code is 4. |
|
ksft_skip=4 |
|
|
|
msg="skip all tests:" |
|
if [ $UID != 0 ]; then |
|
echo $msg please run this as root >&2 |
|
exit $ksft_skip |
|
fi |
|
|
|
# This test needs to be run in a network namespace with in_netns.sh. Check if |
|
# this is the case and run it with in_netns.sh if it is being run in the root |
|
# namespace. |
|
if [[ -z $(ip netns identify $$) ]]; then |
|
err=0 |
|
if bpftool="$(which bpftool)"; then |
|
echo "Testing global flow dissector..." |
|
|
|
$bpftool prog loadall ./bpf_flow.o /sys/fs/bpf/flow \ |
|
type flow_dissector |
|
|
|
if ! unshare --net $bpftool prog attach pinned \ |
|
/sys/fs/bpf/flow/flow_dissector flow_dissector; then |
|
echo "Unexpected unsuccessful attach in namespace" >&2 |
|
err=1 |
|
fi |
|
|
|
$bpftool prog attach pinned /sys/fs/bpf/flow/flow_dissector \ |
|
flow_dissector |
|
|
|
if unshare --net $bpftool prog attach pinned \ |
|
/sys/fs/bpf/flow/flow_dissector flow_dissector; then |
|
echo "Unexpected successful attach in namespace" >&2 |
|
err=1 |
|
fi |
|
|
|
if ! $bpftool prog detach pinned \ |
|
/sys/fs/bpf/flow/flow_dissector flow_dissector; then |
|
echo "Failed to detach flow dissector" >&2 |
|
err=1 |
|
fi |
|
|
|
rm -rf /sys/fs/bpf/flow |
|
else |
|
echo "Skipping root flow dissector test, bpftool not found" >&2 |
|
fi |
|
|
|
# Run the rest of the tests in a net namespace. |
|
../net/in_netns.sh "$0" "$@" |
|
err=$(( $err + $? )) |
|
|
|
if (( $err == 0 )); then |
|
echo "selftests: $TESTNAME [PASS]"; |
|
else |
|
echo "selftests: $TESTNAME [FAILED]"; |
|
fi |
|
|
|
exit $err |
|
fi |
|
|
|
# Determine selftest success via shell exit code |
|
exit_handler() |
|
{ |
|
set +e |
|
|
|
# Cleanup |
|
tc filter del dev lo ingress pref 1337 2> /dev/null |
|
tc qdisc del dev lo ingress 2> /dev/null |
|
./flow_dissector_load -d 2> /dev/null |
|
if [ $unmount -ne 0 ]; then |
|
umount bpffs 2> /dev/null |
|
fi |
|
} |
|
|
|
# Exit script immediately (well catched by trap handler) if any |
|
# program/thing exits with a non-zero status. |
|
set -e |
|
|
|
# (Use 'trap -l' to list meaning of numbers) |
|
trap exit_handler 0 2 3 6 9 |
|
|
|
# Mount BPF file system |
|
if /bin/mount | grep /sys/fs/bpf > /dev/null; then |
|
echo "bpffs already mounted" |
|
else |
|
echo "bpffs not mounted. Mounting..." |
|
unmount=1 |
|
/bin/mount bpffs /sys/fs/bpf -t bpf |
|
fi |
|
|
|
# Attach BPF program |
|
./flow_dissector_load -p bpf_flow.o -s flow_dissector |
|
|
|
# Setup |
|
tc qdisc add dev lo ingress |
|
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter |
|
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter |
|
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter |
|
|
|
echo "Testing IPv4..." |
|
# Drops all IP/UDP packets coming from port 9 |
|
tc filter add dev lo parent ffff: protocol ip pref 1337 flower ip_proto \ |
|
udp src_port 9 action drop |
|
|
|
# Send 10 IPv4/UDP packets from port 8. Filter should not drop any. |
|
./test_flow_dissector -i 4 -f 8 |
|
# Send 10 IPv4/UDP packets from port 9. Filter should drop all. |
|
./test_flow_dissector -i 4 -f 9 -F |
|
# Send 10 IPv4/UDP packets from port 10. Filter should not drop any. |
|
./test_flow_dissector -i 4 -f 10 |
|
|
|
echo "Testing IPIP..." |
|
# Send 10 IPv4/IPv4/UDP packets from port 8. Filter should not drop any. |
|
./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \ |
|
-D 192.168.0.1 -S 1.1.1.1 -f 8 |
|
# Send 10 IPv4/IPv4/UDP packets from port 9. Filter should drop all. |
|
./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \ |
|
-D 192.168.0.1 -S 1.1.1.1 -f 9 -F |
|
# Send 10 IPv4/IPv4/UDP packets from port 10. Filter should not drop any. |
|
./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \ |
|
-D 192.168.0.1 -S 1.1.1.1 -f 10 |
|
|
|
echo "Testing IPv4 + GRE..." |
|
# Send 10 IPv4/GRE/IPv4/UDP packets from port 8. Filter should not drop any. |
|
./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e gre -i 4 \ |
|
-D 192.168.0.1 -S 1.1.1.1 -f 8 |
|
# Send 10 IPv4/GRE/IPv4/UDP packets from port 9. Filter should drop all. |
|
./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e gre -i 4 \ |
|
-D 192.168.0.1 -S 1.1.1.1 -f 9 -F |
|
# Send 10 IPv4/GRE/IPv4/UDP packets from port 10. Filter should not drop any. |
|
./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e gre -i 4 \ |
|
-D 192.168.0.1 -S 1.1.1.1 -f 10 |
|
|
|
tc filter del dev lo ingress pref 1337 |
|
|
|
echo "Testing port range..." |
|
# Drops all IP/UDP packets coming from port 8-10 |
|
tc filter add dev lo parent ffff: protocol ip pref 1337 flower ip_proto \ |
|
udp src_port 8-10 action drop |
|
|
|
# Send 10 IPv4/UDP packets from port 7. Filter should not drop any. |
|
./test_flow_dissector -i 4 -f 7 |
|
# Send 10 IPv4/UDP packets from port 9. Filter should drop all. |
|
./test_flow_dissector -i 4 -f 9 -F |
|
# Send 10 IPv4/UDP packets from port 11. Filter should not drop any. |
|
./test_flow_dissector -i 4 -f 11 |
|
|
|
tc filter del dev lo ingress pref 1337 |
|
|
|
echo "Testing IPv6..." |
|
# Drops all IPv6/UDP packets coming from port 9 |
|
tc filter add dev lo parent ffff: protocol ipv6 pref 1337 flower ip_proto \ |
|
udp src_port 9 action drop |
|
|
|
# Send 10 IPv6/UDP packets from port 8. Filter should not drop any. |
|
./test_flow_dissector -i 6 -f 8 |
|
# Send 10 IPv6/UDP packets from port 9. Filter should drop all. |
|
./test_flow_dissector -i 6 -f 9 -F |
|
# Send 10 IPv6/UDP packets from port 10. Filter should not drop any. |
|
./test_flow_dissector -i 6 -f 10 |
|
|
|
exit 0
|
|
|