selftests/bpf: Use SOCKMAP for server sockets in bpf_sk_assign test
Update bpf_sk_assign test to fetch the server socket from SOCKMAP, now that map lookup from BPF in SOCKMAP is enabled. This way the test TC BPF program doesn't need to know what address server socket is bound to. Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: John Fastabend <john.fastabend@gmail.com> Link: https://lore.kernel.org/bpf/20200429181154.479310-4-jakub@cloudflare.com
This commit is contained in:
parent
34a2cc6eee
commit
0b9ad56b1e
|
@ -243,7 +243,7 @@ define GCC_BPF_BUILD_RULE
|
||||||
$(BPF_GCC) $3 $4 -O2 -c $1 -o $2
|
$(BPF_GCC) $3 $4 -O2 -c $1 -o $2
|
||||||
endef
|
endef
|
||||||
|
|
||||||
SKEL_BLACKLIST := btf__% test_pinning_invalid.c
|
SKEL_BLACKLIST := btf__% test_pinning_invalid.c test_sk_assign.c
|
||||||
|
|
||||||
# Set up extra TRUNNER_XXX "temporary" variables in the environment (relies on
|
# Set up extra TRUNNER_XXX "temporary" variables in the environment (relies on
|
||||||
# $eval()) and pass control to DEFINE_TEST_RUNNER_RULES.
|
# $eval()) and pass control to DEFINE_TEST_RUNNER_RULES.
|
||||||
|
|
|
@ -20,6 +20,7 @@
|
||||||
#define CONNECT_PORT 4321
|
#define CONNECT_PORT 4321
|
||||||
#define TEST_DADDR (0xC0A80203)
|
#define TEST_DADDR (0xC0A80203)
|
||||||
#define NS_SELF "/proc/self/ns/net"
|
#define NS_SELF "/proc/self/ns/net"
|
||||||
|
#define SERVER_MAP_PATH "/sys/fs/bpf/tc/globals/server_map"
|
||||||
|
|
||||||
static const struct timeval timeo_sec = { .tv_sec = 3 };
|
static const struct timeval timeo_sec = { .tv_sec = 3 };
|
||||||
static const size_t timeo_optlen = sizeof(timeo_sec);
|
static const size_t timeo_optlen = sizeof(timeo_sec);
|
||||||
|
@ -265,6 +266,7 @@ void test_sk_assign(void)
|
||||||
TEST("ipv6 udp addr redir", AF_INET6, SOCK_DGRAM, true),
|
TEST("ipv6 udp addr redir", AF_INET6, SOCK_DGRAM, true),
|
||||||
};
|
};
|
||||||
int server = -1;
|
int server = -1;
|
||||||
|
int server_map;
|
||||||
int self_net;
|
int self_net;
|
||||||
|
|
||||||
self_net = open(NS_SELF, O_RDONLY);
|
self_net = open(NS_SELF, O_RDONLY);
|
||||||
|
@ -278,9 +280,17 @@ void test_sk_assign(void)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
server_map = bpf_obj_get(SERVER_MAP_PATH);
|
||||||
|
if (CHECK_FAIL(server_map < 0)) {
|
||||||
|
perror("Unable to open " SERVER_MAP_PATH);
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
for (int i = 0; i < ARRAY_SIZE(tests) && !READ_ONCE(stop); i++) {
|
for (int i = 0; i < ARRAY_SIZE(tests) && !READ_ONCE(stop); i++) {
|
||||||
struct test_sk_cfg *test = &tests[i];
|
struct test_sk_cfg *test = &tests[i];
|
||||||
const struct sockaddr *addr;
|
const struct sockaddr *addr;
|
||||||
|
const int zero = 0;
|
||||||
|
int err;
|
||||||
|
|
||||||
if (!test__start_subtest(test->name))
|
if (!test__start_subtest(test->name))
|
||||||
continue;
|
continue;
|
||||||
|
@ -288,7 +298,13 @@ void test_sk_assign(void)
|
||||||
addr = (const struct sockaddr *)test->addr;
|
addr = (const struct sockaddr *)test->addr;
|
||||||
server = start_server(addr, test->len, test->type);
|
server = start_server(addr, test->len, test->type);
|
||||||
if (server == -1)
|
if (server == -1)
|
||||||
goto cleanup;
|
goto close;
|
||||||
|
|
||||||
|
err = bpf_map_update_elem(server_map, &zero, &server, BPF_ANY);
|
||||||
|
if (CHECK_FAIL(err)) {
|
||||||
|
perror("Unable to update server_map");
|
||||||
|
goto close;
|
||||||
|
}
|
||||||
|
|
||||||
/* connect to unbound ports */
|
/* connect to unbound ports */
|
||||||
prepare_addr(test->addr, test->family, CONNECT_PORT,
|
prepare_addr(test->addr, test->family, CONNECT_PORT,
|
||||||
|
@ -302,7 +318,10 @@ void test_sk_assign(void)
|
||||||
|
|
||||||
close:
|
close:
|
||||||
close(server);
|
close(server);
|
||||||
|
close(server_map);
|
||||||
cleanup:
|
cleanup:
|
||||||
|
if (CHECK_FAIL(unlink(SERVER_MAP_PATH)))
|
||||||
|
perror("Unable to unlink " SERVER_MAP_PATH);
|
||||||
if (CHECK_FAIL(setns(self_net, CLONE_NEWNET)))
|
if (CHECK_FAIL(setns(self_net, CLONE_NEWNET)))
|
||||||
perror("Failed to setns("NS_SELF")");
|
perror("Failed to setns("NS_SELF")");
|
||||||
close(self_net);
|
close(self_net);
|
||||||
|
|
|
@ -16,6 +16,26 @@
|
||||||
#include <bpf/bpf_helpers.h>
|
#include <bpf/bpf_helpers.h>
|
||||||
#include <bpf/bpf_endian.h>
|
#include <bpf/bpf_endian.h>
|
||||||
|
|
||||||
|
/* Pin map under /sys/fs/bpf/tc/globals/<map name> */
|
||||||
|
#define PIN_GLOBAL_NS 2
|
||||||
|
|
||||||
|
/* Must match struct bpf_elf_map layout from iproute2 */
|
||||||
|
struct {
|
||||||
|
__u32 type;
|
||||||
|
__u32 size_key;
|
||||||
|
__u32 size_value;
|
||||||
|
__u32 max_elem;
|
||||||
|
__u32 flags;
|
||||||
|
__u32 id;
|
||||||
|
__u32 pinning;
|
||||||
|
} server_map SEC("maps") = {
|
||||||
|
.type = BPF_MAP_TYPE_SOCKMAP,
|
||||||
|
.size_key = sizeof(int),
|
||||||
|
.size_value = sizeof(__u64),
|
||||||
|
.max_elem = 1,
|
||||||
|
.pinning = PIN_GLOBAL_NS,
|
||||||
|
};
|
||||||
|
|
||||||
int _version SEC("version") = 1;
|
int _version SEC("version") = 1;
|
||||||
char _license[] SEC("license") = "GPL";
|
char _license[] SEC("license") = "GPL";
|
||||||
|
|
||||||
|
@ -72,7 +92,9 @@ handle_udp(struct __sk_buff *skb, struct bpf_sock_tuple *tuple, bool ipv4)
|
||||||
{
|
{
|
||||||
struct bpf_sock_tuple ln = {0};
|
struct bpf_sock_tuple ln = {0};
|
||||||
struct bpf_sock *sk;
|
struct bpf_sock *sk;
|
||||||
|
const int zero = 0;
|
||||||
size_t tuple_len;
|
size_t tuple_len;
|
||||||
|
__be16 dport;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
tuple_len = ipv4 ? sizeof(tuple->ipv4) : sizeof(tuple->ipv6);
|
tuple_len = ipv4 ? sizeof(tuple->ipv4) : sizeof(tuple->ipv6);
|
||||||
|
@ -83,32 +105,11 @@ handle_udp(struct __sk_buff *skb, struct bpf_sock_tuple *tuple, bool ipv4)
|
||||||
if (sk)
|
if (sk)
|
||||||
goto assign;
|
goto assign;
|
||||||
|
|
||||||
if (ipv4) {
|
dport = ipv4 ? tuple->ipv4.dport : tuple->ipv6.dport;
|
||||||
if (tuple->ipv4.dport != bpf_htons(4321))
|
if (dport != bpf_htons(4321))
|
||||||
return TC_ACT_OK;
|
return TC_ACT_OK;
|
||||||
|
|
||||||
ln.ipv4.daddr = bpf_htonl(0x7f000001);
|
sk = bpf_map_lookup_elem(&server_map, &zero);
|
||||||
ln.ipv4.dport = bpf_htons(1234);
|
|
||||||
|
|
||||||
sk = bpf_sk_lookup_udp(skb, &ln, sizeof(ln.ipv4),
|
|
||||||
BPF_F_CURRENT_NETNS, 0);
|
|
||||||
} else {
|
|
||||||
if (tuple->ipv6.dport != bpf_htons(4321))
|
|
||||||
return TC_ACT_OK;
|
|
||||||
|
|
||||||
/* Upper parts of daddr are already zero. */
|
|
||||||
ln.ipv6.daddr[3] = bpf_htonl(0x1);
|
|
||||||
ln.ipv6.dport = bpf_htons(1234);
|
|
||||||
|
|
||||||
sk = bpf_sk_lookup_udp(skb, &ln, sizeof(ln.ipv6),
|
|
||||||
BPF_F_CURRENT_NETNS, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* workaround: We can't do a single socket lookup here, because then
|
|
||||||
* the compiler will likely spill tuple_len to the stack. This makes it
|
|
||||||
* lose all bounds information in the verifier, which then rejects the
|
|
||||||
* call as unsafe.
|
|
||||||
*/
|
|
||||||
if (!sk)
|
if (!sk)
|
||||||
return TC_ACT_SHOT;
|
return TC_ACT_SHOT;
|
||||||
|
|
||||||
|
@ -123,7 +124,9 @@ handle_tcp(struct __sk_buff *skb, struct bpf_sock_tuple *tuple, bool ipv4)
|
||||||
{
|
{
|
||||||
struct bpf_sock_tuple ln = {0};
|
struct bpf_sock_tuple ln = {0};
|
||||||
struct bpf_sock *sk;
|
struct bpf_sock *sk;
|
||||||
|
const int zero = 0;
|
||||||
size_t tuple_len;
|
size_t tuple_len;
|
||||||
|
__be16 dport;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
tuple_len = ipv4 ? sizeof(tuple->ipv4) : sizeof(tuple->ipv6);
|
tuple_len = ipv4 ? sizeof(tuple->ipv4) : sizeof(tuple->ipv6);
|
||||||
|
@ -137,32 +140,11 @@ handle_tcp(struct __sk_buff *skb, struct bpf_sock_tuple *tuple, bool ipv4)
|
||||||
bpf_sk_release(sk);
|
bpf_sk_release(sk);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ipv4) {
|
dport = ipv4 ? tuple->ipv4.dport : tuple->ipv6.dport;
|
||||||
if (tuple->ipv4.dport != bpf_htons(4321))
|
if (dport != bpf_htons(4321))
|
||||||
return TC_ACT_OK;
|
return TC_ACT_OK;
|
||||||
|
|
||||||
ln.ipv4.daddr = bpf_htonl(0x7f000001);
|
sk = bpf_map_lookup_elem(&server_map, &zero);
|
||||||
ln.ipv4.dport = bpf_htons(1234);
|
|
||||||
|
|
||||||
sk = bpf_skc_lookup_tcp(skb, &ln, sizeof(ln.ipv4),
|
|
||||||
BPF_F_CURRENT_NETNS, 0);
|
|
||||||
} else {
|
|
||||||
if (tuple->ipv6.dport != bpf_htons(4321))
|
|
||||||
return TC_ACT_OK;
|
|
||||||
|
|
||||||
/* Upper parts of daddr are already zero. */
|
|
||||||
ln.ipv6.daddr[3] = bpf_htonl(0x1);
|
|
||||||
ln.ipv6.dport = bpf_htons(1234);
|
|
||||||
|
|
||||||
sk = bpf_skc_lookup_tcp(skb, &ln, sizeof(ln.ipv6),
|
|
||||||
BPF_F_CURRENT_NETNS, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* workaround: We can't do a single socket lookup here, because then
|
|
||||||
* the compiler will likely spill tuple_len to the stack. This makes it
|
|
||||||
* lose all bounds information in the verifier, which then rejects the
|
|
||||||
* call as unsafe.
|
|
||||||
*/
|
|
||||||
if (!sk)
|
if (!sk)
|
||||||
return TC_ACT_SHOT;
|
return TC_ACT_SHOT;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue