tools/testing/selftests/bpf/test_tc_tunnel.sh

   1 #!/bin/bash
   2 # SPDX-License-Identifier: GPL-2.0
   3 #
   4 # In-place tunneling
   5
   6 # must match the port that the bpf program filters on
   7 readonly port=8000
   8
   9 readonly ns_prefix="ns-$$-"
  10 readonly ns1="${ns_prefix}1"
  11 readonly ns2="${ns_prefix}2"
  12
  13 readonly ns1_v4=192.168.1.1
  14 readonly ns2_v4=192.168.1.2
  15 readonly ns1_v6=fd::1
  16 readonly ns2_v6=fd::2
  17
  18 # Must match port used by bpf program
  19 readonly udpport=5555
  20 # MPLSoverUDP
  21 readonly mplsudpport=6635
  22 readonly mplsproto=137
  23
  24 readonly infile="$(mktemp)"
  25 readonly outfile="$(mktemp)"
  26
  27 setup() {
  28         ip netns add "${ns1}"
  29         ip netns add "${ns2}"
  30
  31         ip link add dev veth1 mtu 1500 netns "${ns1}" type veth \
  32               peer name veth2 mtu 1500 netns "${ns2}"
  33
  34         ip netns exec "${ns1}" ethtool -K veth1 tso off
  35
  36         ip -netns "${ns1}" link set veth1 up
  37         ip -netns "${ns2}" link set veth2 up
  38
  39         ip -netns "${ns1}" -4 addr add "${ns1_v4}/24" dev veth1
  40         ip -netns "${ns2}" -4 addr add "${ns2_v4}/24" dev veth2
  41         ip -netns "${ns1}" -6 addr add "${ns1_v6}/64" dev veth1 nodad
  42         ip -netns "${ns2}" -6 addr add "${ns2_v6}/64" dev veth2 nodad
  43
  44         # clamp route to reserve room for tunnel headers
  45         ip -netns "${ns1}" -4 route flush table main
  46         ip -netns "${ns1}" -6 route flush table main
  47         ip -netns "${ns1}" -4 route add "${ns2_v4}" mtu 1458 dev veth1
  48         ip -netns "${ns1}" -6 route add "${ns2_v6}" mtu 1438 dev veth1
  49
  50         sleep 1
  51
  52         dd if=/dev/urandom of="${infile}" bs="${datalen}" count=1 status=none
  53 }
  54
  55 cleanup() {
  56         ip netns del "${ns2}"
  57         ip netns del "${ns1}"
  58
  59         if [[ -f "${outfile}" ]]; then
  60                 rm "${outfile}"
  61         fi
  62         if [[ -f "${infile}" ]]; then
  63                 rm "${infile}"
  64         fi
  65 }
  66
  67 server_listen() {
  68         ip netns exec "${ns2}" nc "${netcat_opt}" -l -p "${port}" > "${outfile}" &
  69         server_pid=$!
  70         sleep 0.2
  71 }
  72
  73 client_connect() {
  74         ip netns exec "${ns1}" timeout 2 nc "${netcat_opt}" -w 1 "${addr2}" "${port}" < "${infile}"
  75         echo $?
  76 }
  77
  78 verify_data() {
  79         wait "${server_pid}"
  80         # sha1sum returns two fields [sha1] [filepath]
  81         # convert to bash array and access first elem
  82         insum=($(sha1sum ${infile}))
  83         outsum=($(sha1sum ${outfile}))
  84         if [[ "${insum[0]}" != "${outsum[0]}" ]]; then
  85                 echo "data mismatch"
  86                 exit 1
  87         fi
  88 }
  89
  90 set -e
  91
  92 # no arguments: automated test, run all
  93 if [[ "$#" -eq "0" ]]; then
  94         echo "ipip"
  95         $0 ipv4 ipip none 100
  96
  97         echo "ip6ip6"
  98         $0 ipv6 ip6tnl none 100
  99
 100         echo "sit"
 101         $0 ipv6 sit none 100
 102
 103         for mac in none mpls eth ; do
 104                 echo "ip gre $mac"
 105                 $0 ipv4 gre $mac 100
 106
 107                 echo "ip6 gre $mac"
 108                 $0 ipv6 ip6gre $mac 100
 109
 110                 echo "ip gre $mac gso"
 111                 $0 ipv4 gre $mac 2000
 112
 113                 echo "ip6 gre $mac gso"
 114                 $0 ipv6 ip6gre $mac 2000
 115
 116                 echo "ip udp $mac"
 117                 $0 ipv4 udp $mac 100
 118
 119                 echo "ip6 udp $mac"
 120                 $0 ipv6 ip6udp $mac 100
 121
 122                 echo "ip udp $mac gso"
 123                 $0 ipv4 udp $mac 2000
 124
 125                 echo "ip6 udp $mac gso"
 126                 $0 ipv6 ip6udp $mac 2000
 127         done
 128
 129         echo "OK. All tests passed"
 130         exit 0
 131 fi
 132
 133 if [[ "$#" -ne "4" ]]; then
 134         echo "Usage: $0"
 135         echo "   or: $0 <ipv4|ipv6> <tuntype> <none|mpls|eth> <data_len>"
 136         exit 1
 137 fi
 138
 139 case "$1" in
 140 "ipv4")
 141         readonly addr1="${ns1_v4}"
 142         readonly addr2="${ns2_v4}"
 143         readonly ipproto=4
 144         readonly netcat_opt=-${ipproto}
 145         readonly foumod=fou
 146         readonly foutype=ipip
 147         readonly fouproto=4
 148         readonly fouproto_mpls=${mplsproto}
 149         readonly gretaptype=gretap
 150         ;;
 151 "ipv6")
 152         readonly addr1="${ns1_v6}"
 153         readonly addr2="${ns2_v6}"
 154         readonly ipproto=6
 155         readonly netcat_opt=-${ipproto}
 156         readonly foumod=fou6
 157         readonly foutype=ip6tnl
 158         readonly fouproto="41 -6"
 159         readonly fouproto_mpls="${mplsproto} -6"
 160         readonly gretaptype=ip6gretap
 161         ;;
 162 *)
 163         echo "unknown arg: $1"
 164         exit 1
 165         ;;
 166 esac
 167
 168 readonly tuntype=$2
 169 readonly mac=$3
 170 readonly datalen=$4
 171
 172 echo "encap ${addr1} to ${addr2}, type ${tuntype}, mac ${mac} len ${datalen}"
 173
 174 trap cleanup EXIT
 175
 176 setup
 177
 178 # basic communication works
 179 echo "test basic connectivity"
 180 server_listen
 181 client_connect
 182 verify_data
 183
 184 # clientside, insert bpf program to encap all TCP to port ${port}
 185 # client can no longer connect
 186 ip netns exec "${ns1}" tc qdisc add dev veth1 clsact
 187 ip netns exec "${ns1}" tc filter add dev veth1 egress \
 188         bpf direct-action object-file ./test_tc_tunnel.o \
 189         section "encap_${tuntype}_${mac}"
 190 echo "test bpf encap without decap (expect failure)"
 191 server_listen
 192 ! client_connect
 193
 194 if [[ "$tuntype" =~ "udp" ]]; then
 195         # Set up fou tunnel.
 196         ttype="${foutype}"
 197         targs="encap fou encap-sport auto encap-dport $udpport"
 198         # fou may be a module; allow this to fail.
 199         modprobe "${foumod}" ||true
 200         if [[ "$mac" == "mpls" ]]; then
 201                 dport=${mplsudpport}
 202                 dproto=${fouproto_mpls}
 203                 tmode="mode any ttl 255"
 204         else
 205                 dport=${udpport}
 206                 dproto=${fouproto}
 207         fi
 208         ip netns exec "${ns2}" ip fou add port $dport ipproto ${dproto}
 209         targs="encap fou encap-sport auto encap-dport $dport"
 210 elif [[ "$tuntype" =~ "gre" && "$mac" == "eth" ]]; then
 211         ttype=$gretaptype
 212 else
 213         ttype=$tuntype
 214         targs=""
 215 fi
 216
 217 # tunnel address family differs from inner for SIT
 218 if [[ "${tuntype}" == "sit" ]]; then
 219         link_addr1="${ns1_v4}"
 220         link_addr2="${ns2_v4}"
 221 else
 222         link_addr1="${addr1}"
 223         link_addr2="${addr2}"
 224 fi
 225
 226 # serverside, insert decap module
 227 # server is still running
 228 # client can connect again
 229 ip netns exec "${ns2}" ip link add name testtun0 type "${ttype}" \
 230         ${tmode} remote "${link_addr1}" local "${link_addr2}" $targs
 231
 232 expect_tun_fail=0
 233
 234 if [[ "$tuntype" == "ip6udp" && "$mac" == "mpls" ]]; then
 235         # No support for MPLS IPv6 fou tunnel; expect failure.
 236         expect_tun_fail=1
 237 elif [[ "$tuntype" =~ "udp" && "$mac" == "eth" ]]; then
 238         # No support for TEB fou tunnel; expect failure.
 239         expect_tun_fail=1
 240 elif [[ "$tuntype" =~ "gre" && "$mac" == "eth" ]]; then
 241         # Share ethernet address between tunnel/veth2 so L2 decap works.
 242         ethaddr=$(ip netns exec "${ns2}" ip link show veth2 | \
 243                   awk '/ether/ { print $2 }')
 244         ip netns exec "${ns2}" ip link set testtun0 address $ethaddr
 245 elif [[ "$mac" == "mpls" ]]; then
 246         modprobe mpls_iptunnel ||true
 247         modprobe mpls_gso ||true
 248         ip netns exec "${ns2}" sysctl -qw net.mpls.platform_labels=65536
 249         ip netns exec "${ns2}" ip -f mpls route add 1000 dev lo
 250         ip netns exec "${ns2}" ip link set lo up
 251         ip netns exec "${ns2}" sysctl -qw net.mpls.conf.testtun0.input=1
 252         ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.lo.rp_filter=0
 253 fi
 254
 255 # Because packets are decapped by the tunnel they arrive on testtun0 from
 256 # the IP stack perspective.  Ensure reverse path filtering is disabled
 257 # otherwise we drop the TCP SYN as arriving on testtun0 instead of the
 258 # expected veth2 (veth2 is where 192.168.1.2 is configured).
 259 ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.all.rp_filter=0
 260 # rp needs to be disabled for both all and testtun0 as the rp value is
 261 # selected as the max of the "all" and device-specific values.
 262 ip netns exec "${ns2}" sysctl -qw net.ipv4.conf.testtun0.rp_filter=0
 263 ip netns exec "${ns2}" ip link set dev testtun0 up
 264 if [[ "$expect_tun_fail" == 1 ]]; then
 265         # This tunnel mode is not supported, so we expect failure.
 266         echo "test bpf encap with tunnel device decap (expect failure)"
 267         ! client_connect
 268 else
 269         echo "test bpf encap with tunnel device decap"
 270         client_connect
 271         verify_data
 272         server_listen
 273 fi
 274
 275 # bpf_skb_net_shrink does not take tunnel flags yet, cannot update L3.
 276 if [[ "${tuntype}" == "sit" ]]; then
 277         echo OK
 278         exit 0
 279 fi
 280
 281 # serverside, use BPF for decap
 282 ip netns exec "${ns2}" ip link del dev testtun0
 283 ip netns exec "${ns2}" tc qdisc add dev veth2 clsact
 284 ip netns exec "${ns2}" tc filter add dev veth2 ingress \
 285         bpf direct-action object-file ./test_tc_tunnel.o section decap
 286 echo "test bpf encap with bpf decap"
 287 client_connect
 288 verify_data
 289
 290 echo OK