cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

test_flow_dissector.sh (5213B)


#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Load BPF flow dissector and verify it correctly dissects traffic
#
# The script insists on root and then starts helpers through relative paths
# (./flow_dissector_load, ./test_flow_dissector, ../net/in_netns.sh), so the
# working directory decides which files are executed with root privileges.
# Run it only from a selftest directory whose contents you trust.
export TESTNAME=test_flow_dissector

# Becomes 1 when this script mounts bpffs itself, so that the cleanup code
# only unmounts what the script mounted.
unmount=0

# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4

# Without root the test is reported as skipped rather than failed.
msg="skip all tests:"
if [[ "$UID" -ne 0 ]]; then
	echo "$msg please run this as root" >&2
	exit "$ksft_skip"
fi
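# This test needs to be run in a network namespace with in_netns.sh. Check if
# this is the case and run it with in_netns.sh if it is being run in the root
# namespace.
if [[ -z $(ip netns identify $$) ]]; then
	err=0
	# command -v is a shell builtin, so the lookup does not depend on an
	# external "which" binary being installed.
	if bpftool="$(command -v bpftool)"; then
		echo "Testing global flow dissector..."

		# The load result is not checked directly (errexit is not enabled
		# at this point); a failed load surfaces through the attach checks
		# that follow.
		"$bpftool" prog loadall ./bpf_flow.o /sys/fs/bpf/flow \
			type flow_dissector

		# With nothing attached in the current namespace, an attach from a
		# fresh namespace is expected to succeed.
		if ! unshare --net "$bpftool" prog attach pinned \
			/sys/fs/bpf/flow/_dissect flow_dissector; then
			echo "Unexpected unsuccessful attach in namespace" >&2
			err=1
		fi

		# This attach is made without unshare, i.e. in the namespace the
		# script was started in. It stays in effect there until the detach
		# below succeeds.
		"$bpftool" prog attach pinned /sys/fs/bpf/flow/_dissect \
			flow_dissector

		# While the attach above is in place, an attach from another
		# namespace must be refused.
		if unshare --net "$bpftool" prog attach pinned \
			/sys/fs/bpf/flow/_dissect flow_dissector; then
			echo "Unexpected successful attach in namespace" >&2
			err=1
		fi

		if ! "$bpftool" prog detach pinned \
			/sys/fs/bpf/flow/_dissect flow_dissector; then
			echo "Failed to detach flow dissector" >&2
			err=1
		fi

		# NOTE(review): this removes the pinned objects only. If the detach
		# above failed, the dissector may still be attached to the starting
		# namespace; check the host after a failed run.
		rm -rf /sys/fs/bpf/flow
	else
		echo "Skipping root flow dissector test, bpftool not found" >&2
	fi

	# Run the rest of the tests in a net namespace.
	../net/in_netns.sh "$0" "$@"
	err=$(( err + $? ))

	# exit keeps only the low 8 bits of its argument, so a sum such as 256
	# would be reported to the caller as success. Clamp it to stay non-zero.
	if (( err > 255 )); then
		err=255
	fi

	if (( err == 0 )); then
		echo "selftests: $TESTNAME [PASS]"
	else
		echo "selftests: $TESTNAME [FAILED]"
	fi

	exit "$err"
fi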
# Cleanup hook run from the trap. The selftest result itself is still
# determined via the shell exit code.
exit_handler()
{
	# Cleanup is best effort: a step with nothing to undo must not abort
	# the remaining steps, so errexit is switched off first.
	set +e

	# Undo the tc setup and unload the dissector, discarding error output.
	{
		tc filter del dev lo ingress pref 1337
		tc qdisc del dev lo ingress
		./flow_dissector_load -d
	} 2> /dev/null

	# Unmount bpffs only when this script was the one that mounted it.
	if (( unmount != 0 )); then
		umount bpffs 2> /dev/null
	fi
}
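# Exit script immediately (well caught by trap handler) if any
# program/thing exits with a non-zero status.
set -e

# Run the cleanup on every exit path.
trap exit_handler EXIT

# A signal handler that simply returns lets the script carry on with the next
# command, and exit_handler switches errexit off, so an interrupted run could
# still reach the final "exit 0" and be reported as a pass. Turn the signals
# into a failing exit instead; the EXIT trap above then performs the cleanup.
# SIGKILL cannot be trapped, so it is deliberately not listed.
trap 'exit 1' INT QUIT ABRT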
# Mount the BPF file system unless the mount table already lists it, and
# remember whether this script did the mounting.
if ! /bin/mount | grep /sys/fs/bpf > /dev/null; then
	echo "bpffs not mounted. Mounting..."
	unmount=1
	/bin/mount bpffs /sys/fs/bpf -t bpf
else
	echo "bpffs already mounted"
fi

# Attach BPF program
./flow_dissector_load -p bpf_flow.o -s _dissect

# Setup
tc qdisc add dev lo ingress
# Reverse-path filtering is switched off for the test traffic. This part of
# the script is meant to run inside the network namespace entered through
# in_netns.sh, so the writes are expected to affect that namespace only;
# running it elsewhere would relax the setting on the host.
for scope in default all lo; do
	echo 0 > "/proc/sys/net/ipv4/conf/${scope}/rp_filter"
done

# install_drop_filter PROTOCOL PORTS
# Drops all UDP packets of PROTOCOL (ip or ipv6) whose source port matches
# PORTS, which is a single port or a range such as 8-10.
install_drop_filter()
{
	tc filter add dev lo parent ffff: protocol "$1" pref 1337 flower ip_proto \
		udp src_port "$2" action drop
}

# remove_drop_filter
# Deletes the filter added by install_drop_filter.
remove_drop_filter()
{
	tc filter del dev lo ingress pref 1337
}

# send_plain IPVERSION PORT [-F]
# Sends 10 UDP packets from source port PORT; -F states that the filter
# should drop all of them.
send_plain()
{
	local ipver=$1 port=$2
	shift 2
	./test_flow_dissector -i "$ipver" -f "$port" "$@"
}

# send_tunneled ENCAP PORT [-F]
# Same as send_plain for IPv4 packets wrapped in an IPv4 tunnel of type
# ENCAP (bare or gre).
send_tunneled()
{
	local encap=$1 port=$2
	shift 2
	./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e "$encap" -i 4 \
		-D 192.168.0.1 -S 1.1.1.1 -f "$port" "$@"
}

echo "Testing IPv4..."
# Only source port 9 is dropped; ports 8 and 10 should pass.
install_drop_filter ip 9
send_plain 4 8
send_plain 4 9 -F
send_plain 4 10

echo "Testing IPIP..."
# IPv4/IPv4/UDP with the same filter: 8 passes, 9 is dropped, 10 passes.
send_tunneled bare 8
send_tunneled bare 9 -F
send_tunneled bare 10

echo "Testing IPv4 + GRE..."
# IPv4/GRE/IPv4/UDP with the same filter: 8 passes, 9 is dropped, 10 passes.
send_tunneled gre 8
send_tunneled gre 9 -F
send_tunneled gre 10

remove_drop_filter

echo "Testing port range..."
# Source ports 8-10 are dropped; 7 and 11 lie just outside the range.
install_drop_filter ip 8-10
send_plain 4 7
send_plain 4 9 -F
send_plain 4 11

remove_drop_filter

echo "Testing IPv6..."
# Only source port 9 is dropped for IPv6/UDP; ports 8 and 10 should pass.
install_drop_filter ipv6 9
send_plain 6 8
send_plain 6 9 -F
send_plain 6 10

# The last filter is left for the exit trap to remove.
exit 0