1 // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
2 // Copyright (c) 2020 Cloudflare
3
4 #define _GNU_SOURCE
5
6 #include <arpa/inet.h>
7 #include <string.h>
8
9 #include <linux/pkt_cls.h>
10 #include <netinet/tcp.h>
11
12 #include <test_progs.h>
13
14 #include "progs/test_cls_redirect.h"
15 #include "test_cls_redirect.skel.h"
16 #include "test_cls_redirect_subprogs.skel.h"
17
18 #define ENCAP_IP INADDR_LOOPBACK
19 #define ENCAP_PORT (1234)
20
21 static int duration = 0;
22
23 struct addr_port {
24 in_port_t port;
25 union {
26 struct in_addr in_addr;
27 struct in6_addr in6_addr;
28 };
29 };
30
31 struct tuple {
32 int family;
33 struct addr_port src;
34 struct addr_port dst;
35 };
36
start_server(const struct sockaddr * addr,socklen_t len,int type)37 static int start_server(const struct sockaddr *addr, socklen_t len, int type)
38 {
39 int fd = socket(addr->sa_family, type, 0);
40 if (CHECK_FAIL(fd == -1))
41 return -1;
42 if (CHECK_FAIL(bind(fd, addr, len) == -1))
43 goto err;
44 if (type == SOCK_STREAM && CHECK_FAIL(listen(fd, 128) == -1))
45 goto err;
46
47 return fd;
48
49 err:
50 close(fd);
51 return -1;
52 }
53
connect_to_server(const struct sockaddr * addr,socklen_t len,int type)54 static int connect_to_server(const struct sockaddr *addr, socklen_t len,
55 int type)
56 {
57 int fd = socket(addr->sa_family, type, 0);
58 if (CHECK_FAIL(fd == -1))
59 return -1;
60 if (CHECK_FAIL(connect(fd, addr, len)))
61 goto err;
62
63 return fd;
64
65 err:
66 close(fd);
67 return -1;
68 }
69
fill_addr_port(const struct sockaddr * sa,struct addr_port * ap)70 static bool fill_addr_port(const struct sockaddr *sa, struct addr_port *ap)
71 {
72 const struct sockaddr_in6 *in6;
73 const struct sockaddr_in *in;
74
75 switch (sa->sa_family) {
76 case AF_INET:
77 in = (const struct sockaddr_in *)sa;
78 ap->in_addr = in->sin_addr;
79 ap->port = in->sin_port;
80 return true;
81
82 case AF_INET6:
83 in6 = (const struct sockaddr_in6 *)sa;
84 ap->in6_addr = in6->sin6_addr;
85 ap->port = in6->sin6_port;
86 return true;
87
88 default:
89 return false;
90 }
91 }
92
set_up_conn(const struct sockaddr * addr,socklen_t len,int type,int * server,int * conn,struct tuple * tuple)93 static bool set_up_conn(const struct sockaddr *addr, socklen_t len, int type,
94 int *server, int *conn, struct tuple *tuple)
95 {
96 struct sockaddr_storage ss;
97 socklen_t slen = sizeof(ss);
98 struct sockaddr *sa = (struct sockaddr *)&ss;
99
100 *server = start_server(addr, len, type);
101 if (*server < 0)
102 return false;
103
104 if (CHECK_FAIL(getsockname(*server, sa, &slen)))
105 goto close_server;
106
107 *conn = connect_to_server(sa, slen, type);
108 if (*conn < 0)
109 goto close_server;
110
111 /* We want to simulate packets arriving at conn, so we have to
112 * swap src and dst.
113 */
114 slen = sizeof(ss);
115 if (CHECK_FAIL(getsockname(*conn, sa, &slen)))
116 goto close_conn;
117
118 if (CHECK_FAIL(!fill_addr_port(sa, &tuple->dst)))
119 goto close_conn;
120
121 slen = sizeof(ss);
122 if (CHECK_FAIL(getpeername(*conn, sa, &slen)))
123 goto close_conn;
124
125 if (CHECK_FAIL(!fill_addr_port(sa, &tuple->src)))
126 goto close_conn;
127
128 tuple->family = ss.ss_family;
129 return true;
130
131 close_conn:
132 close(*conn);
133 *conn = -1;
134 close_server:
135 close(*server);
136 *server = -1;
137 return false;
138 }
139
prepare_addr(struct sockaddr_storage * addr,int family)140 static socklen_t prepare_addr(struct sockaddr_storage *addr, int family)
141 {
142 struct sockaddr_in *addr4;
143 struct sockaddr_in6 *addr6;
144
145 switch (family) {
146 case AF_INET:
147 addr4 = (struct sockaddr_in *)addr;
148 memset(addr4, 0, sizeof(*addr4));
149 addr4->sin_family = family;
150 addr4->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
151 return sizeof(*addr4);
152 case AF_INET6:
153 addr6 = (struct sockaddr_in6 *)addr;
154 memset(addr6, 0, sizeof(*addr6));
155 addr6->sin6_family = family;
156 addr6->sin6_addr = in6addr_loopback;
157 return sizeof(*addr6);
158 default:
159 fprintf(stderr, "Invalid family %d", family);
160 return 0;
161 }
162 }
163
was_decapsulated(struct bpf_prog_test_run_attr * tattr)164 static bool was_decapsulated(struct bpf_prog_test_run_attr *tattr)
165 {
166 return tattr->data_size_out < tattr->data_size_in;
167 }
168
169 enum type {
170 UDP,
171 TCP,
172 __NR_KIND,
173 };
174
175 enum hops {
176 NO_HOPS,
177 ONE_HOP,
178 };
179
180 enum flags {
181 NONE,
182 SYN,
183 ACK,
184 };
185
186 enum conn {
187 KNOWN_CONN,
188 UNKNOWN_CONN,
189 };
190
191 enum result {
192 ACCEPT,
193 FORWARD,
194 };
195
196 struct test_cfg {
197 enum type type;
198 enum result result;
199 enum conn conn;
200 enum hops hops;
201 enum flags flags;
202 };
203
test_str(void * buf,size_t len,const struct test_cfg * test,int family)204 static int test_str(void *buf, size_t len, const struct test_cfg *test,
205 int family)
206 {
207 const char *family_str, *type, *conn, *hops, *result, *flags;
208
209 family_str = "IPv4";
210 if (family == AF_INET6)
211 family_str = "IPv6";
212
213 type = "TCP";
214 if (test->type == UDP)
215 type = "UDP";
216
217 conn = "known";
218 if (test->conn == UNKNOWN_CONN)
219 conn = "unknown";
220
221 hops = "no hops";
222 if (test->hops == ONE_HOP)
223 hops = "one hop";
224
225 result = "accept";
226 if (test->result == FORWARD)
227 result = "forward";
228
229 flags = "none";
230 if (test->flags == SYN)
231 flags = "SYN";
232 else if (test->flags == ACK)
233 flags = "ACK";
234
235 return snprintf(buf, len, "%s %s %s %s (%s, flags: %s)", family_str,
236 type, result, conn, hops, flags);
237 }
238
239 static struct test_cfg tests[] = {
240 { TCP, ACCEPT, UNKNOWN_CONN, NO_HOPS, SYN },
241 { TCP, ACCEPT, UNKNOWN_CONN, NO_HOPS, ACK },
242 { TCP, FORWARD, UNKNOWN_CONN, ONE_HOP, ACK },
243 { TCP, ACCEPT, KNOWN_CONN, ONE_HOP, ACK },
244 { UDP, ACCEPT, UNKNOWN_CONN, NO_HOPS, NONE },
245 { UDP, FORWARD, UNKNOWN_CONN, ONE_HOP, NONE },
246 { UDP, ACCEPT, KNOWN_CONN, ONE_HOP, NONE },
247 };
248
encap_init(encap_headers_t * encap,uint8_t hop_count,uint8_t proto)249 static void encap_init(encap_headers_t *encap, uint8_t hop_count, uint8_t proto)
250 {
251 const uint8_t hlen =
252 (sizeof(struct guehdr) / sizeof(uint32_t)) + hop_count;
253 *encap = (encap_headers_t){
254 .eth = { .h_proto = htons(ETH_P_IP) },
255 .ip = {
256 .ihl = 5,
257 .version = 4,
258 .ttl = IPDEFTTL,
259 .protocol = IPPROTO_UDP,
260 .daddr = htonl(ENCAP_IP)
261 },
262 .udp = {
263 .dest = htons(ENCAP_PORT),
264 },
265 .gue = {
266 .hlen = hlen,
267 .proto_ctype = proto
268 },
269 .unigue = {
270 .hop_count = hop_count
271 },
272 };
273 }
274
build_input(const struct test_cfg * test,void * const buf,const struct tuple * tuple)275 static size_t build_input(const struct test_cfg *test, void *const buf,
276 const struct tuple *tuple)
277 {
278 in_port_t sport = tuple->src.port;
279 encap_headers_t encap;
280 struct iphdr ip;
281 struct ipv6hdr ipv6;
282 struct tcphdr tcp;
283 struct udphdr udp;
284 struct in_addr next_hop;
285 uint8_t *p = buf;
286 int proto;
287
288 proto = IPPROTO_IPIP;
289 if (tuple->family == AF_INET6)
290 proto = IPPROTO_IPV6;
291
292 encap_init(&encap, test->hops == ONE_HOP ? 1 : 0, proto);
293 p = mempcpy(p, &encap, sizeof(encap));
294
295 if (test->hops == ONE_HOP) {
296 next_hop = (struct in_addr){ .s_addr = htonl(0x7f000002) };
297 p = mempcpy(p, &next_hop, sizeof(next_hop));
298 }
299
300 proto = IPPROTO_TCP;
301 if (test->type == UDP)
302 proto = IPPROTO_UDP;
303
304 switch (tuple->family) {
305 case AF_INET:
306 ip = (struct iphdr){
307 .ihl = 5,
308 .version = 4,
309 .ttl = IPDEFTTL,
310 .protocol = proto,
311 .saddr = tuple->src.in_addr.s_addr,
312 .daddr = tuple->dst.in_addr.s_addr,
313 };
314 p = mempcpy(p, &ip, sizeof(ip));
315 break;
316 case AF_INET6:
317 ipv6 = (struct ipv6hdr){
318 .version = 6,
319 .hop_limit = IPDEFTTL,
320 .nexthdr = proto,
321 .saddr = tuple->src.in6_addr,
322 .daddr = tuple->dst.in6_addr,
323 };
324 p = mempcpy(p, &ipv6, sizeof(ipv6));
325 break;
326 default:
327 return 0;
328 }
329
330 if (test->conn == UNKNOWN_CONN)
331 sport--;
332
333 switch (test->type) {
334 case TCP:
335 tcp = (struct tcphdr){
336 .source = sport,
337 .dest = tuple->dst.port,
338 };
339 if (test->flags == SYN)
340 tcp.syn = true;
341 if (test->flags == ACK)
342 tcp.ack = true;
343 p = mempcpy(p, &tcp, sizeof(tcp));
344 break;
345 case UDP:
346 udp = (struct udphdr){
347 .source = sport,
348 .dest = tuple->dst.port,
349 };
350 p = mempcpy(p, &udp, sizeof(udp));
351 break;
352 default:
353 return 0;
354 }
355
356 return (void *)p - buf;
357 }
358
close_fds(int * fds,int n)359 static void close_fds(int *fds, int n)
360 {
361 int i;
362
363 for (i = 0; i < n; i++)
364 if (fds[i] > 0)
365 close(fds[i]);
366 }
367
test_cls_redirect_common(struct bpf_program * prog)368 static void test_cls_redirect_common(struct bpf_program *prog)
369 {
370 struct bpf_prog_test_run_attr tattr = {};
371 int families[] = { AF_INET, AF_INET6 };
372 struct sockaddr_storage ss;
373 struct sockaddr *addr;
374 socklen_t slen;
375 int i, j, err;
376 int servers[__NR_KIND][ARRAY_SIZE(families)] = {};
377 int conns[__NR_KIND][ARRAY_SIZE(families)] = {};
378 struct tuple tuples[__NR_KIND][ARRAY_SIZE(families)];
379
380 addr = (struct sockaddr *)&ss;
381 for (i = 0; i < ARRAY_SIZE(families); i++) {
382 slen = prepare_addr(&ss, families[i]);
383 if (CHECK_FAIL(!slen))
384 goto cleanup;
385
386 if (CHECK_FAIL(!set_up_conn(addr, slen, SOCK_DGRAM,
387 &servers[UDP][i], &conns[UDP][i],
388 &tuples[UDP][i])))
389 goto cleanup;
390
391 if (CHECK_FAIL(!set_up_conn(addr, slen, SOCK_STREAM,
392 &servers[TCP][i], &conns[TCP][i],
393 &tuples[TCP][i])))
394 goto cleanup;
395 }
396
397 tattr.prog_fd = bpf_program__fd(prog);
398 for (i = 0; i < ARRAY_SIZE(tests); i++) {
399 struct test_cfg *test = &tests[i];
400
401 for (j = 0; j < ARRAY_SIZE(families); j++) {
402 struct tuple *tuple = &tuples[test->type][j];
403 char input[256];
404 char tmp[256];
405
406 test_str(tmp, sizeof(tmp), test, tuple->family);
407 if (!test__start_subtest(tmp))
408 continue;
409
410 tattr.data_out = tmp;
411 tattr.data_size_out = sizeof(tmp);
412
413 tattr.data_in = input;
414 tattr.data_size_in = build_input(test, input, tuple);
415 if (CHECK_FAIL(!tattr.data_size_in))
416 continue;
417
418 err = bpf_prog_test_run_xattr(&tattr);
419 if (CHECK_FAIL(err))
420 continue;
421
422 if (tattr.retval != TC_ACT_REDIRECT) {
423 PRINT_FAIL("expected TC_ACT_REDIRECT, got %d\n",
424 tattr.retval);
425 continue;
426 }
427
428 switch (test->result) {
429 case ACCEPT:
430 if (CHECK_FAIL(!was_decapsulated(&tattr)))
431 continue;
432 break;
433 case FORWARD:
434 if (CHECK_FAIL(was_decapsulated(&tattr)))
435 continue;
436 break;
437 default:
438 PRINT_FAIL("unknown result %d\n", test->result);
439 continue;
440 }
441 }
442 }
443
444 cleanup:
445 close_fds((int *)servers, sizeof(servers) / sizeof(servers[0][0]));
446 close_fds((int *)conns, sizeof(conns) / sizeof(conns[0][0]));
447 }
448
test_cls_redirect_inlined(void)449 static void test_cls_redirect_inlined(void)
450 {
451 struct test_cls_redirect *skel;
452 int err;
453
454 skel = test_cls_redirect__open();
455 if (CHECK(!skel, "skel_open", "failed\n"))
456 return;
457
458 skel->rodata->ENCAPSULATION_IP = htonl(ENCAP_IP);
459 skel->rodata->ENCAPSULATION_PORT = htons(ENCAP_PORT);
460
461 err = test_cls_redirect__load(skel);
462 if (CHECK(err, "skel_load", "failed: %d\n", err))
463 goto cleanup;
464
465 test_cls_redirect_common(skel->progs.cls_redirect);
466
467 cleanup:
468 test_cls_redirect__destroy(skel);
469 }
470
test_cls_redirect_subprogs(void)471 static void test_cls_redirect_subprogs(void)
472 {
473 struct test_cls_redirect_subprogs *skel;
474 int err;
475
476 skel = test_cls_redirect_subprogs__open();
477 if (CHECK(!skel, "skel_open", "failed\n"))
478 return;
479
480 skel->rodata->ENCAPSULATION_IP = htonl(ENCAP_IP);
481 skel->rodata->ENCAPSULATION_PORT = htons(ENCAP_PORT);
482
483 err = test_cls_redirect_subprogs__load(skel);
484 if (CHECK(err, "skel_load", "failed: %d\n", err))
485 goto cleanup;
486
487 test_cls_redirect_common(skel->progs.cls_redirect);
488
489 cleanup:
490 test_cls_redirect_subprogs__destroy(skel);
491 }
492
test_cls_redirect(void)493 void test_cls_redirect(void)
494 {
495 if (test__start_subtest("cls_redirect_inlined"))
496 test_cls_redirect_inlined();
497 if (test__start_subtest("cls_redirect_subprogs"))
498 test_cls_redirect_subprogs();
499 }
500