
Commit 3f13de6d authored by Daniel Borkmann's avatar Daniel Borkmann

Merge branch 'bpf-tunnel-metadata-selftests'



William Tu says:

====================
The patch series provides an end-to-end eBPF tunnel test suite.  A common topology
is created below for all types of tunnels:

Topology:
---------
     root namespace   |     at_ns0 namespace
                      |
      -----------     |     -----------
      | tnl dev |     |     | tnl dev |  (overlay network)
      -----------     |     -----------
      metadata-mode   |     native-mode
       with bpf       |
                      |
      ----------      |     ----------
      |  veth1  | --------- |  veth0  |  (underlay network)
      ----------    peer    ----------

Device Configuration
--------------------
 Root namespace with metadata-mode tunnel + BPF
 Device names and addresses:
       veth1 IP: 172.16.1.200, IPv6: 00::22 (underlay)
       tunnel dev <type>11, ex: gre11, IPv4: 10.1.1.200 (overlay)

 Namespace at_ns0 with native tunnel
 Device names and addresses:
       veth0 IPv4: 172.16.1.100, IPv6: 00::11 (underlay)
       tunnel dev <type>00, ex: gre00, IPv4: 10.1.1.100 (overlay)

End-to-end ping packet flow
---------------------------
 Most of the tests start by namespace creation, device configuration,
 then ping the underlay and overlay network.  When doing 'ping 10.1.1.100'
 from root namespace, the following operations happen:
 1) Route lookup shows 10.1.1.100/24 belongs to tnl dev, fwd to tnl dev.
 2) Tnl device's egress BPF program is triggered and set the tunnel metadata,
    with remote_ip=172.16.1.200 and others.
 3) Outer tunnel header is prepended and route the packet to veth1's egress
 4) veth0's ingress queue receive the tunneled packet at namespace at_ns0
 5) Tunnel protocol handler, ex: vxlan_rcv, decap the packet
 6) Forward the packet to the overlay tnl dev

Test Cases
-----------------------------
 Tunnel Type |  BPF Programs
-----------------------------
 GRE:          gre_set_tunnel, gre_get_tunnel
 IP6GRE:       ip6gretap_set_tunnel, ip6gretap_get_tunnel
 ERSPAN:       erspan_set_tunnel, erspan_get_tunnel
 IP6ERSPAN:    ip4ip6erspan_set_tunnel, ip4ip6erspan_get_tunnel
 VXLAN:        vxlan_set_tunnel, vxlan_get_tunnel
 IP6VXLAN:     ip6vxlan_set_tunnel, ip6vxlan_get_tunnel
 GENEVE:       geneve_set_tunnel, geneve_get_tunnel
 IP6GENEVE:    ip6geneve_set_tunnel, ip6geneve_get_tunnel
 IPIP:         ipip_set_tunnel, ipip_get_tunnel
 IP6IP:        ipip6_set_tunnel, ipip6_get_tunnel,
               ip6ip6_set_tunnel, ip6ip6_get_tunnel
 XFRM:         xfrm_get_state
====================

Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
parents f7613120 b05cd740
+0 −1
@@ -114,7 +114,6 @@ always += sock_flags_kern.o
always += test_probe_write_user_kern.o
always += trace_output_kern.o
always += tcbpf1_kern.o
always += tcbpf2_kern.o
always += tc_l2_redirect_kern.o
always += lathist_kern.o
always += offwaketime_kern.o
+3 −2
@@ -32,7 +32,7 @@ TEST_GEN_FILES = test_pkt_access.o test_xdp.o test_l4lb.o test_tcp_estats.o test
	test_l4lb_noinline.o test_xdp_noinline.o test_stacktrace_map.o \
	sample_map_ret0.o test_tcpbpf_kern.o test_stacktrace_build_id.o \
	sockmap_tcp_msg_prog.o connect4_prog.o connect6_prog.o test_adjust_tail.o \
	test_btf_haskv.o test_btf_nokv.o test_sockmap_kern.o
	test_btf_haskv.o test_btf_nokv.o test_sockmap_kern.o test_tunnel_kern.o

# Order correspond to 'make run_tests' order
TEST_PROGS := test_kmod.sh \
@@ -40,7 +40,8 @@ TEST_PROGS := test_kmod.sh \
	test_xdp_redirect.sh \
	test_xdp_meta.sh \
	test_offload.py \
	test_sock_addr.sh
	test_sock_addr.sh \
	test_tunnel.sh

# Compile but not part of 'make run_tests'
TEST_GEN_PROGS_EXTENDED = test_libbpf_open test_sock_addr
+729 −0
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# In Namespace 0 (at_ns0) using native tunnel
# Overlay IP: 10.1.1.100
# local 192.16.1.100 remote 192.16.1.200
# veth0 IP: 172.16.1.100, tunnel dev <type>00

# Out of Namespace using BPF set/get on lwtunnel
# Overlay IP: 10.1.1.200
# local 172.16.1.200 remote 172.16.1.100
# veth1 IP: 172.16.1.200, tunnel dev <type>11

function config_device {
# End-to-end eBPF tunnel test suite
#   The script tests BPF network tunnel implementation.
#
# Topology:
# ---------
#     root namespace   |     at_ns0 namespace
#                      |
#      -----------     |     -----------
#      | tnl dev |     |     | tnl dev |  (overlay network)
#      -----------     |     -----------
#      metadata-mode   |     native-mode
#       with bpf       |
#                      |
#      ----------      |     ----------
#      |  veth1  | --------- |  veth0  |  (underlay network)
#      ----------    peer    ----------
#
#
# Device Configuration
# --------------------
# Root namespace with metadata-mode tunnel + BPF
# Device names and addresses:
# 	veth1 IP: 172.16.1.200, IPv6: 00::22 (underlay)
# 	tunnel dev <type>11, ex: gre11, IPv4: 10.1.1.200 (overlay)
#
# Namespace at_ns0 with native tunnel
# Device names and addresses:
# 	veth0 IPv4: 172.16.1.100, IPv6: 00::11 (underlay)
# 	tunnel dev <type>00, ex: gre00, IPv4: 10.1.1.100 (overlay)
#
#
# End-to-end ping packet flow
# ---------------------------
# Most of the tests start by namespace creation, device configuration,
# then ping the underlay and overlay network.  When doing 'ping 10.1.1.100'
# from root namespace, the following operations happen:
# 1) Route lookup shows 10.1.1.100/24 belongs to tnl dev, fwd to tnl dev.
# 2) Tnl device's egress BPF program is triggered and set the tunnel metadata,
#    with remote_ip=172.16.1.200 and others.
# 3) Outer tunnel header is prepended and route the packet to veth1's egress
# 4) veth0's ingress queue receive the tunneled packet at namespace at_ns0
# 5) Tunnel protocol handler, ex: vxlan_rcv, decap the packet
# 6) Forward the packet to the overlay tnl dev

PING_ARG="-c 3 -w 10 -q"
ret=0
GREEN='\033[0;92m'
RED='\033[0;31m'
NC='\033[0m' # No Color

config_device()
{
	ip netns add at_ns0
	ip link add veth0 type veth peer name veth1
	ip link set veth0 netns at_ns0
@@ -20,21 +62,23 @@ function config_device {
	ip addr add dev veth1 172.16.1.200/24
}

function add_gre_tunnel {
	# in namespace
add_gre_tunnel()
{
	# at_ns0 namespace
	ip netns exec at_ns0 \
        ip link add dev $DEV_NS type $TYPE seq key 2 \
		local 172.16.1.100 remote 172.16.1.200
	ip netns exec at_ns0 ip link set dev $DEV_NS up
	ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24

	# out of namespace
	# root namespace
	ip link add dev $DEV type $TYPE key 2 external
	ip link set dev $DEV up
	ip addr add dev $DEV 10.1.1.200/24
}

function add_ip6gretap_tunnel {
add_ip6gretap_tunnel()
{

	# assign ipv6 address
	ip netns exec at_ns0 ip addr add ::11/96 dev veth0
@@ -42,7 +86,7 @@ function add_ip6gretap_tunnel {
	ip addr add dev veth1 ::22/96
	ip link set dev veth1 up

	# in namespace
	# at_ns0 namespace
	ip netns exec at_ns0 \
		ip link add dev $DEV_NS type $TYPE seq flowlabel 0xbcdef key 2 \
		local ::11 remote ::22
@@ -51,15 +95,16 @@ function add_ip6gretap_tunnel {
	ip netns exec at_ns0 ip addr add dev $DEV_NS fc80::100/96
	ip netns exec at_ns0 ip link set dev $DEV_NS up

	# out of namespace
	# root namespace
	ip link add dev $DEV type $TYPE external
	ip addr add dev $DEV 10.1.1.200/24
	ip addr add dev $DEV fc80::200/24
	ip link set dev $DEV up
}

function add_erspan_tunnel {
	# in namespace
add_erspan_tunnel()
{
	# at_ns0 namespace
	if [ "$1" == "v1" ]; then
		ip netns exec at_ns0 \
		ip link add dev $DEV_NS type $TYPE seq key 2 \
@@ -74,13 +119,14 @@ function add_erspan_tunnel {
	ip netns exec at_ns0 ip link set dev $DEV_NS up
	ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24

	# out of namespace
	# root namespace
	ip link add dev $DEV type $TYPE external
	ip link set dev $DEV up
	ip addr add dev $DEV 10.1.1.200/24
}

function add_ip6erspan_tunnel {
add_ip6erspan_tunnel()
{

	# assign ipv6 address
	ip netns exec at_ns0 ip addr add ::11/96 dev veth0
@@ -88,7 +134,7 @@ function add_ip6erspan_tunnel {
	ip addr add dev veth1 ::22/96
	ip link set dev veth1 up

	# in namespace
	# at_ns0 namespace
	if [ "$1" == "v1" ]; then
		ip netns exec at_ns0 \
		ip link add dev $DEV_NS type $TYPE seq key 2 \
@@ -103,270 +149,551 @@ function add_ip6erspan_tunnel {
	ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
	ip netns exec at_ns0 ip link set dev $DEV_NS up

	# out of namespace
	# root namespace
	ip link add dev $DEV type $TYPE external
	ip addr add dev $DEV 10.1.1.200/24
	ip link set dev $DEV up
}

function add_vxlan_tunnel {
add_vxlan_tunnel()
{
	# Set static ARP entry here because iptables set-mark works
	# on L3 packet, as a result not applying to ARP packets,
	# causing errors at get_tunnel_{key/opt}.

	# in namespace
	# at_ns0 namespace
	ip netns exec at_ns0 \
		ip link add dev $DEV_NS type $TYPE \
		id 2 dstport 4789 gbp remote 172.16.1.200
	ip netns exec at_ns0 \
		ip link add dev $DEV_NS type $TYPE id 2 dstport 4789 gbp remote 172.16.1.200
	ip netns exec at_ns0 ip link set dev $DEV_NS address 52:54:00:d9:01:00 up
		ip link set dev $DEV_NS address 52:54:00:d9:01:00 up
	ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
	ip netns exec at_ns0 arp -s 10.1.1.200 52:54:00:d9:02:00
	ip netns exec at_ns0 iptables -A OUTPUT -j MARK --set-mark 0x800FF

	# out of namespace
	# root namespace
	ip link add dev $DEV type $TYPE external gbp dstport 4789
	ip link set dev $DEV address 52:54:00:d9:02:00 up
	ip addr add dev $DEV 10.1.1.200/24
	arp -s 10.1.1.100 52:54:00:d9:01:00
}

function add_geneve_tunnel {
	# in namespace
add_ip6vxlan_tunnel()
{
	#ip netns exec at_ns0 ip -4 addr del 172.16.1.100 dev veth0
	ip netns exec at_ns0 ip -6 addr add ::11/96 dev veth0
	ip netns exec at_ns0 ip link set dev veth0 up
	#ip -4 addr del 172.16.1.200 dev veth1
	ip -6 addr add dev veth1 ::22/96
	ip link set dev veth1 up

	# at_ns0 namespace
	ip netns exec at_ns0 \
		ip link add dev $DEV_NS type $TYPE id 22 dstport 4789 \
		local ::11 remote ::22
	ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
	ip netns exec at_ns0 ip link set dev $DEV_NS up

	# root namespace
	ip link add dev $DEV type $TYPE external dstport 4789
	ip addr add dev $DEV 10.1.1.200/24
	ip link set dev $DEV up
}

add_geneve_tunnel()
{
	# at_ns0 namespace
	ip netns exec at_ns0 \
		ip link add dev $DEV_NS type $TYPE id 2 dstport 6081 remote 172.16.1.200
		ip link add dev $DEV_NS type $TYPE \
		id 2 dstport 6081 remote 172.16.1.200
	ip netns exec at_ns0 ip link set dev $DEV_NS up
	ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24

	# out of namespace
	# root namespace
	ip link add dev $DEV type $TYPE dstport 6081 external
	ip link set dev $DEV up
	ip addr add dev $DEV 10.1.1.200/24
}

function add_ipip_tunnel {
	# in namespace
add_ip6geneve_tunnel()
{
	ip netns exec at_ns0 ip addr add ::11/96 dev veth0
	ip netns exec at_ns0 ip link set dev veth0 up
	ip addr add dev veth1 ::22/96
	ip link set dev veth1 up

	# at_ns0 namespace
	ip netns exec at_ns0 \
		ip link add dev $DEV_NS type $TYPE local 172.16.1.100 remote 172.16.1.200
	ip netns exec at_ns0 ip link set dev $DEV_NS up
		ip link add dev $DEV_NS type $TYPE id 22 \
		remote ::22     # geneve has no local option
	ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
	ip netns exec at_ns0 ip link set dev $DEV_NS up

	# out of namespace
	# root namespace
	ip link add dev $DEV type $TYPE external
	ip link set dev $DEV up
	ip addr add dev $DEV 10.1.1.200/24
	ip link set dev $DEV up
}

function setup_xfrm_tunnel {
	auth=0x$(printf '1%.0s' {1..40})
	enc=0x$(printf '2%.0s' {1..32})
	spi_in_to_out=0x1
	spi_out_to_in=0x2
	# in namespace
	# in -> out
	ip netns exec at_ns0 \
		ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \
			spi $spi_in_to_out reqid 1 mode tunnel \
			auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
	ip netns exec at_ns0 \
		ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir out \
		tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \
		mode tunnel
	# out -> in
	ip netns exec at_ns0 \
		ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \
			spi $spi_out_to_in reqid 2 mode tunnel \
			auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
add_ipip_tunnel()
{
	# at_ns0 namespace
	ip netns exec at_ns0 \
		ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir in \
		tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \
		mode tunnel
	# address & route
	ip netns exec at_ns0 \
		ip addr add dev veth0 10.1.1.100/32
	ip netns exec at_ns0 \
		ip route add 10.1.1.200 dev veth0 via 172.16.1.200 \
			src 10.1.1.100
		ip link add dev $DEV_NS type $TYPE \
		local 172.16.1.100 remote 172.16.1.200
	ip netns exec at_ns0 ip link set dev $DEV_NS up
	ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24

	# out of namespace
	# in -> out
	ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \
		spi $spi_in_to_out reqid 1 mode tunnel \
		auth-trunc 'hmac(sha1)' $auth 96  enc 'cbc(aes)' $enc
	ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir in \
		tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \
		mode tunnel
	# out -> in
	ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \
		spi $spi_out_to_in reqid 2 mode tunnel \
		auth-trunc 'hmac(sha1)' $auth 96  enc 'cbc(aes)' $enc
	ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir out \
		tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \
		mode tunnel
	# address & route
	ip addr add dev veth1 10.1.1.200/32
	ip route add 10.1.1.100 dev veth1 via 172.16.1.100 src 10.1.1.200
	# root namespace
	ip link add dev $DEV type $TYPE external
	ip link set dev $DEV up
	ip addr add dev $DEV 10.1.1.200/24
}

function attach_bpf {
	DEV=$1
	SET_TUNNEL=$2
	GET_TUNNEL=$3
	tc qdisc add dev $DEV clsact
	tc filter add dev $DEV egress bpf da obj tcbpf2_kern.o sec $SET_TUNNEL
	tc filter add dev $DEV ingress bpf da obj tcbpf2_kern.o sec $GET_TUNNEL
add_ipip6tnl_tunnel()
{
	ip netns exec at_ns0 ip addr add ::11/96 dev veth0
	ip netns exec at_ns0 ip link set dev veth0 up
	ip addr add dev veth1 ::22/96
	ip link set dev veth1 up

	# at_ns0 namespace
	ip netns exec at_ns0 \
		ip link add dev $DEV_NS type $TYPE \
		local ::11 remote ::22
	ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
	ip netns exec at_ns0 ip link set dev $DEV_NS up

	# root namespace
	ip link add dev $DEV type $TYPE external
	ip addr add dev $DEV 10.1.1.200/24
	ip link set dev $DEV up
}

function test_gre {
test_gre()
{
	TYPE=gretap
	DEV_NS=gretap00
	DEV=gretap11
	ret=0

	check $TYPE
	config_device
	add_gre_tunnel
	attach_bpf $DEV gre_set_tunnel gre_get_tunnel
	ping -c 1 10.1.1.100
	ip netns exec at_ns0 ping -c 1 10.1.1.200
	ping $PING_ARG 10.1.1.100
	check_err $?
	ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
	check_err $?
	cleanup

        if [ $ret -ne 0 ]; then
                echo -e ${RED}"FAIL: $TYPE"${NC}
                return 1
        fi
        echo -e ${GREEN}"PASS: $TYPE"${NC}
}

function test_ip6gre {
test_ip6gre()
{
	TYPE=ip6gre
	DEV_NS=ip6gre00
	DEV=ip6gre11
	ret=0

	check $TYPE
	config_device
	# reuse the ip6gretap function
	add_ip6gretap_tunnel
	attach_bpf $DEV ip6gretap_set_tunnel ip6gretap_get_tunnel
	# underlay
	ping6 -c 4 ::11
	ping6 $PING_ARG ::11
	# overlay: ipv4 over ipv6
	ip netns exec at_ns0 ping -c 1 10.1.1.200
	ping -c 1 10.1.1.100
	ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
	ping $PING_ARG 10.1.1.100
	check_err $?
	# overlay: ipv6 over ipv6
	ip netns exec at_ns0 ping6 -c 1 fc80::200
	ip netns exec at_ns0 ping6 $PING_ARG fc80::200
	check_err $?
	cleanup

        if [ $ret -ne 0 ]; then
                echo -e ${RED}"FAIL: $TYPE"${NC}
                return 1
        fi
        echo -e ${GREEN}"PASS: $TYPE"${NC}
}

function test_ip6gretap {
test_ip6gretap()
{
	TYPE=ip6gretap
	DEV_NS=ip6gretap00
	DEV=ip6gretap11
	ret=0

	check $TYPE
	config_device
	add_ip6gretap_tunnel
	attach_bpf $DEV ip6gretap_set_tunnel ip6gretap_get_tunnel
	# underlay
	ping6 -c 4 ::11
	ping6 $PING_ARG ::11
	# overlay: ipv4 over ipv6
	ip netns exec at_ns0 ping -i .2 -c 1 10.1.1.200
	ping -c 1 10.1.1.100
	ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
	ping $PING_ARG 10.1.1.100
	check_err $?
	# overlay: ipv6 over ipv6
	ip netns exec at_ns0 ping6 -c 1 fc80::200
	ip netns exec at_ns0 ping6 $PING_ARG fc80::200
	check_err $?
	cleanup

	if [ $ret -ne 0 ]; then
                echo -e ${RED}"FAIL: $TYPE"${NC}
                return 1
        fi
        echo -e ${GREEN}"PASS: $TYPE"${NC}
}

function test_erspan {
test_erspan()
{
	TYPE=erspan
	DEV_NS=erspan00
	DEV=erspan11
	ret=0

	check $TYPE
	config_device
	add_erspan_tunnel $1
	attach_bpf $DEV erspan_set_tunnel erspan_get_tunnel
	ping -c 1 10.1.1.100
	ip netns exec at_ns0 ping -c 1 10.1.1.200
	ping $PING_ARG 10.1.1.100
	check_err $?
	ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
	check_err $?
	cleanup

	if [ $ret -ne 0 ]; then
                echo -e ${RED}"FAIL: $TYPE"${NC}
                return 1
        fi
        echo -e ${GREEN}"PASS: $TYPE"${NC}
}

function test_ip6erspan {
test_ip6erspan()
{
	TYPE=ip6erspan
	DEV_NS=ip6erspan00
	DEV=ip6erspan11
	ret=0

	check $TYPE
	config_device
	add_ip6erspan_tunnel $1
	attach_bpf $DEV ip4ip6erspan_set_tunnel ip4ip6erspan_get_tunnel
	ping6 -c 3 ::11
	ip netns exec at_ns0 ping -c 1 10.1.1.200
	ping6 $PING_ARG ::11
	ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
	check_err $?
	cleanup

	if [ $ret -ne 0 ]; then
                echo -e ${RED}"FAIL: $TYPE"${NC}
                return 1
        fi
        echo -e ${GREEN}"PASS: $TYPE"${NC}
}

function test_vxlan {
test_vxlan()
{
	TYPE=vxlan
	DEV_NS=vxlan00
	DEV=vxlan11
	ret=0

	check $TYPE
	config_device
	add_vxlan_tunnel
	attach_bpf $DEV vxlan_set_tunnel vxlan_get_tunnel
	ping -c 1 10.1.1.100
	ip netns exec at_ns0 ping -c 1 10.1.1.200
	ping $PING_ARG 10.1.1.100
	check_err $?
	ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
	check_err $?
	cleanup

	if [ $ret -ne 0 ]; then
                echo -e ${RED}"FAIL: $TYPE"${NC}
                return 1
        fi
        echo -e ${GREEN}"PASS: $TYPE"${NC}
}

function test_geneve {
test_ip6vxlan()
{
	TYPE=vxlan
	DEV_NS=ip6vxlan00
	DEV=ip6vxlan11
	ret=0

	check $TYPE
	config_device
	add_ip6vxlan_tunnel
	ip link set dev veth1 mtu 1500
	attach_bpf $DEV ip6vxlan_set_tunnel ip6vxlan_get_tunnel
	# underlay
	ping6 $PING_ARG ::11
	# ip4 over ip6
	ping $PING_ARG 10.1.1.100
	check_err $?
	ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
	check_err $?
	cleanup

	if [ $ret -ne 0 ]; then
                echo -e ${RED}"FAIL: ip6$TYPE"${NC}
                return 1
        fi
        echo -e ${GREEN}"PASS: ip6$TYPE"${NC}
}

test_geneve()
{
	TYPE=geneve
	DEV_NS=geneve00
	DEV=geneve11
	ret=0

	check $TYPE
	config_device
	add_geneve_tunnel
	attach_bpf $DEV geneve_set_tunnel geneve_get_tunnel
	ping -c 1 10.1.1.100
	ip netns exec at_ns0 ping -c 1 10.1.1.200
	ping $PING_ARG 10.1.1.100
	check_err $?
	ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
	check_err $?
	cleanup

	if [ $ret -ne 0 ]; then
                echo -e ${RED}"FAIL: $TYPE"${NC}
                return 1
        fi
        echo -e ${GREEN}"PASS: $TYPE"${NC}
}

test_ip6geneve()
{
	TYPE=geneve
	DEV_NS=ip6geneve00
	DEV=ip6geneve11
	ret=0

	check $TYPE
	config_device
	add_ip6geneve_tunnel
	attach_bpf $DEV ip6geneve_set_tunnel ip6geneve_get_tunnel
	ping $PING_ARG 10.1.1.100
	check_err $?
	ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
	check_err $?
	cleanup

	if [ $ret -ne 0 ]; then
                echo -e ${RED}"FAIL: ip6$TYPE"${NC}
                return 1
        fi
        echo -e ${GREEN}"PASS: ip6$TYPE"${NC}
}

function test_ipip {
test_ipip()
{
	TYPE=ipip
	DEV_NS=ipip00
	DEV=ipip11
	ret=0

	check $TYPE
	config_device
	tcpdump -nei veth1 &
	cat /sys/kernel/debug/tracing/trace_pipe &
	add_ipip_tunnel
	ethtool -K veth1 gso off gro off rx off tx off
	ip link set dev veth1 mtu 1500
	attach_bpf $DEV ipip_set_tunnel ipip_get_tunnel
	ping -c 1 10.1.1.100
	ip netns exec at_ns0 ping -c 1 10.1.1.200
	ip netns exec at_ns0 iperf -sD -p 5200 > /dev/null
	sleep 0.2
	iperf -c 10.1.1.100 -n 5k -p 5200
	ping $PING_ARG 10.1.1.100
	check_err $?
	ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
	check_err $?
	cleanup

	if [ $ret -ne 0 ]; then
                echo -e ${RED}"FAIL: $TYPE"${NC}
                return 1
        fi
        echo -e ${GREEN}"PASS: $TYPE"${NC}
}

test_ipip6()
{
	TYPE=ip6tnl
	DEV_NS=ipip6tnl00
	DEV=ipip6tnl11
	ret=0

	check $TYPE
	config_device
	add_ipip6tnl_tunnel
	ip link set dev veth1 mtu 1500
	attach_bpf $DEV ipip6_set_tunnel ipip6_get_tunnel
	# underlay
	ping6 $PING_ARG ::11
	# ip4 over ip6
	ping $PING_ARG 10.1.1.100
	check_err $?
	ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
	check_err $?
	cleanup

	if [ $ret -ne 0 ]; then
                echo -e ${RED}"FAIL: $TYPE"${NC}
                return 1
        fi
        echo -e ${GREEN}"PASS: $TYPE"${NC}
}

setup_xfrm_tunnel()
{
	auth=0x$(printf '1%.0s' {1..40})
	enc=0x$(printf '2%.0s' {1..32})
	spi_in_to_out=0x1
	spi_out_to_in=0x2
	# at_ns0 namespace
	# at_ns0 -> root
	ip netns exec at_ns0 \
		ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \
			spi $spi_in_to_out reqid 1 mode tunnel \
			auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
	ip netns exec at_ns0 \
		ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir out \
		tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \
		mode tunnel
	# root -> at_ns0
	ip netns exec at_ns0 \
		ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \
			spi $spi_out_to_in reqid 2 mode tunnel \
			auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
	ip netns exec at_ns0 \
		ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir in \
		tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \
		mode tunnel
	# address & route
	ip netns exec at_ns0 \
		ip addr add dev veth0 10.1.1.100/32
	ip netns exec at_ns0 \
		ip route add 10.1.1.200 dev veth0 via 172.16.1.200 \
			src 10.1.1.100

	# root namespace
	# at_ns0 -> root
	ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \
		spi $spi_in_to_out reqid 1 mode tunnel \
		auth-trunc 'hmac(sha1)' $auth 96  enc 'cbc(aes)' $enc
	ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir in \
		tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \
		mode tunnel
	# root -> at_ns0
	ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \
		spi $spi_out_to_in reqid 2 mode tunnel \
		auth-trunc 'hmac(sha1)' $auth 96  enc 'cbc(aes)' $enc
	ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir out \
		tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \
		mode tunnel
	# address & route
	ip addr add dev veth1 10.1.1.200/32
	ip route add 10.1.1.100 dev veth1 via 172.16.1.100 src 10.1.1.200
}

function test_xfrm_tunnel {
test_xfrm_tunnel()
{
	config_device
        tcpdump -nei veth1 ip &
        #tcpdump -nei veth1 ip &
	output=$(mktemp)
	cat /sys/kernel/debug/tracing/trace_pipe | tee $output &
        setup_xfrm_tunnel
	tc qdisc add dev veth1 clsact
	tc filter add dev veth1 proto ip ingress bpf da obj tcbpf2_kern.o \
	tc filter add dev veth1 proto ip ingress bpf da obj test_tunnel_kern.o \
		sec xfrm_get_state
	ip netns exec at_ns0 ping -c 1 10.1.1.200
	ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
	sleep 1
	grep "reqid 1" $output
	check_err $?
	grep "spi 0x1" $output
	check_err $?
	grep "remote ip 0xac100164" $output
	check_err $?
	cleanup

	if [ $ret -ne 0 ]; then
                echo -e ${RED}"FAIL: xfrm tunnel"${NC}
                return 1
        fi
        echo -e ${GREEN}"PASS: xfrm tunnel"${NC}
}

function cleanup {
	set +ex
	pkill iperf
	ip netns delete at_ns0
	ip link del veth1
	ip link del ipip11
	ip link del gretap11
	ip link del ip6gre11
	ip link del ip6gretap11
	ip link del vxlan11
	ip link del geneve11
	ip link del erspan11
	ip link del ip6erspan11
	ip x s flush
	ip x p flush
	pkill tcpdump
	pkill cat
	set -ex
attach_bpf()
{
	DEV=$1
	SET=$2
	GET=$3
	tc qdisc add dev $DEV clsact
	tc filter add dev $DEV egress bpf da obj test_tunnel_kern.o sec $SET
	tc filter add dev $DEV ingress bpf da obj test_tunnel_kern.o sec $GET
}

trap cleanup 0 2 3 6 9
cleanup()
{
	ip netns delete at_ns0 2> /dev/null
	ip link del veth1 2> /dev/null
	ip link del ipip11 2> /dev/null
	ip link del ipip6tnl11 2> /dev/null
	ip link del gretap11 2> /dev/null
	ip link del ip6gre11 2> /dev/null
	ip link del ip6gretap11 2> /dev/null
	ip link del vxlan11 2> /dev/null
	ip link del ip6vxlan11 2> /dev/null
	ip link del geneve11 2> /dev/null
	ip link del ip6geneve11 2> /dev/null
	ip link del erspan11 2> /dev/null
	ip link del ip6erspan11 2> /dev/null
}

cleanup_exit()
{
	echo "CATCH SIGKILL or SIGINT, cleanup and exit"
	cleanup
	exit 0
}

check()
{
	ip link help $1 2>&1 | grep -q "^Usage:"
	if [ $? -ne 0 ];then
		echo "SKIP $1: iproute2 not support"
	cleanup
	return 1
	fi
}

enable_debug()
{
	echo 'file ip_gre.c +p' > /sys/kernel/debug/dynamic_debug/control
	echo 'file ip6_gre.c +p' > /sys/kernel/debug/dynamic_debug/control
	echo 'file vxlan.c +p' > /sys/kernel/debug/dynamic_debug/control
	echo 'file geneve.c +p' > /sys/kernel/debug/dynamic_debug/control
	echo 'file ipip.c +p' > /sys/kernel/debug/dynamic_debug/control
}

check_err()
{
	if [ $ret -eq 0 ]; then
		ret=$1
	fi
}

bpf_tunnel_test()
{
	echo "Testing GRE tunnel..."
	test_gre
	echo "Testing IP6GRE tunnel..."
@@ -374,17 +701,29 @@ test_ip6gre
	echo "Testing IP6GRETAP tunnel..."
	test_ip6gretap
	echo "Testing ERSPAN tunnel..."
test_erspan v1
	test_erspan v2
	echo "Testing IP6ERSPAN tunnel..."
test_ip6erspan v1
	test_ip6erspan v2
	echo "Testing VXLAN tunnel..."
	test_vxlan
	echo "Testing IP6VXLAN tunnel..."
	test_ip6vxlan
	echo "Testing GENEVE tunnel..."
	test_geneve
	echo "Testing IP6GENEVE tunnel..."
	test_ip6geneve
	echo "Testing IPIP tunnel..."
	test_ipip
	echo "Testing IPIP6 tunnel..."
	test_ipip6
	echo "Testing IPSec tunnel..."
	test_xfrm_tunnel
echo "*** PASS ***"
}

trap cleanup 0 3 6
trap cleanup_exit 2 9

cleanup
bpf_tunnel_test

exit 0
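Review bot: The test script's cleanup() no longer undoes what test_xfrm_tunnel sets up: the xfrm states and policies that setup_xfrm_tunnel adds in the root namespace, the backgrounded `cat /sys/kernel/debug/tracing/trace_pipe | tee $output &` and the mktemp file all outlive the run (the rendered page has lost its +/- markers, so this assumes the variant with `2> /dev/null` and without the flush/pkill lines is the new side). On a shared test host that leaves ESP SAs with fixed test keys and policies for the 10.1.1.x addresses installed, plus a process still reading trace_pipe. Rather than restoring the old `ip x s flush`, which would also drop unrelated SAs, I would delete exactly the entries the test added and record the reader's PID so it can be stopped, as below. Separately, `trap cleanup_exit 2 9` cannot catch signal 9, and bpf_tunnel_test prints `*** PASS ***` and the script runs `exit 0` even when a test_* function returned 1.

```shell
test_xfrm_tunnel()
{
	# … unchanged: config_device …
	output=$(mktemp)
	# one reader process, so its PID can be recorded and killed in cleanup
	tee "$output" < /sys/kernel/debug/tracing/trace_pipe &
	trace_pid=$!
	# … unchanged: setup_xfrm_tunnel, tc filter, ping, grep checks, cleanup …

cleanup()
{
	# … unchanged: netns and link deletion …
	# remove only the xfrm entries setup_xfrm_tunnel added in the root namespace
	ip xfrm policy delete dir in src 10.1.1.100/32 dst 10.1.1.200/32 2> /dev/null
	ip xfrm policy delete dir out src 10.1.1.200/32 dst 10.1.1.100/32 2> /dev/null
	ip xfrm state delete src 172.16.1.100 dst 172.16.1.200 proto esp spi 0x1 2> /dev/null
	ip xfrm state delete src 172.16.1.200 dst 172.16.1.100 proto esp spi 0x2 2> /dev/null
	# stop the trace_pipe reader and drop its capture file, if a test created them
	if [ -n "$trace_pid" ]; then
		kill "$trace_pid" 2> /dev/null
		trace_pid=
	fi
	if [ -n "$output" ]; then
		rm -f -- "$output"
		output=
	fi
```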