
Commit 81429589 authored by Willem de Bruijn's avatar Willem de Bruijn Committed by Alexei Starovoitov

selftests/bpf: extend bpf tunnel test with tso



Segmentation offload takes a longer path. Verify that the feature
works with large packets.

The test succeeds if not setting dodgy in bpf_skb_adjust_room, as veth
TSO is permissive.

If not setting SKB_GSO_DODGY, this enables tunneled TSO offload on
supporting NICs.

The feature sets SKB_GSO_DODGY because the caller is untrusted. As a
result the packets traverse through the gso stack at least up to TCP.
And fail the gso_type validation, such as the skb->encapsulation check
in gre_gso_segment and the gso_type checks introduced in commit
418e897e ("gso: validate gso_type on ipip style tunnel").

This will be addressed in a follow-on feature patch. In the meantime,
disable the new gso tests.

Changes v1->v2:
  - not all netcat versions support flag '-q', use timeout instead

Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 7255fade
+49 −11
@@ -15,6 +15,8 @@ readonly ns2_v4=192.168.1.2
readonly ns1_v6=fd::1
readonly ns2_v6=fd::2

readonly infile="$(mktemp)"
readonly outfile="$(mktemp)"

setup() {
	ip netns add "${ns1}"
@@ -23,6 +25,8 @@ setup() {
	ip link add dev veth1 mtu 1500 netns "${ns1}" type veth \
	      peer name veth2 mtu 1500 netns "${ns2}"

	ip netns exec "${ns1}" ethtool -K veth1 tso off

	ip -netns "${ns1}" link set veth1 up
	ip -netns "${ns2}" link set veth2 up

@@ -32,58 +36,86 @@ setup() {
	ip -netns "${ns2}" -6 addr add "${ns2_v6}/64" dev veth2 nodad

	sleep 1

	dd if=/dev/urandom of="${infile}" bs="${datalen}" count=1 status=none
}

cleanup() {
	ip netns del "${ns2}"
	ip netns del "${ns1}"

	if [[ -f "${outfile}" ]]; then
		rm "${outfile}"
	fi
	if [[ -f "${infile}" ]]; then
		rm "${infile}"
	fi
}

server_listen() {
	ip netns exec "${ns2}" nc "${netcat_opt}" -l -p "${port}" &
	ip netns exec "${ns2}" nc "${netcat_opt}" -l -p "${port}" > "${outfile}" &
	server_pid=$!
	sleep 0.2
}

client_connect() {
	ip netns exec "${ns1}" nc "${netcat_opt}" -z -w 1 "${addr2}" "${port}"
	ip netns exec "${ns1}" timeout 2 nc "${netcat_opt}" -w 1 "${addr2}" "${port}" < "${infile}"
	echo $?
}

verify_data() {
	wait "${server_pid}"
	# sha1sum returns two fields [sha1] [filepath]
	# convert to bash array and access first elem
	insum=($(sha1sum ${infile}))
	outsum=($(sha1sum ${outfile}))
	if [[ "${insum[0]}" != "${outsum[0]}" ]]; then
		echo "data mismatch"
		exit 1
	fi
}

set -e

# no arguments: automated test, run all
if [[ "$#" -eq "0" ]]; then
	echo "ipip"
	$0 ipv4 ipip
	$0 ipv4 ipip 100

	echo "ip6ip6"
	$0 ipv6 ip6tnl
	$0 ipv6 ip6tnl 100

	echo "ip gre"
	$0 ipv4 gre
	$0 ipv4 gre 100

	echo "ip6 gre"
	$0 ipv6 ip6gre
	$0 ipv6 ip6gre 100

	# disabled until passes SKB_GSO_DODGY checks
	# echo "ip gre gso"
	# $0 ipv4 gre 2000

	# disabled until passes SKB_GSO_DODGY checks
	# echo "ip6 gre gso"
	# $0 ipv6 ip6gre 2000

	echo "OK. All tests passed"
	exit 0
fi

if [[ "$#" -ne "2" ]]; then
if [[ "$#" -ne "3" ]]; then
	echo "Usage: $0"
	echo "   or: $0 <ipv4|ipv6> <tuntype>"
	echo "   or: $0 <ipv4|ipv6> <tuntype> <data_len>"
	exit 1
fi

case "$1" in
"ipv4")
	readonly tuntype=$2
	readonly addr1="${ns1_v4}"
	readonly addr2="${ns2_v4}"
	readonly netcat_opt=-4
	;;
"ipv6")
	readonly tuntype=$2
	readonly addr1="${ns1_v6}"
	readonly addr2="${ns2_v6}"
	readonly netcat_opt=-6
@@ -94,7 +126,10 @@ case "$1" in
	;;
esac

echo "encap ${addr1} to ${addr2}, type ${tuntype}"
readonly tuntype=$2
readonly datalen=$3

echo "encap ${addr1} to ${addr2}, type ${tuntype}, len ${datalen}"

trap cleanup EXIT

@@ -104,6 +139,7 @@ setup
echo "test basic connectivity"
server_listen
client_connect
verify_data

# clientside, insert bpf program to encap all TCP to port ${port}
# client can no longer connect
@@ -123,6 +159,7 @@ ip netns exec "${ns2}" ip link add dev testtun0 type "${tuntype}" \
ip netns exec "${ns2}" ip link set dev testtun0 up
echo "test bpf encap with tunnel device decap"
client_connect
verify_data

# serverside, use BPF for decap
ip netns exec "${ns2}" ip link del dev testtun0
@@ -132,5 +169,6 @@ ip netns exec "${ns2}" tc filter add dev veth2 ingress \
server_listen
echo "test bpf encap with bpf decap"
client_connect
verify_data

echo OK
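Review bot: The two top-level `mktemp` calls run on every invocation, but `trap cleanup EXIT` is installed only after argument parsing, so the no-argument run-all branch (which reaches `exit 0` before the trap) and the usage-error path each leave two files behind in the temp directory. Creating the files at the top of `setup()`, which appears to run after the trap is set, keeps creation and cleanup paired: `infile="$(mktemp)"` and `outfile="$(mktemp)"`. Separately, `verify_data` expands the paths unquoted; `insum=($(sha1sum "${infile}"))` and `outsum=($(sha1sum "${outfile}"))` avoid word splitting if TMPDIR contains whitespace. The +/- markers are lost in this rendering, so which lines are new is inferred from the duplicated old/new pairs and the commit description.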