2 # SPDX-License-Identifier: GPL-2.0
4 # End-to-end eBPF tunnel test suite
5 # This script tests the BPF network tunnel implementation.
9 #     root namespace   |     at_ns0 namespace
11 #     -----------     |     -----------
12 #     | tnl dev |     |     | tnl dev |  (overlay network)
13 #     -----------     |     -----------
14 #     metadata-mode   |     native-mode
17 #     ----------      |     ----------
18 #     |  veth1  | --------- |  veth0  |  (underlay network)
19 #     ----------    peer    ----------
22 # Device Configuration
23 # --------------------
24 # Root namespace with metadata-mode tunnel + BPF
25 # Device names and addresses:
26 # veth1 IP: 172.16.1.200, IPv6: 00::22 (underlay)
27 # tunnel dev <type>11, ex: gre11, IPv4: 10.1.1.200, IPv6: 1::22 (overlay)
29 # Namespace at_ns0 with native tunnel
30 # Device names and addresses:
31 # veth0 IPv4: 172.16.1.100, IPv6: 00::11 (underlay)
32 # tunnel dev <type>00, ex: gre00, IPv4: 10.1.1.100, IPv6: 1::11 (overlay)
35 # End-to-end ping packet flow
36 # ---------------------------
37 # Most of the tests start by namespace creation, device configuration,
38 # then ping the underlay and overlay network. When doing 'ping 10.1.1.100'
39 # from root namespace, the following operations happen:
40 # 1) Route lookup shows that 10.1.1.100/24 belongs to the tnl dev, so the
40 #    packet is forwarded to the tnl dev.
41 # 2) The tnl device's egress BPF program is triggered and sets the tunnel
42 #    metadata, with remote_ip=172.16.1.200 and others.
43 # 3) The outer tunnel header is prepended and the packet is routed to veth1's egress.
44 # 4) veth0's ingress queue receives the tunneled packet in namespace at_ns0.
45 # 5) The tunnel protocol handler, e.g. vxlan_rcv, decapsulates the packet.
46 # 6) The packet is forwarded to the overlay tnl dev.
48 PING_ARG="-c 3 -w 10 -q"
52 NC='\033[0m' # No Color
57 ip link add veth0 type veth peer name veth1
58 ip link set veth0 netns at_ns0
59 ip netns exec at_ns0 ip addr add 172.16.1.100/24 dev veth0
60 ip netns exec at_ns0 ip link set dev veth0 up
61 ip link set dev veth1 up mtu 1500
62 ip addr add dev veth1 172.16.1.200/24
68 ip netns exec at_ns0 \
69 ip link add dev $DEV_NS type $TYPE seq key 2 \
70 local 172.16.1.100 remote 172.16.1.200
71 ip netns exec at_ns0 ip link set dev $DEV_NS up
72 ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
75 ip link add dev $DEV type $TYPE key 2 external
76 ip link set dev $DEV up
77 ip addr add dev $DEV 10.1.1.200/24
80 add_ip6gretap_tunnel()
84 ip netns exec at_ns0 ip addr add ::11/96 dev veth0
85 ip netns exec at_ns0 ip link set dev veth0 up
86 ip addr add dev veth1 ::22/96
87 ip link set dev veth1 up
90 ip netns exec at_ns0 \
91 ip link add dev $DEV_NS type $TYPE seq flowlabel 0xbcdef key 2 \
92 local ::11 remote ::22
94 ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
95 ip netns exec at_ns0 ip addr add dev $DEV_NS fc80::100/96
96 ip netns exec at_ns0 ip link set dev $DEV_NS up
99 ip link add dev $DEV type $TYPE external
100 ip addr add dev $DEV 10.1.1.200/24
101 ip addr add dev $DEV fc80::200/24
102 ip link set dev $DEV up
108 if [ "$1" == "v1" ]; then
109 ip netns exec at_ns0 \
110 ip link add dev $DEV_NS type $TYPE seq key 2 \
111 local 172.16.1.100 remote 172.16.1.200 \
112 erspan_ver 1 erspan 123
114 ip netns exec at_ns0 \
115 ip link add dev $DEV_NS type $TYPE seq key 2 \
116 local 172.16.1.100 remote 172.16.1.200 \
117 erspan_ver 2 erspan_dir egress erspan_hwid 3
119 ip netns exec at_ns0 ip link set dev $DEV_NS up
120 ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
123 ip link add dev $DEV type $TYPE external
124 ip link set dev $DEV up
125 ip addr add dev $DEV 10.1.1.200/24
128 add_ip6erspan_tunnel()
131 # assign ipv6 address
132 ip netns exec at_ns0 ip addr add ::11/96 dev veth0
133 ip netns exec at_ns0 ip link set dev veth0 up
134 ip addr add dev veth1 ::22/96
135 ip link set dev veth1 up
138 if [ "$1" == "v1" ]; then
139 ip netns exec at_ns0 \
140 ip link add dev $DEV_NS type $TYPE seq key 2 \
141 local ::11 remote ::22 \
142 erspan_ver 1 erspan 123
144 ip netns exec at_ns0 \
145 ip link add dev $DEV_NS type $TYPE seq key 2 \
146 local ::11 remote ::22 \
147 erspan_ver 2 erspan_dir egress erspan_hwid 7
149 ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
150 ip netns exec at_ns0 ip link set dev $DEV_NS up
153 ip link add dev $DEV type $TYPE external
154 ip addr add dev $DEV 10.1.1.200/24
155 ip link set dev $DEV up
160 # Set a static ARP entry here because the iptables set-mark rule works
161 # on L3 packets only; it does not apply to ARP packets, which
162 # causes errors in get_tunnel_{key/opt}.
165 ip netns exec at_ns0 \
166 ip link add dev $DEV_NS type $TYPE \
167 id 2 dstport 4789 gbp remote 172.16.1.200
168 ip netns exec at_ns0 \
169 ip link set dev $DEV_NS address 52:54:00:d9:01:00 up
170 ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
171 ip netns exec at_ns0 \
172 ip neigh add 10.1.1.200 lladdr 52:54:00:d9:02:00 dev $DEV_NS
173 ip netns exec at_ns0 iptables -A OUTPUT -j MARK --set-mark 0x800FF
176 ip link add dev $DEV type $TYPE external gbp dstport 4789
177 ip link set dev $DEV address 52:54:00:d9:02:00 up
178 ip addr add dev $DEV 10.1.1.200/24
179 ip neigh add 10.1.1.100 lladdr 52:54:00:d9:01:00 dev $DEV
182 add_ip6vxlan_tunnel()
184 #ip netns exec at_ns0 ip -4 addr del 172.16.1.100 dev veth0
185 ip netns exec at_ns0 ip -6 addr add ::11/96 dev veth0
186 ip netns exec at_ns0 ip link set dev veth0 up
187 #ip -4 addr del 172.16.1.200 dev veth1
188 ip -6 addr add dev veth1 ::22/96
189 ip link set dev veth1 up
192 ip netns exec at_ns0 \
193 ip link add dev $DEV_NS type $TYPE id 22 dstport 4789 \
194 local ::11 remote ::22
195 ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
196 ip netns exec at_ns0 ip link set dev $DEV_NS up
199 ip link add dev $DEV type $TYPE external dstport 4789
200 ip addr add dev $DEV 10.1.1.200/24
201 ip link set dev $DEV up
207 ip netns exec at_ns0 \
208 ip link add dev $DEV_NS type $TYPE \
209 id 2 dstport 6081 remote 172.16.1.200
210 ip netns exec at_ns0 ip link set dev $DEV_NS up
211 ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
214 ip link add dev $DEV type $TYPE dstport 6081 external
215 ip link set dev $DEV up
216 ip addr add dev $DEV 10.1.1.200/24
219 add_ip6geneve_tunnel()
221 ip netns exec at_ns0 ip addr add ::11/96 dev veth0
222 ip netns exec at_ns0 ip link set dev veth0 up
223 ip addr add dev veth1 ::22/96
224 ip link set dev veth1 up
227 ip netns exec at_ns0 \
228 ip link add dev $DEV_NS type $TYPE id 22 \
229 remote ::22 # geneve has no local option
230 ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
231 ip netns exec at_ns0 ip link set dev $DEV_NS up
234 ip link add dev $DEV type $TYPE external
235 ip addr add dev $DEV 10.1.1.200/24
236 ip link set dev $DEV up
242 ip netns exec at_ns0 \
243 ip link add dev $DEV_NS type $TYPE \
244 local 172.16.1.100 remote 172.16.1.200
245 ip netns exec at_ns0 ip link set dev $DEV_NS up
246 ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
249 ip link add dev $DEV type $TYPE external
250 ip link set dev $DEV up
251 ip addr add dev $DEV 10.1.1.200/24
256 ip netns exec at_ns0 ip addr add ::11/96 dev veth0
257 ip netns exec at_ns0 ip link set dev veth0 up
258 ip addr add dev veth1 ::22/96
259 ip link set dev veth1 up
262 ip netns exec at_ns0 \
263 ip link add dev $DEV_NS type $TYPE \
264 local ::11 remote ::22
265 ip netns exec at_ns0 ip addr add dev $DEV_NS 10.1.1.100/24
266 ip netns exec at_ns0 ip addr add dev $DEV_NS 1::11/96
267 ip netns exec at_ns0 ip link set dev $DEV_NS up
270 ip link add dev $DEV type $TYPE external
271 ip addr add dev $DEV 10.1.1.200/24
272 ip addr add dev $DEV 1::22/96
273 ip link set dev $DEV up
286 attach_bpf $DEV gre_set_tunnel gre_get_tunnel
287 ping $PING_ARG 10.1.1.100
289 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
293 if [ $ret -ne 0 ]; then
294 echo -e ${RED}"FAIL: $TYPE"${NC}
297 echo -e ${GREEN}"PASS: $TYPE"${NC}
309 # reuse the ip6gretap function
311 attach_bpf $DEV ip6gretap_set_tunnel ip6gretap_get_tunnel
314 # overlay: ipv4 over ipv6
315 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
316 ping $PING_ARG 10.1.1.100
318 # overlay: ipv6 over ipv6
319 ip netns exec at_ns0 ping6 $PING_ARG fc80::200
323 if [ $ret -ne 0 ]; then
324 echo -e ${RED}"FAIL: $TYPE"${NC}
327 echo -e ${GREEN}"PASS: $TYPE"${NC}
340 attach_bpf $DEV ip6gretap_set_tunnel ip6gretap_get_tunnel
343 # overlay: ipv4 over ipv6
344 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
345 ping $PING_ARG 10.1.1.100
347 # overlay: ipv6 over ipv6
348 ip netns exec at_ns0 ping6 $PING_ARG fc80::200
352 if [ $ret -ne 0 ]; then
353 echo -e ${RED}"FAIL: $TYPE"${NC}
356 echo -e ${GREEN}"PASS: $TYPE"${NC}
369 attach_bpf $DEV erspan_set_tunnel erspan_get_tunnel
370 ping $PING_ARG 10.1.1.100
372 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
376 if [ $ret -ne 0 ]; then
377 echo -e ${RED}"FAIL: $TYPE"${NC}
380 echo -e ${GREEN}"PASS: $TYPE"${NC}
392 add_ip6erspan_tunnel $1
393 attach_bpf $DEV ip4ip6erspan_set_tunnel ip4ip6erspan_get_tunnel
395 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
399 if [ $ret -ne 0 ]; then
400 echo -e ${RED}"FAIL: $TYPE"${NC}
403 echo -e ${GREEN}"PASS: $TYPE"${NC}
416 attach_bpf $DEV vxlan_set_tunnel vxlan_get_tunnel
417 ping $PING_ARG 10.1.1.100
419 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
423 if [ $ret -ne 0 ]; then
424 echo -e ${RED}"FAIL: $TYPE"${NC}
427 echo -e ${GREEN}"PASS: $TYPE"${NC}
440 ip link set dev veth1 mtu 1500
441 attach_bpf $DEV ip6vxlan_set_tunnel ip6vxlan_get_tunnel
445 ping $PING_ARG 10.1.1.100
447 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
451 if [ $ret -ne 0 ]; then
452 echo -e ${RED}"FAIL: ip6$TYPE"${NC}
455 echo -e ${GREEN}"PASS: ip6$TYPE"${NC}
468 attach_bpf $DEV geneve_set_tunnel geneve_get_tunnel
469 ping $PING_ARG 10.1.1.100
471 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
475 if [ $ret -ne 0 ]; then
476 echo -e ${RED}"FAIL: $TYPE"${NC}
479 echo -e ${GREEN}"PASS: $TYPE"${NC}
492 attach_bpf $DEV ip6geneve_set_tunnel ip6geneve_get_tunnel
493 ping $PING_ARG 10.1.1.100
495 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
499 if [ $ret -ne 0 ]; then
500 echo -e ${RED}"FAIL: ip6$TYPE"${NC}
503 echo -e ${GREEN}"PASS: ip6$TYPE"${NC}
516 ip link set dev veth1 mtu 1500
517 attach_bpf $DEV ipip_set_tunnel ipip_get_tunnel
518 ping $PING_ARG 10.1.1.100
520 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
524 if [ $ret -ne 0 ]; then
525 echo -e ${RED}"FAIL: $TYPE"${NC}
528 echo -e ${GREEN}"PASS: $TYPE"${NC}
541 ip link set dev veth1 mtu 1500
542 attach_bpf $DEV ipip6_set_tunnel ipip6_get_tunnel
546 ping $PING_ARG 10.1.1.100
548 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
552 if [ $ret -ne 0 ]; then
553 echo -e ${RED}"FAIL: $TYPE"${NC}
556 echo -e ${GREEN}"PASS: $TYPE"${NC}
569 ip link set dev veth1 mtu 1500
570 attach_bpf $DEV ip6ip6_set_tunnel ip6ip6_get_tunnel
574 ping6 $PING_ARG 1::11
576 ip netns exec at_ns0 ping6 $PING_ARG 1::22
580 if [ $ret -ne 0 ]; then
581 echo -e ${RED}"FAIL: ip6$TYPE"${NC}
584 echo -e ${GREEN}"PASS: ip6$TYPE"${NC}
# Fixed, predictable key material for the xfrm (IPsec) test states.
# printf reuses its format once per argument and '%.0s' prints nothing of the
# argument itself, so $auth becomes 0x followed by forty '1' hex digits and
# $enc becomes 0x followed by thirty-two '2' hex digits. They are passed as the
# 'hmac(sha1)' and 'cbc(aes)' keys of the "ip xfrm state add" commands.
# These are test-only constants, not secrets; never reuse them outside the test.
589 auth=0x$(printf '1%.0s' {1..40})
590 enc=0x$(printf '2%.0s' {1..32})
595 ip netns exec at_ns0 \
596 ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \
597 spi $spi_in_to_out reqid 1 mode tunnel \
598 auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
599 ip netns exec at_ns0 \
600 ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir out \
601 tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \
604 ip netns exec at_ns0 \
605 ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \
606 spi $spi_out_to_in reqid 2 mode tunnel \
607 auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
608 ip netns exec at_ns0 \
609 ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir in \
610 tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \
613 ip netns exec at_ns0 \
614 ip addr add dev veth0 10.1.1.100/32
615 ip netns exec at_ns0 \
616 ip route add 10.1.1.200 dev veth0 via 172.16.1.200 \
621 ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \
622 spi $spi_in_to_out reqid 1 mode tunnel \
623 auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
624 ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir in \
625 tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \
628 ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \
629 spi $spi_out_to_in reqid 2 mode tunnel \
630 auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
631 ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir out \
632 tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \
635 ip addr add dev veth1 10.1.1.200/32
636 ip route add 10.1.1.100 dev veth1 via 172.16.1.100 src 10.1.1.200
642 > /sys/kernel/debug/tracing/trace
644 tc qdisc add dev veth1 clsact
645 tc filter add dev veth1 proto ip ingress bpf da obj test_tunnel_kern.o \
647 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
649 grep "reqid 1" /sys/kernel/debug/tracing/trace
651 grep "spi 0x1" /sys/kernel/debug/tracing/trace
653 grep "remote ip 0xac100164" /sys/kernel/debug/tracing/trace
657 if [ $ret -ne 0 ]; then
658 echo -e ${RED}"FAIL: xfrm tunnel"${NC}
661 echo -e ${GREEN}"PASS: xfrm tunnel"${NC}
669 tc qdisc add dev $DEV clsact
670 tc filter add dev $DEV egress bpf da obj test_tunnel_kern.o sec $SET
671 tc filter add dev $DEV ingress bpf da obj test_tunnel_kern.o sec $GET
# Best-effort teardown of everything the tests may have created: the at_ns0
# namespace, the root-side veth1, every root-namespace tunnel device name, and
# the root-namespace xfrm policies and states.
# stderr is discarded on every command, so objects that do not exist produce
# no noise. The exit status is not checked on these lines either, which means
# a delete that fails for another reason (leaving an xfrm policy or state
# behind on the host) goes unnoticed.
# NOTE(review): the SPIs 0x1 and 0x2 are hard-coded here; presumably they must
# match the spi values used when the states were added — verify.
676 ip netns delete at_ns0 2> /dev/null
677 ip link del veth1 2> /dev/null
678 ip link del ipip11 2> /dev/null
679 ip link del ipip6tnl11 2> /dev/null
680 ip link del ip6ip6tnl11 2> /dev/null
681 ip link del gretap11 2> /dev/null
682 ip link del ip6gre11 2> /dev/null
683 ip link del ip6gretap11 2> /dev/null
684 ip link del vxlan11 2> /dev/null
685 ip link del ip6vxlan11 2> /dev/null
686 ip link del geneve11 2> /dev/null
687 ip link del ip6geneve11 2> /dev/null
688 ip link del erspan11 2> /dev/null
689 ip link del ip6erspan11 2> /dev/null
690 ip xfrm policy delete dir out src 10.1.1.200/32 dst 10.1.1.100/32 2> /dev/null
691 ip xfrm policy delete dir in src 10.1.1.100/32 dst 10.1.1.200/32 2> /dev/null
692 ip xfrm state delete src 172.16.1.100 dst 172.16.1.200 proto esp spi 0x1 2> /dev/null
693 ip xfrm state delete src 172.16.1.200 dst 172.16.1.100 proto esp spi 0x2 2> /dev/null
698 echo "CATCH SIGKILL or SIGINT, cleanup and exit"
705 ip link help 2>&1 | grep -q "\s$1\s"
707 echo "SKIP $1: iproute2 not support"
# Turn on dynamic-debug output ("+p") for the tunnel driver source files under
# test by writing to the debugfs control file.
# NOTE(review): this needs debugfs mounted at /sys/kernel/debug and enough
# privilege to write there. Nothing on these lines turns the flags back off
# ("-p"), so the extra kernel logging may persist after the test — confirm
# whether that is acceptable on shared test hosts.
715 echo 'file ip_gre.c +p' > /sys/kernel/debug/dynamic_debug/control
716 echo 'file ip6_gre.c +p' > /sys/kernel/debug/dynamic_debug/control
717 echo 'file vxlan.c +p' > /sys/kernel/debug/dynamic_debug/control
718 echo 'file geneve.c +p' > /sys/kernel/debug/dynamic_debug/control
719 echo 'file ipip.c +p' > /sys/kernel/debug/dynamic_debug/control
724 if [ $ret -eq 0 ]; then
733 echo "Testing GRE tunnel..."
735 errors=$(( $errors + $? ))
737 echo "Testing IP6GRE tunnel..."
739 errors=$(( $errors + $? ))
741 echo "Testing IP6GRETAP tunnel..."
743 errors=$(( $errors + $? ))
745 echo "Testing ERSPAN tunnel..."
747 errors=$(( $errors + $? ))
749 echo "Testing IP6ERSPAN tunnel..."
751 errors=$(( $errors + $? ))
753 echo "Testing VXLAN tunnel..."
755 errors=$(( $errors + $? ))
757 echo "Testing IP6VXLAN tunnel..."
759 errors=$(( $errors + $? ))
761 echo "Testing GENEVE tunnel..."
763 errors=$(( $errors + $? ))
765 echo "Testing IP6GENEVE tunnel..."
767 errors=$(( $errors + $? ))
769 echo "Testing IPIP tunnel..."
771 errors=$(( $errors + $? ))
773 echo "Testing IPIP6 tunnel..."
775 errors=$(( $errors + $? ))
777 echo "Testing IP6IP6 tunnel..."
779 errors=$(( $errors + $? ))
781 echo "Testing IPSec tunnel..."
783 errors=$(( $errors + $? ))
# Run cleanup_exit on signal 2 (SIGINT) and signal 9 (SIGKILL).
# NOTE(review): SIGKILL cannot be caught, so listing 9 has no effect and
# cleanup_exit will not run on "kill -9"; namespaces, tunnel devices and xfrm
# state would then be left behind. SIGTERM (15) is not trapped by this line;
# consider trapping it if cleanup on normal termination is wanted.
789 trap cleanup_exit 2 9
794 if [ $? -ne 0 ]; then
795 echo -e "$(basename $0): ${RED}FAIL${NC}"
798 echo -e "$(basename $0): ${GREEN}PASS${NC}"