bpf, selftests: Test BPF_FLOW_DISSECTOR_CONTINUE
authorShmulik Ladkani <shmulik.ladkani@gmail.com>
Sun, 21 Aug 2022 11:35:19 +0000 (14:35 +0300)
committerDaniel Borkmann <daniel@iogearbox.net>
Tue, 23 Aug 2022 20:48:12 +0000 (22:48 +0200)
The dissector program returns BPF_FLOW_DISSECTOR_CONTINUE (and avoids
setting skb->flow_keys or last_dissection map) in case it encounters
IP packets whose (outer) source address is 127.0.0.127.

Additional test is added to prog_tests/flow_dissector.c which sets
this address as test's pkk.iph.saddr, with the expected retval of
BPF_FLOW_DISSECTOR_CONTINUE.

Also, legacy test_flow_dissector.sh was similarly augmented.

Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Stanislav Fomichev <sdf@google.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20220821113519.116765-5-shmulik.ladkani@gmail.com
tools/testing/selftests/bpf/prog_tests/flow_dissector.c
tools/testing/selftests/bpf/progs/bpf_flow.c
tools/testing/selftests/bpf/test_flow_dissector.sh

index 8fa3c454995ebc9880a6cc98a6cc8afcf3411500..7acca37a3d2b56017c66283c3f332ae91c3fe7f5 100644 (file)
@@ -8,6 +8,8 @@
 
 #include "bpf_flow.skel.h"
 
+#define FLOW_CONTINUE_SADDR 0x7f00007f /* 127.0.0.127 */
+
 #ifndef IP_MF
 #define IP_MF 0x2000
 #endif
@@ -400,6 +402,25 @@ struct test tests[] = {
                .flags = BPF_FLOW_DISSECTOR_F_STOP_AT_ENCAP,
                .retval = BPF_OK,
        },
+       {
+               .name = "ipip-encap-dissector-continue",
+               .pkt.ipip = {
+                       .eth.h_proto = __bpf_constant_htons(ETH_P_IP),
+                       .iph.ihl = 5,
+                       .iph.protocol = IPPROTO_IPIP,
+                       .iph.tot_len = __bpf_constant_htons(MAGIC_BYTES),
+                       .iph.saddr = __bpf_constant_htonl(FLOW_CONTINUE_SADDR),
+                       .iph_inner.ihl = 5,
+                       .iph_inner.protocol = IPPROTO_TCP,
+                       .iph_inner.tot_len =
+                               __bpf_constant_htons(MAGIC_BYTES) -
+                               sizeof(struct iphdr),
+                       .tcp.doff = 5,
+                       .tcp.source = 99,
+                       .tcp.dest = 9090,
+               },
+               .retval = BPF_FLOW_DISSECTOR_CONTINUE,
+       },
 };
 
 static int create_tap(const char *ifname)
index f266c757b3df3368f4fad8ed8ba175fe875721c4..a20c5ed5e4546cfef792ba301b8ece7efc3a2f7d 100644 (file)
@@ -22,6 +22,8 @@
 #define PROG(F) PROG_(F, _##F)
 #define PROG_(NUM, NAME) SEC("flow_dissector") int flow_dissector_##NUM
 
+#define FLOW_CONTINUE_SADDR 0x7f00007f /* 127.0.0.127 */
+
 /* These are the identifiers of the BPF programs that will be used in tail
  * calls. Name is limited to 16 characters, with the terminating character and
  * bpf_func_ above, we have only 6 to work with, anything after will be cropped.
@@ -143,6 +145,19 @@ int _dissect(struct __sk_buff *skb)
 {
        struct bpf_flow_keys *keys = skb->flow_keys;
 
+       if (keys->n_proto == bpf_htons(ETH_P_IP)) {
+               /* IP traffic from FLOW_CONTINUE_SADDR falls-back to
+                * standard dissector
+                */
+               struct iphdr *iph, _iph;
+
+               iph = bpf_flow_dissect_get_header(skb, sizeof(*iph), &_iph);
+               if (iph && iph->ihl == 5 &&
+                   iph->saddr == bpf_htonl(FLOW_CONTINUE_SADDR)) {
+                       return BPF_FLOW_DISSECTOR_CONTINUE;
+               }
+       }
+
        return parse_eth_proto(skb, keys->n_proto);
 }
 
index dbd91221727d8f46118650bdd6d2b28c9f5c0eef..5303ce0c977bd3acf9baced98bd4f922ae13b1c8 100755 (executable)
@@ -115,6 +115,14 @@ tc filter add dev lo parent ffff: protocol ip pref 1337 flower ip_proto \
 # Send 10 IPv4/UDP packets from port 10. Filter should not drop any.
 ./test_flow_dissector -i 4 -f 10
 
+echo "Testing IPv4 from 127.0.0.127 (fallback to generic dissector)..."
+# Send 10 IPv4/UDP packets from port 8. Filter should not drop any.
+./test_flow_dissector -i 4 -S 127.0.0.127 -f 8
+# Send 10 IPv4/UDP packets from port 9. Filter should drop all.
+./test_flow_dissector -i 4 -S 127.0.0.127 -f 9 -F
+# Send 10 IPv4/UDP packets from port 10. Filter should not drop any.
+./test_flow_dissector -i 4 -S 127.0.0.127 -f 10
+
 echo "Testing IPIP..."
 # Send 10 IPv4/IPv4/UDP packets from port 8. Filter should not drop any.
 ./with_addr.sh ./with_tunnels.sh ./test_flow_dissector -o 4 -e bare -i 4 \