
selftests/bpf: add tests for bpf_ct_set_nat_info kfunc

Introduce self-tests for bpf_ct_set_nat_info kfunc used to set the
source or destination nat addresses/ports.

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://lore.kernel.org/r/803e33294e247744d466943105879414344d3235.1663778601.git.lorenzo@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

Lorenzo Bianconi and committed by
Alexei Starovoitov
b06b45e8 0fabd2aa

+35 -3
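--- a/tools/testing/selftests/bpf/config
+++ b/tools/testing/selftests/bpf/config
@@ -63,6 +63,7 @@
 CONFIG_NF_CONNTRACK_MARK=y
 CONFIG_NF_DEFRAG_IPV4=y
 CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_NAT=y
 CONFIG_RC_CORE=y
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y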
+7 -3
tools/testing/selftests/bpf/prog_tests/bpf_nf.c
··· 26 26 TEST_TC_BPF, 27 27 }; 28 28 29 - #define TIMEOUT_MS 3000 29 + #define TIMEOUT_MS 3000 30 + #define IPS_STATUS_MASK (IPS_CONFIRMED | IPS_SEEN_REPLY | \ 31 + IPS_SRC_NAT_DONE | IPS_DST_NAT_DONE | \ 32 + IPS_SRC_NAT | IPS_DST_NAT) 30 33 31 34 static int connect_to_server(int srv_fd) 32 35 { ··· 117 114 ASSERT_GT(skel->bss->test_delta_timeout, 8, "Test for min ct timeout update"); 118 115 ASSERT_LE(skel->bss->test_delta_timeout, 10, "Test for max ct timeout update"); 119 116 ASSERT_EQ(skel->bss->test_insert_lookup_mark, 77, "Test for insert and lookup mark value"); 120 - ASSERT_EQ(skel->bss->test_status, IPS_CONFIRMED | IPS_SEEN_REPLY, 121 - "Test for ct status update "); 117 + ASSERT_EQ(skel->bss->test_status, IPS_STATUS_MASK, "Test for ct status update "); 122 118 ASSERT_EQ(skel->data->test_exist_lookup, 0, "Test existing connection lookup"); 123 119 ASSERT_EQ(skel->bss->test_exist_lookup_mark, 43, "Test existing connection lookup ctmark"); 120 + ASSERT_EQ(skel->data->test_snat_addr, 0, "Test for source natting"); 121 + ASSERT_EQ(skel->data->test_dnat_addr, 0, "Test for destination natting"); 124 122 end: 125 123 if (srv_client_fd != -1) 126 124 close(srv_client_fd);
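Review bot: `IPS_STATUS_MASK` is passed to `ASSERT_EQ` as the exact expected value of `skel->bss->test_status`, so it is never used as a mask and the name suggests a bitwise test that does not happen; a name such as `IPS_EXPECTED_STATUS` would match what the assertion does. A one-line comment on the macro, for example `/* ct status expected once the BPF program has set both snat and dnat */`, would explain why the four NAT bits are now part of the expected value. Because the NAT bits are folded into the existing check, a NAT setup that did not take effect is reported under "Test for ct status update ", which points at the wrong feature; a separate assertion on the NAT bits would keep the two failures apart. The enclosing test function starts and ends outside this hunk.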
+27
tools/testing/selftests/bpf/progs/test_bpf_nf.c
··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 #include <vmlinux.h> 3 3 #include <bpf/bpf_helpers.h> 4 + #include <bpf/bpf_endian.h> 4 5 5 6 #define EAFNOSUPPORT 97 6 7 #define EPROTO 71 ··· 25 24 u32 test_delta_timeout = 0; 26 25 u32 test_status = 0; 27 26 u32 test_insert_lookup_mark = 0; 27 + int test_snat_addr = -EINVAL; 28 + int test_dnat_addr = -EINVAL; 28 29 __be32 saddr = 0; 29 30 __be16 sport = 0; 30 31 __be32 daddr = 0; ··· 57 54 int bpf_ct_change_timeout(struct nf_conn *, u32) __ksym; 58 55 int bpf_ct_set_status(struct nf_conn *, u32) __ksym; 59 56 int bpf_ct_change_status(struct nf_conn *, u32) __ksym; 57 + int bpf_ct_set_nat_info(struct nf_conn *, union nf_inet_addr *, 58 + int port, enum nf_nat_manip_type) __ksym; 60 59 61 60 static __always_inline void 62 61 nf_ct_test(struct nf_conn *(*lookup_fn)(void *, struct bpf_sock_tuple *, u32, ··· 146 141 ct = alloc_fn(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, 147 142 sizeof(opts_def)); 148 143 if (ct) { 144 + __u16 sport = bpf_get_prandom_u32(); 145 + __u16 dport = bpf_get_prandom_u32(); 146 + union nf_inet_addr saddr = {}; 147 + union nf_inet_addr daddr = {}; 149 148 struct nf_conn *ct_ins; 150 149 151 150 bpf_ct_set_timeout(ct, 10000); 152 151 ct->mark = 77; 152 + 153 + /* snat */ 154 + saddr.ip = bpf_get_prandom_u32(); 155 + bpf_ct_set_nat_info(ct, &saddr, sport, NF_NAT_MANIP_SRC); 156 + /* dnat */ 157 + daddr.ip = bpf_get_prandom_u32(); 158 + bpf_ct_set_nat_info(ct, &daddr, dport, NF_NAT_MANIP_DST); 153 159 154 160 ct_ins = bpf_ct_insert_entry(ct); 155 161 if (ct_ins) { ··· 169 153 ct_lk = lookup_fn(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), 170 154 &opts_def, sizeof(opts_def)); 171 155 if (ct_lk) { 156 + struct nf_conntrack_tuple *tuple; 157 + 158 + /* check snat and dnat addresses */ 159 + tuple = &ct_lk->tuplehash[IP_CT_DIR_REPLY].tuple; 160 + if (tuple->dst.u3.ip == saddr.ip && 161 + tuple->dst.u.all == bpf_htons(sport)) 162 + test_snat_addr = 0; 163 + if (tuple->src.u3.ip == daddr.ip && 164 
+ tuple->src.u.all == bpf_htons(dport)) 165 + test_dnat_addr = 0; 166 + 172 167 /* update ct entry timeout */ 173 168 bpf_ct_change_timeout(ct_lk, 10000); 174 169 test_delta_timeout = ct_lk->timeout - bpf_jiffies64();
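Review bot: Both `bpf_ct_set_nat_info()` calls in the `if (ct)` block discard the return value, so a kfunc failure is only seen indirectly when `test_snat_addr`/`test_dnat_addr` stay at `-EINVAL`, and the real error code is lost. Storing it in its own global, for example `test_snat_err = bpf_ct_set_nat_info(ct, &saddr, sport, NF_NAT_MANIP_SRC);`, and asserting on it from user space would make failures diagnosable. The new locals `sport`, `saddr` and `daddr` shadow the file-scope `__be32 saddr`, `__be16 sport` and `__be32 daddr` shown as context in the second hunk and have different types, so names such as `nat_sport`/`nat_saddr` would be clearer. Taking the NAT address and port from `bpf_get_prandom_u32()` makes a failing run hard to reproduce and admits edge values such as port 0; fixed constants would keep the tuple comparison deterministic. `nf_ct_test` starts and ends outside these hunks, so how the rest of the function uses the shadowed globals is not visible here.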