linux/tools/testing/selftests/bpf/prog_tests/ip_check_defrag.c

// SPDX-License-Identifier: GPL-2.0
#include <test_progs.h>
#include <net/if.h>
#include <linux/netfilter.h>
#include <network_helpers.h>
#include "ip_check_defrag.skel.h"
#include "ip_check_defrag_frags.h"

/*
 * This selftest spins up a client and an echo server, each in their own
 * network namespace. The client will send a fragmented message to the server.
 * The prog attached to the server will shoot down any fragments. Thus, if
 * the server is able to correctly echo back the message to the client, we will
 * have verified that netfilter is reassembling packets for us.
 *
 * Topology:
 * =========
 *           NS0         |         NS1
 *                       |
 *         client        |       server
 *       ----------      |     ----------
 *       |  veth0  | --------- |  veth1  |
 *       ----------    peer    ----------
 *                       |
 *                       |       with bpf
 */

#define NS0		"defrag_ns0"
#define NS1		"defrag_ns1"
#define VETH0		"veth0"
#define VETH1		"veth1"
#define VETH0_ADDR	"172.16.1.100"
#define VETH0_ADDR6	"fc00::100"
/* The following constants must stay in sync with `generate_udp_fragments.py` */
#define VETH1_ADDR	"172.16.1.200"
#define VETH1_ADDR6	"fc00::200"
#define CLIENT_PORT	48878
#define SERVER_PORT	48879
#define MAGIC_MESSAGE	"THIS IS THE ORIGINAL MESSAGE, PLEASE REASSEMBLE ME"

static int setup_topology(bool ipv6)
{
	bool up;
	int i;

	SYS(fail, "ip netns add " NS0);
	SYS(fail, "ip netns add " NS1);
	SYS(fail, "ip link add " VETH0 " netns " NS0 " type veth peer name " VETH1 " netns " NS1);
	if (ipv6) {
		SYS(fail, "ip -6 -net " NS0 " addr add " VETH0_ADDR6 "/64 dev " VETH0 " nodad");
		SYS(fail, "ip -6 -net " NS1 " addr add " VETH1_ADDR6 "/64 dev " VETH1 " nodad");
	} else {
		SYS(fail, "ip -net " NS0 " addr add " VETH0_ADDR "/24 dev " VETH0);
		SYS(fail, "ip -net " NS1 " addr add " VETH1_ADDR "/24 dev " VETH1);
	}
	SYS(fail, "ip -net " NS0 " link set dev " VETH0 " up");
	SYS(fail, "ip -net " NS1 " link set dev " VETH1 " up");

	/* Wait for up to 5s for links to come up */
	for (i = 0; i < 5; ++i) {
		if (ipv6)
			up = !SYS_NOFAIL("ip netns exec " NS0 " ping -6 -c 1 -W 1 " VETH1_ADDR6);
		else
			up = !SYS_NOFAIL("ip netns exec " NS0 " ping -c 1 -W 1 " VETH1_ADDR);

		if (up)
			break;
	}

	return 0;
fail:
	return -1;
}

static void cleanup_topology(void)
{
	SYS_NOFAIL("test -f /var/run/netns/" NS0 " && ip netns delete " NS0);
	SYS_NOFAIL("test -f /var/run/netns/" NS1 " && ip netns delete " NS1);
}

static int attach(struct ip_check_defrag *skel, bool ipv6)
{
	LIBBPF_OPTS(bpf_netfilter_opts, opts,
		    .pf = ipv6 ? NFPROTO_IPV6 : NFPROTO_IPV4,
		    .priority = 42,
		    .flags = BPF_F_NETFILTER_IP_DEFRAG);
	struct nstoken *nstoken;
	int err = -1;

	nstoken = open_netns(NS1);
	if (!ASSERT_OK_PTR(nstoken, "setns"))
		goto out;

	skel->links.defrag = bpf_program__attach_netfilter(skel->progs.defrag, &opts);
	if (!ASSERT_OK_PTR(skel->links.defrag, "program attach"))
		goto out;

	err = 0;
out:
	close_netns(nstoken);
	return err;
}

static int send_frags(int client)
{
	struct sockaddr_storage saddr;
	struct sockaddr *saddr_p;
	socklen_t saddr_len;
	int err;

	saddr_p = (struct sockaddr *)&saddr;
	err = make_sockaddr(AF_INET, VETH1_ADDR, SERVER_PORT, &saddr, &saddr_len);
	if (!ASSERT_OK(err, "make_sockaddr"))
		return -1;

	err = sendto(client, frag_0, sizeof(frag_0), 0, saddr_p, saddr_len);
	if (!ASSERT_GE(err, 0, "sendto frag_0"))
		return -1;

	err = sendto(client, frag_1, sizeof(frag_1), 0, saddr_p, saddr_len);
	if (!ASSERT_GE(err, 0, "sendto frag_1"))
		return -1;

	err = sendto(client, frag_2, sizeof(frag_2), 0, saddr_p, saddr_len);
	if (!ASSERT_GE(err, 0, "sendto frag_2"))
		return -1;

	return 0;
}

static int send_frags6(int client)
{
	struct sockaddr_storage saddr;
	struct sockaddr *saddr_p;
	socklen_t saddr_len;
	int err;

	saddr_p = (struct sockaddr *)&saddr;
	/* Port needs to be set to 0 for raw ipv6 socket for some reason */
	err = make_sockaddr(AF_INET6, VETH1_ADDR6, 0, &saddr, &saddr_len);
	if (!ASSERT_OK(err, "make_sockaddr"))
		return -1;

	err = sendto(client, frag6_0, sizeof(frag6_0), 0, saddr_p, saddr_len);
	if (!ASSERT_GE(err, 0, "sendto frag6_0"))
		return -1;

	err = sendto(client, frag6_1, sizeof(frag6_1), 0, saddr_p, saddr_len);
	if (!ASSERT_GE(err, 0, "sendto frag6_1"))
		return -1;

	err = sendto(client, frag6_2, sizeof(frag6_2), 0, saddr_p, saddr_len);
	if (!ASSERT_GE(err, 0, "sendto frag6_2"))
		return -1;

	return 0;
}

void test_bpf_ip_check_defrag_ok(bool ipv6)
{
	int family = ipv6 ? AF_INET6 : AF_INET;
	struct network_helper_opts rx_opts = {
		.timeout_ms = 1000,
	};
	struct network_helper_opts tx_ops = {
		.timeout_ms = 1000,
		.proto = IPPROTO_RAW,
	};
	struct sockaddr_storage caddr;
	struct ip_check_defrag *skel;
	struct nstoken *nstoken;
	int client_tx_fd = -1;
	int client_rx_fd = -1;
	socklen_t caddr_len;
	int srv_fd = -1;
	char buf[1024];
	int len, err;

	skel = ip_check_defrag__open_and_load();
	if (!ASSERT_OK_PTR(skel, "skel_open"))
		return;

	if (!ASSERT_OK(setup_topology(ipv6), "setup_topology"))
		goto out;

	if (!ASSERT_OK(attach(skel, ipv6), "attach"))
		goto out;

	/* Start server in ns1 */
	nstoken = open_netns(NS1);
	if (!ASSERT_OK_PTR(nstoken, "setns ns1"))
		goto out;
	srv_fd = start_server(family, SOCK_DGRAM, NULL, SERVER_PORT, 0);
	close_netns(nstoken);
	if (!ASSERT_GE(srv_fd, 0, "start_server"))
		goto out;

	/* Open tx raw socket in ns0 */
	nstoken = open_netns(NS0);
	if (!ASSERT_OK_PTR(nstoken, "setns ns0"))
		goto out;
	client_tx_fd = client_socket(family, SOCK_RAW, &tx_ops);
	close_netns(nstoken);
	if (!ASSERT_GE(client_tx_fd, 0, "client_socket"))
		goto out;

	/* Open rx socket in ns0 */
	nstoken = open_netns(NS0);
	if (!ASSERT_OK_PTR(nstoken, "setns ns0"))
		goto out;
	client_rx_fd = client_socket(family, SOCK_DGRAM, &rx_opts);
	close_netns(nstoken);
	if (!ASSERT_GE(client_rx_fd, 0, "client_socket"))
		goto out;

	/* Bind rx socket to a premeditated port */
	memset(&caddr, 0, sizeof(caddr));
	nstoken = open_netns(NS0);
	if (!ASSERT_OK_PTR(nstoken, "setns ns0"))
		goto out;
	if (ipv6) {
		struct sockaddr_in6 *c = (struct sockaddr_in6 *)&caddr;

		c->sin6_family = AF_INET6;
		inet_pton(AF_INET6, VETH0_ADDR6, &c->sin6_addr);
		c->sin6_port = htons(CLIENT_PORT);
		err = bind(client_rx_fd, (struct sockaddr *)c, sizeof(*c));
	} else {
		struct sockaddr_in *c = (struct sockaddr_in *)&caddr;

		c->sin_family = AF_INET;
		inet_pton(AF_INET, VETH0_ADDR, &c->sin_addr);
		c->sin_port = htons(CLIENT_PORT);
		err = bind(client_rx_fd, (struct sockaddr *)c, sizeof(*c));
	}
	close_netns(nstoken);
	if (!ASSERT_OK(err, "bind"))
		goto out;

	/* Send message in fragments */
	if (ipv6) {
		if (!ASSERT_OK(send_frags6(client_tx_fd), "send_frags6"))
			goto out;
	} else {
		if (!ASSERT_OK(send_frags(client_tx_fd), "send_frags"))
			goto out;
	}

	if (!ASSERT_EQ(skel->bss->shootdowns, 0, "shootdowns"))
		goto out;

	/* Receive reassembled msg on server and echo back to client */
	caddr_len = sizeof(caddr);
	len = recvfrom(srv_fd, buf, sizeof(buf), 0, (struct sockaddr *)&caddr, &caddr_len);
	if (!ASSERT_GE(len, 0, "server recvfrom"))
		goto out;
	len = sendto(srv_fd, buf, len, 0, (struct sockaddr *)&caddr, caddr_len);
	if (!ASSERT_GE(len, 0, "server sendto"))
		goto out;

	/* Expect reassembed message to be echoed back */
	len = recvfrom(client_rx_fd, buf, sizeof(buf), 0, NULL, NULL);
	if (!ASSERT_EQ(len, sizeof(MAGIC_MESSAGE) - 1, "client short read"))
		goto out;

out:
	if (client_rx_fd != -1)
		close(client_rx_fd);
	if (client_tx_fd != -1)
		close(client_tx_fd);
	if (srv_fd != -1)
		close(srv_fd);
	cleanup_topology();
	ip_check_defrag__destroy(skel);
}

void test_bpf_ip_check_defrag(void)
{
	if (test__start_subtest("v4"))
		test_bpf_ip_check_defrag_ok(false);
	if (test__start_subtest("v6"))
		test_bpf_ip_check_defrag_ok(true);
}