mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-11 21:14:07 +08:00
selftests/bpf: add test for bpf_tcp_gen_syncookie
Modify the existing bpf_tcp_check_syncookie test to also generate a SYN cookie, pass the packet to the kernel, and verify that the two cookies are the same (and both valid). Since cloned SKBs are skipped during generic XDP, this test does not issue a SYN cookie when run in XDP mode. We therefore only check that a valid SYN cookie was issued at the TC hook. Additionally, verify that the MSS for that SYN cookie is within expected range. Signed-off-by: Petar Penkov <ppenkov@google.com> Reviewed-by: Lorenz Bauer <lmb@cloudflare.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
This commit is contained in:
parent
637f71c09b
commit
91bc35789d
@ -19,10 +19,29 @@
|
|||||||
struct bpf_map_def SEC("maps") results = {
|
struct bpf_map_def SEC("maps") results = {
|
||||||
.type = BPF_MAP_TYPE_ARRAY,
|
.type = BPF_MAP_TYPE_ARRAY,
|
||||||
.key_size = sizeof(__u32),
|
.key_size = sizeof(__u32),
|
||||||
.value_size = sizeof(__u64),
|
.value_size = sizeof(__u32),
|
||||||
.max_entries = 1,
|
.max_entries = 3,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
static __always_inline __s64 gen_syncookie(void *data_end, struct bpf_sock *sk,
|
||||||
|
void *iph, __u32 ip_size,
|
||||||
|
struct tcphdr *tcph)
|
||||||
|
{
|
||||||
|
__u32 thlen = tcph->doff * 4;
|
||||||
|
|
||||||
|
if (tcph->syn && !tcph->ack) {
|
||||||
|
// packet should only have an MSS option
|
||||||
|
if (thlen != 24)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if ((void *)tcph + thlen > data_end)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
return bpf_tcp_gen_syncookie(sk, iph, ip_size, tcph, thlen);
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static __always_inline void check_syncookie(void *ctx, void *data,
|
static __always_inline void check_syncookie(void *ctx, void *data,
|
||||||
void *data_end)
|
void *data_end)
|
||||||
{
|
{
|
||||||
@ -33,8 +52,10 @@ static __always_inline void check_syncookie(void *ctx, void *data,
|
|||||||
struct ipv6hdr *ipv6h;
|
struct ipv6hdr *ipv6h;
|
||||||
struct tcphdr *tcph;
|
struct tcphdr *tcph;
|
||||||
int ret;
|
int ret;
|
||||||
|
__u32 key_mss = 2;
|
||||||
|
__u32 key_gen = 1;
|
||||||
__u32 key = 0;
|
__u32 key = 0;
|
||||||
__u64 value = 1;
|
__s64 seq_mss;
|
||||||
|
|
||||||
ethh = data;
|
ethh = data;
|
||||||
if (ethh + 1 > data_end)
|
if (ethh + 1 > data_end)
|
||||||
@ -66,6 +87,9 @@ static __always_inline void check_syncookie(void *ctx, void *data,
|
|||||||
if (sk->state != BPF_TCP_LISTEN)
|
if (sk->state != BPF_TCP_LISTEN)
|
||||||
goto release;
|
goto release;
|
||||||
|
|
||||||
|
seq_mss = gen_syncookie(data_end, sk, ipv4h, sizeof(*ipv4h),
|
||||||
|
tcph);
|
||||||
|
|
||||||
ret = bpf_tcp_check_syncookie(sk, ipv4h, sizeof(*ipv4h),
|
ret = bpf_tcp_check_syncookie(sk, ipv4h, sizeof(*ipv4h),
|
||||||
tcph, sizeof(*tcph));
|
tcph, sizeof(*tcph));
|
||||||
break;
|
break;
|
||||||
@ -95,6 +119,9 @@ static __always_inline void check_syncookie(void *ctx, void *data,
|
|||||||
if (sk->state != BPF_TCP_LISTEN)
|
if (sk->state != BPF_TCP_LISTEN)
|
||||||
goto release;
|
goto release;
|
||||||
|
|
||||||
|
seq_mss = gen_syncookie(data_end, sk, ipv6h, sizeof(*ipv6h),
|
||||||
|
tcph);
|
||||||
|
|
||||||
ret = bpf_tcp_check_syncookie(sk, ipv6h, sizeof(*ipv6h),
|
ret = bpf_tcp_check_syncookie(sk, ipv6h, sizeof(*ipv6h),
|
||||||
tcph, sizeof(*tcph));
|
tcph, sizeof(*tcph));
|
||||||
break;
|
break;
|
||||||
@ -103,8 +130,19 @@ static __always_inline void check_syncookie(void *ctx, void *data,
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ret == 0)
|
if (seq_mss > 0) {
|
||||||
bpf_map_update_elem(&results, &key, &value, 0);
|
__u32 cookie = (__u32)seq_mss;
|
||||||
|
__u32 mss = seq_mss >> 32;
|
||||||
|
|
||||||
|
bpf_map_update_elem(&results, &key_gen, &cookie, 0);
|
||||||
|
bpf_map_update_elem(&results, &key_mss, &mss, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ret == 0) {
|
||||||
|
__u32 cookie = bpf_ntohl(tcph->ack_seq) - 1;
|
||||||
|
|
||||||
|
bpf_map_update_elem(&results, &key, &cookie, 0);
|
||||||
|
}
|
||||||
|
|
||||||
release:
|
release:
|
||||||
bpf_sk_release(sk);
|
bpf_sk_release(sk);
|
||||||
|
@ -37,6 +37,9 @@ setup()
|
|||||||
ns1_exec ip link set lo up
|
ns1_exec ip link set lo up
|
||||||
|
|
||||||
ns1_exec sysctl -w net.ipv4.tcp_syncookies=2
|
ns1_exec sysctl -w net.ipv4.tcp_syncookies=2
|
||||||
|
ns1_exec sysctl -w net.ipv4.tcp_window_scaling=0
|
||||||
|
ns1_exec sysctl -w net.ipv4.tcp_timestamps=0
|
||||||
|
ns1_exec sysctl -w net.ipv4.tcp_sack=0
|
||||||
|
|
||||||
wait_for_ip 127.0.0.1
|
wait_for_ip 127.0.0.1
|
||||||
wait_for_ip ::1
|
wait_for_ip ::1
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
// Copyright (c) 2018 Facebook
|
// Copyright (c) 2018 Facebook
|
||||||
// Copyright (c) 2019 Cloudflare
|
// Copyright (c) 2019 Cloudflare
|
||||||
|
|
||||||
|
#include <limits.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
@ -77,7 +78,7 @@ out:
|
|||||||
return fd;
|
return fd;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int get_map_fd_by_prog_id(int prog_id)
|
static int get_map_fd_by_prog_id(int prog_id, bool *xdp)
|
||||||
{
|
{
|
||||||
struct bpf_prog_info info = {};
|
struct bpf_prog_info info = {};
|
||||||
__u32 info_len = sizeof(info);
|
__u32 info_len = sizeof(info);
|
||||||
@ -104,6 +105,8 @@ static int get_map_fd_by_prog_id(int prog_id)
|
|||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
*xdp = info.type == BPF_PROG_TYPE_XDP;
|
||||||
|
|
||||||
map_fd = bpf_map_get_fd_by_id(map_ids[0]);
|
map_fd = bpf_map_get_fd_by_id(map_ids[0]);
|
||||||
if (map_fd < 0)
|
if (map_fd < 0)
|
||||||
log_err("Failed to get fd by map id %d", map_ids[0]);
|
log_err("Failed to get fd by map id %d", map_ids[0]);
|
||||||
@ -113,18 +116,32 @@ err:
|
|||||||
return map_fd;
|
return map_fd;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int run_test(int server_fd, int results_fd)
|
static int run_test(int server_fd, int results_fd, bool xdp)
|
||||||
{
|
{
|
||||||
int client = -1, srv_client = -1;
|
int client = -1, srv_client = -1;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
__u32 key = 0;
|
__u32 key = 0;
|
||||||
__u64 value = 0;
|
__u32 key_gen = 1;
|
||||||
|
__u32 key_mss = 2;
|
||||||
|
__u32 value = 0;
|
||||||
|
__u32 value_gen = 0;
|
||||||
|
__u32 value_mss = 0;
|
||||||
|
|
||||||
if (bpf_map_update_elem(results_fd, &key, &value, 0) < 0) {
|
if (bpf_map_update_elem(results_fd, &key, &value, 0) < 0) {
|
||||||
log_err("Can't clear results");
|
log_err("Can't clear results");
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (bpf_map_update_elem(results_fd, &key_gen, &value_gen, 0) < 0) {
|
||||||
|
log_err("Can't clear results");
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (bpf_map_update_elem(results_fd, &key_mss, &value_mss, 0) < 0) {
|
||||||
|
log_err("Can't clear results");
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
client = connect_to_server(server_fd);
|
client = connect_to_server(server_fd);
|
||||||
if (client == -1)
|
if (client == -1)
|
||||||
goto err;
|
goto err;
|
||||||
@ -140,8 +157,35 @@ static int run_test(int server_fd, int results_fd)
|
|||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (value != 1) {
|
if (value == 0) {
|
||||||
log_err("Didn't match syncookie: %llu", value);
|
log_err("Didn't match syncookie: %u", value);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (bpf_map_lookup_elem(results_fd, &key_gen, &value_gen) < 0) {
|
||||||
|
log_err("Can't lookup result");
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (xdp && value_gen == 0) {
|
||||||
|
// SYN packets do not get passed through generic XDP, skip the
|
||||||
|
// rest of the test.
|
||||||
|
printf("Skipping XDP cookie check\n");
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (bpf_map_lookup_elem(results_fd, &key_mss, &value_mss) < 0) {
|
||||||
|
log_err("Can't lookup result");
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (value != value_gen) {
|
||||||
|
log_err("BPF generated cookie does not match kernel one");
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (value_mss < 536 || value_mss > USHRT_MAX) {
|
||||||
|
log_err("Unexpected MSS retrieved");
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -163,13 +207,14 @@ int main(int argc, char **argv)
|
|||||||
int server_v6 = -1;
|
int server_v6 = -1;
|
||||||
int results = -1;
|
int results = -1;
|
||||||
int err = 0;
|
int err = 0;
|
||||||
|
bool xdp;
|
||||||
|
|
||||||
if (argc < 2) {
|
if (argc < 2) {
|
||||||
fprintf(stderr, "Usage: %s prog_id\n", argv[0]);
|
fprintf(stderr, "Usage: %s prog_id\n", argv[0]);
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
results = get_map_fd_by_prog_id(atoi(argv[1]));
|
results = get_map_fd_by_prog_id(atoi(argv[1]), &xdp);
|
||||||
if (results < 0) {
|
if (results < 0) {
|
||||||
log_err("Can't get map");
|
log_err("Can't get map");
|
||||||
goto err;
|
goto err;
|
||||||
@ -194,10 +239,10 @@ int main(int argc, char **argv)
|
|||||||
if (server_v6 == -1)
|
if (server_v6 == -1)
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
if (run_test(server, results))
|
if (run_test(server, results, xdp))
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
if (run_test(server_v6, results))
|
if (run_test(server_v6, results, xdp))
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
printf("ok\n");
|
printf("ok\n");
|
||||||
|
Loading…
Reference in New Issue
Block a user