43d2b88c29
Minimal selftest which implements a small BPF policy program to the connect(2) hook which rejects TCP connection requests to port 60123 with EPERM. This is being attached to a non-root cgroup v2 path. The test asserts that this works under cgroup v2-only and under a mixed cgroup v1/v2 environment where net_classid is set in the former case. Before fix: # ./test_progs -t cgroup_v1v2 test_cgroup_v1v2:PASS:server_fd 0 nsec test_cgroup_v1v2:PASS:client_fd 0 nsec test_cgroup_v1v2:PASS:cgroup_fd 0 nsec test_cgroup_v1v2:PASS:server_fd 0 nsec run_test:PASS:skel_open 0 nsec run_test:PASS:prog_attach 0 nsec test_cgroup_v1v2:PASS:cgroup-v2-only 0 nsec run_test:PASS:skel_open 0 nsec run_test:PASS:prog_attach 0 nsec run_test:PASS:join_classid 0 nsec (network_helpers.c:219: errno: None) Unexpected success to connect to server test_cgroup_v1v2:FAIL:cgroup-v1v2 unexpected error: -1 (errno 0) #27 cgroup_v1v2:FAIL Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED After fix: # ./test_progs -t cgroup_v1v2 #27 cgroup_v1v2:OK Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20210913230759.2313-3-daniel@iogearbox.net
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef __NETWORK_HELPERS_H
#define __NETWORK_HELPERS_H
#include <stdbool.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/types.h>
/* The uapi headers included below use __sum16 in struct iphdr/tcphdr but do
 * not define it for userspace builds, so this typedef must stay ahead of them. */
typedef __u16 __sum16;
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <netinet/tcp.h>
#include <bpf/bpf_endian.h>
/* Constants shared between the helpers and the tests. This header only
 * declares them; the tests that reference them give them meaning. By name,
 * NUM_ITER looks like an iteration count and MAGIC_VAL/MAGIC_BYTES like
 * marker values — confirm against their users before changing any of them. */
#define MAGIC_VAL 0x1234
#define NUM_ITER 100000
#define VIP_NUM 5
#define MAGIC_BYTES 123
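/* Options for connect_to_fd_opts(). Zero-initialize the struct and set only
 * the members a test needs, so that new members keep a neutral default.
 * Uses bool, so the header must pull in <stdbool.h> itself rather than rely
 * on the including translation unit. */
struct network_helper_opts {
	/* presumably a TCP congestion-control name to apply, or NULL — confirm
	 * in network_helpers.c */
	const char *cc;
	/* socket timeout in milliseconds, same unit as settimeo() */
	int timeout_ms;
	/* when set, a successful connect() is reported as an error ("Unexpected
	 * success to connect to server" per the commit message) */
	bool must_fail;
};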
/* ipv4 test vector: an Ethernet frame carrying an IPv4 header and a TCP
 * header laid out back to back. __packed is not defined in this header and
 * must come from an earlier include in the translation unit — verify; it is
 * what keeps the three headers contiguous with no padding between them. */
struct ipv4_packet {
	struct ethhdr eth;
	struct iphdr iph;
	struct tcphdr tcp;
} __packed;
/* Pre-built instance defined in the matching .c file; presumably used as a
 * ready-made input packet by the tests — confirm. */
extern struct ipv4_packet pkt_v4;
/* ipv6 test vector: an Ethernet frame carrying an IPv6 header and a TCP
 * header laid out back to back. As with ipv4_packet, __packed is expected
 * to be provided by an earlier include (not defined here — verify) so the
 * headers stay contiguous with no padding. */
struct ipv6_packet {
	struct ethhdr eth;
	struct ipv6hdr iph;
	struct tcphdr tcp;
} __packed;
/* Pre-built instance defined in the matching .c file; presumably used as a
 * ready-made input packet by the tests — confirm. */
extern struct ipv6_packet pkt_v6;
/* Helpers defined in the matching network_helpers.c. Functions that create
 * a socket return its fd; the failure convention (presumably -1) is not
 * visible from the declarations — check the definitions before relying on it. */

/* Set a timeout of timeout_ms on socket fd (by its name, the send/receive
 * socket timeout — confirm). */
int settimeo(int fd, int timeout_ms);
/* Create a listening socket of the given family/type bound to addr:port,
 * with timeout_ms applied to it. */
int start_server(int family, int type, const char *addr, __u16 port,
		 int timeout_ms);
/* Create nr_listens listening sockets sharing addr_str:port (the name
 * suggests SO_REUSEPORT — confirm). Returns a heap array of fds that the
 * caller releases with free_fds(). */
int *start_reuseport_server(int family, int type, const char *addr_str,
			    __u16 port, int timeout_ms,
			    unsigned int nr_listens);
/* By its parameters: close nr_close_fds descriptors in fds and free the
 * array returned by start_reuseport_server(). */
void free_fds(int *fds, unsigned int nr_close_fds);
/* Create a client socket and connect it to the address server_fd is bound
 * to (by its name — confirm). */
int connect_to_fd(int server_fd, int timeout_ms);
/* Same as connect_to_fd() but driven by opts (timeout_ms, cc, must_fail). */
int connect_to_fd_opts(int server_fd, const struct network_helper_opts *opts);
/* Connect an existing client_fd to the address server_fd is bound to. */
int connect_fd_to_fd(int client_fd, int server_fd, int timeout_ms);
/* Connect to server_fd sending data_len bytes of data with the handshake
 * (TCP Fast Open, by the name — confirm). */
int fastopen_connect(int server_fd, const char *data, unsigned int data_len,
		     int timeout_ms);
/* Fill *addr and *len from family, the textual address addr_str and port. */
int make_sockaddr(int family, const char *addr_str, __u16 port,
		  struct sockaddr_storage *addr, socklen_t *len);
/* Name of the ping command to use for family. Whether the result is a
 * static string or must be freed by the caller is not visible here — check
 * the definition. */
char *ping_command(int family);
#endif