[RFC bpf-next 6/6] bpf: xfrm: Add selftest for bpf_xdp_get_xfrm_state()

Fri, 27 Oct 2023 11:55:55 -0700 

This commit extends test_tunnel selftest to test the new XDP xfrm state
lookup kfunc.

Signed-off-by: Daniel Xu <d...@dxuuu.xyz>
---
 .../selftests/bpf/progs/test_tunnel_kern.c    | 46 +++++++++++++++++++
 tools/testing/selftests/bpf/test_tunnel.sh    | 12 +++--
 2 files changed, 54 insertions(+), 4 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c 
b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
index ec7e04e012ae..f5f6a18ac0f1 100644
--- a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
+++ b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
@@ -35,6 +35,9 @@ int bpf_skb_set_fou_encap(struct __sk_buff *skb_ctx,
                          struct bpf_fou_encap *encap, int type) __ksym;
 int bpf_skb_get_fou_encap(struct __sk_buff *skb_ctx,
                          struct bpf_fou_encap *encap) __ksym;
+struct xfrm_state *
+bpf_xdp_get_xfrm_state(struct xdp_md *ctx, struct bpf_xfrm_state_opts *opts,
+                      u32 opts__sz) __ksym;
 
 struct {
        __uint(type, BPF_MAP_TYPE_ARRAY);
@@ -948,4 +951,47 @@ int xfrm_get_state(struct __sk_buff *skb)
        return TC_ACT_OK;
 }
 
+SEC("xdp")
+int xfrm_get_state_xdp(struct xdp_md *xdp)
+{
+       struct bpf_xfrm_state_opts opts = {};
+       struct ip_esp_hdr *esph;
+       struct bpf_dynptr ptr;
+       struct xfrm_state *x;
+       u8 esph_buf[8] = {};
+       u8 iph_buf[20] = {};
+       struct iphdr *iph;
+       u32 off;
+
+       if (bpf_dynptr_from_xdp(xdp, 0, &ptr))
+               goto out;
+
+       off = sizeof(struct ethhdr);
+       iph = bpf_dynptr_slice(&ptr, off, iph_buf, sizeof(iph_buf));
+       if (!iph || iph->protocol != IPPROTO_ESP)
+               goto out;
+
+       off += sizeof(struct iphdr);
+       esph = bpf_dynptr_slice(&ptr, off, esph_buf, sizeof(esph_buf));
+       if (!esph)
+               goto out;
+
+       opts.netns_id = BPF_F_CURRENT_NETNS,
+       opts.daddr.a4 = iph->daddr;
+       opts.spi = esph->spi;
+       opts.proto = IPPROTO_ESP;
+       opts.family = AF_INET;
+
+       x = bpf_xdp_get_xfrm_state(xdp, &opts, sizeof(opts));
+       if (!x || opts.error)
+               goto out;
+
+       if (!x->replay_esn)
+               goto out;
+
+       bpf_printk("replay-window %d\n", x->replay_esn->replay_window);
+out:
+       return XDP_PASS;
+}
+
 char _license[] SEC("license") = "GPL";
diff --git a/tools/testing/selftests/bpf/test_tunnel.sh 
b/tools/testing/selftests/bpf/test_tunnel.sh
index dd3c79129e87..17d263681c71 100755
--- a/tools/testing/selftests/bpf/test_tunnel.sh
+++ b/tools/testing/selftests/bpf/test_tunnel.sh
@@ -528,7 +528,7 @@ setup_xfrm_tunnel()
        # at_ns0 -> root
        ip netns exec at_ns0 \
                ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \
-                       spi $spi_in_to_out reqid 1 mode tunnel \
+                       spi $spi_in_to_out reqid 1 mode tunnel replay-window 42 
\
                        auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
        ip netns exec at_ns0 \
                ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir out \
@@ -537,7 +537,7 @@ setup_xfrm_tunnel()
        # root -> at_ns0
        ip netns exec at_ns0 \
                ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \
-                       spi $spi_out_to_in reqid 2 mode tunnel \
+                       spi $spi_out_to_in reqid 2 mode tunnel replay-window 42 
\
                        auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
        ip netns exec at_ns0 \
                ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir in \
@@ -553,14 +553,14 @@ setup_xfrm_tunnel()
        # root namespace
        # at_ns0 -> root
        ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \
-               spi $spi_in_to_out reqid 1 mode tunnel \
+               spi $spi_in_to_out reqid 1 mode tunnel replay-window 42 \
                auth-trunc 'hmac(sha1)' $auth 96  enc 'cbc(aes)' $enc
        ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir in \
                tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \
                mode tunnel
        # root -> at_ns0
        ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \
-               spi $spi_out_to_in reqid 2 mode tunnel \
+               spi $spi_out_to_in reqid 2 mode tunnel replay-window 42 \
                auth-trunc 'hmac(sha1)' $auth 96  enc 'cbc(aes)' $enc
        ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir out \
                tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \
@@ -585,6 +585,8 @@ test_xfrm_tunnel()
        tc qdisc add dev veth1 clsact
        tc filter add dev veth1 proto ip ingress bpf da object-pinned \
                ${BPF_PIN_TUNNEL_DIR}/xfrm_get_state
+       ip link set dev veth1 xdpdrv pinned \
+               ${BPF_PIN_TUNNEL_DIR}/xfrm_get_state_xdp
        ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
        sleep 1
        grep "reqid 1" ${TRACE}
@@ -593,6 +595,8 @@ test_xfrm_tunnel()
        check_err $?
        grep "remote ip 0xac100164" ${TRACE}
        check_err $?
+       grep "replay-window 42" ${TRACE}
+       check_err $?
        cleanup
 
        if [ $ret -ne 0 ]; then
-- 
2.42.0

Reply via email to