selftests/bpf: Use SOCKMAP for server sockets in bpf_sk_assign test

Update bpf_sk_assign test to fetch the server socket from SOCKMAP, now that
map lookup from BPF in SOCKMAP is enabled. This way the test TC BPF program
doesn't need to know what address server socket is bound to.

Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20200429181154.479310-4-jakub@cloudflare.com

diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index 10f12a5aac20d02ef07aa833444e2f968b5f60aa..3d942be23d09c2b946d807decb3bcc581c6076f0 100644 (file)
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -243,7 +243,7 @@ define GCC_BPF_BUILD_RULE
        $(BPF_GCC) $3 $4 -O2 -c $1 -o $2
 endef
 
-SKEL_BLACKLIST := btf__% test_pinning_invalid.c
+SKEL_BLACKLIST := btf__% test_pinning_invalid.c test_sk_assign.c
 
 # Set up extra TRUNNER_XXX "temporary" variables in the environment (relies on
 # $eval()) and pass control to DEFINE_TEST_RUNNER_RULES.

diff --git a/tools/testing/selftests/bpf/prog_tests/sk_assign.c b/tools/testing/selftests/bpf/prog_tests/sk_assign.c
index d572e1a2c297a0c40eca36f0cc9c4715b8db75f1..47fa04adc1471f7218265a877fd67d74429fdca4 100644 (file)
--- a/tools/testing/selftests/bpf/prog_tests/sk_assign.c
+++ b/tools/testing/selftests/bpf/prog_tests/sk_assign.c
@@ -20,6 +20,7 @@
 #define CONNECT_PORT 4321
 #define TEST_DADDR (0xC0A80203)
 #define NS_SELF "/proc/self/ns/net"
+#define SERVER_MAP_PATH "/sys/fs/bpf/tc/globals/server_map"
 
 static const struct timeval timeo_sec = { .tv_sec = 3 };
 static const size_t timeo_optlen = sizeof(timeo_sec);
@@ -265,6 +266,7 @@ void test_sk_assign(void)
                TEST("ipv6 udp addr redir", AF_INET6, SOCK_DGRAM, true),
        };
        int server = -1;
+       int server_map;
        int self_net;
 
        self_net = open(NS_SELF, O_RDONLY);
@@ -278,9 +280,17 @@ void test_sk_assign(void)
                goto cleanup;
        }
 
+       server_map = bpf_obj_get(SERVER_MAP_PATH);
+       if (CHECK_FAIL(server_map < 0)) {
+               perror("Unable to open " SERVER_MAP_PATH);
+               goto cleanup;
+       }
+
        for (int i = 0; i < ARRAY_SIZE(tests) && !READ_ONCE(stop); i++) {
                struct test_sk_cfg *test = &tests[i];
                const struct sockaddr *addr;
+               const int zero = 0;
+               int err;
 
                if (!test__start_subtest(test->name))
                        continue;
@@ -288,7 +298,13 @@ void test_sk_assign(void)
                addr = (const struct sockaddr *)test->addr;
                server = start_server(addr, test->len, test->type);
                if (server == -1)
-                       goto cleanup;
+                       goto close;
+
+               err = bpf_map_update_elem(server_map, &zero, &server, BPF_ANY);
+               if (CHECK_FAIL(err)) {
+                       perror("Unable to update server_map");
+                       goto close;
+               }
 
                /* connect to unbound ports */
                prepare_addr(test->addr, test->family, CONNECT_PORT,
@@ -302,7 +318,10 @@ void test_sk_assign(void)
 
 close:
        close(server);
+       close(server_map);
 cleanup:
+       if (CHECK_FAIL(unlink(SERVER_MAP_PATH)))
+               perror("Unable to unlink " SERVER_MAP_PATH);
        if (CHECK_FAIL(setns(self_net, CLONE_NEWNET)))
                perror("Failed to setns("NS_SELF")");
        close(self_net);

diff --git a/tools/testing/selftests/bpf/progs/test_sk_assign.c b/tools/testing/selftests/bpf/progs/test_sk_assign.c
index 8f530843b4da8564898ec68e7246a61ce219533a..1ecd987005d2c8d0a3841c05e3de631f4e7bf0a5 100644 (file)
--- a/tools/testing/selftests/bpf/progs/test_sk_assign.c
+++ b/tools/testing/selftests/bpf/progs/test_sk_assign.c
@@ -16,6 +16,26 @@
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_endian.h>
 
+/* Pin map under /sys/fs/bpf/tc/globals/<map name> */
+#define PIN_GLOBAL_NS 2
+
+/* Must match struct bpf_elf_map layout from iproute2 */
+struct {
+       __u32 type;
+       __u32 size_key;
+       __u32 size_value;
+       __u32 max_elem;
+       __u32 flags;
+       __u32 id;
+       __u32 pinning;
+} server_map SEC("maps") = {
+       .type = BPF_MAP_TYPE_SOCKMAP,
+       .size_key = sizeof(int),
+       .size_value  = sizeof(__u64),
+       .max_elem = 1,
+       .pinning = PIN_GLOBAL_NS,
+};
+
 int _version SEC("version") = 1;
 char _license[] SEC("license") = "GPL";
 
@@ -72,7 +92,9 @@ handle_udp(struct __sk_buff *skb, struct bpf_sock_tuple *tuple, bool ipv4)
 {
        struct bpf_sock_tuple ln = {0};
        struct bpf_sock *sk;
+       const int zero = 0;
        size_t tuple_len;
+       __be16 dport;
        int ret;
 
        tuple_len = ipv4 ? sizeof(tuple->ipv4) : sizeof(tuple->ipv6);
@@ -83,32 +105,11 @@ handle_udp(struct __sk_buff *skb, struct bpf_sock_tuple *tuple, bool ipv4)
        if (sk)
                goto assign;
 
-       if (ipv4) {
-               if (tuple->ipv4.dport != bpf_htons(4321))
-                       return TC_ACT_OK;
-
-               ln.ipv4.daddr = bpf_htonl(0x7f000001);
-               ln.ipv4.dport = bpf_htons(1234);
-
-               sk = bpf_sk_lookup_udp(skb, &ln, sizeof(ln.ipv4),
-                                       BPF_F_CURRENT_NETNS, 0);
-       } else {
-               if (tuple->ipv6.dport != bpf_htons(4321))
-                       return TC_ACT_OK;
-
-               /* Upper parts of daddr are already zero. */
-               ln.ipv6.daddr[3] = bpf_htonl(0x1);
-               ln.ipv6.dport = bpf_htons(1234);
-
-               sk = bpf_sk_lookup_udp(skb, &ln, sizeof(ln.ipv6),
-                                       BPF_F_CURRENT_NETNS, 0);
-       }
+       dport = ipv4 ? tuple->ipv4.dport : tuple->ipv6.dport;
+       if (dport != bpf_htons(4321))
+               return TC_ACT_OK;
 
-       /* workaround: We can't do a single socket lookup here, because then
-        * the compiler will likely spill tuple_len to the stack. This makes it
-        * lose all bounds information in the verifier, which then rejects the
-        * call as unsafe.
-        */
+       sk = bpf_map_lookup_elem(&server_map, &zero);
        if (!sk)
                return TC_ACT_SHOT;
 
@@ -123,7 +124,9 @@ handle_tcp(struct __sk_buff *skb, struct bpf_sock_tuple *tuple, bool ipv4)
 {
        struct bpf_sock_tuple ln = {0};
        struct bpf_sock *sk;
+       const int zero = 0;
        size_t tuple_len;
+       __be16 dport;
        int ret;
 
        tuple_len = ipv4 ? sizeof(tuple->ipv4) : sizeof(tuple->ipv6);
@@ -137,32 +140,11 @@ handle_tcp(struct __sk_buff *skb, struct bpf_sock_tuple *tuple, bool ipv4)
                bpf_sk_release(sk);
        }
 
-       if (ipv4) {
-               if (tuple->ipv4.dport != bpf_htons(4321))
-                       return TC_ACT_OK;
+       dport = ipv4 ? tuple->ipv4.dport : tuple->ipv6.dport;
+       if (dport != bpf_htons(4321))
+               return TC_ACT_OK;
 
-               ln.ipv4.daddr = bpf_htonl(0x7f000001);
-               ln.ipv4.dport = bpf_htons(1234);
-
-               sk = bpf_skc_lookup_tcp(skb, &ln, sizeof(ln.ipv4),
-                                       BPF_F_CURRENT_NETNS, 0);
-       } else {
-               if (tuple->ipv6.dport != bpf_htons(4321))
-                       return TC_ACT_OK;
-
-               /* Upper parts of daddr are already zero. */
-               ln.ipv6.daddr[3] = bpf_htonl(0x1);
-               ln.ipv6.dport = bpf_htons(1234);
-
-               sk = bpf_skc_lookup_tcp(skb, &ln, sizeof(ln.ipv6),
-                                       BPF_F_CURRENT_NETNS, 0);
-       }
-
-       /* workaround: We can't do a single socket lookup here, because then
-        * the compiler will likely spill tuple_len to the stack. This makes it
-        * lose all bounds information in the verifier, which then rejects the
-        * call as unsafe.
-        */
+       sk = bpf_map_lookup_elem(&server_map, &zero);
        if (!sk)
                return TC_ACT_SHOT;