diff --git a/.github/workflows/selftests.yml b/.github/workflows/selftests.yml index 0b29d153..cda46f3d 100644 --- a/.github/workflows/selftests.yml +++ b/.github/workflows/selftests.yml @@ -42,7 +42,7 @@ jobs: - name: Prepare packages run: | sudo apt-get update - sudo apt-get install zstd binutils-dev elfutils libpcap-dev libelf-dev gcc-multilib pkg-config wireshark tshark bpfcc-tools python3 python3-pip python3-setuptools qemu-kvm rpm2cpio libdw-dev libdwarf-dev libcap-ng-dev + sudo apt-get install zstd binutils-dev elfutils libpcap-dev libelf-dev gcc-multilib pkg-config wireshark tshark bpfcc-tools python3 python3-pip python3-setuptools qemu-kvm rpm2cpio libdw-dev libdwarf-dev libcap-ng-dev socat - name: Prepare Clang run: | wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add - diff --git a/lib/testing/test_runner.sh b/lib/testing/test_runner.sh index 8805e38f..90c7cda7 100755 --- a/lib/testing/test_runner.sh +++ b/lib/testing/test_runner.sh @@ -25,7 +25,7 @@ ALL_TESTS="" VERBOSE_TESTS=${V:-0} NUM_NS=2 -NEEDED_TOOLS="capinfos ethtool ip ping sed tc tcpdump timeout nc tshark" +NEEDED_TOOLS="capinfos ethtool ip ping sed tc tcpdump timeout nc tshark nft socat" if [ -f "$TEST_CONFIG" ]; then source "$TEST_CONFIG" diff --git a/xdp-forward/tests/test-xdp-forward.sh b/xdp-forward/tests/test-xdp-forward.sh index 2a6988e8..f3a4b080 100644 --- a/xdp-forward/tests/test-xdp-forward.sh +++ b/xdp-forward/tests/test-xdp-forward.sh @@ -1,7 +1,6 @@ XDP_LOADER=${XDP_LOADER:-./xdp-loader} XDP_FORWARD=${XDP_FORWARD:-./xdp-forward} -ALL_TESTS="test_ping test_load test_fwd_full test_fwd_direct" - +ALL_TESTS="test_ping test_load test_fwd_full test_fwd_direct test_flowtable" test_ping() { 
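Review bot: `nft` is added to NEEDED_TOOLS in lib/testing/test_runner.sh, but the workflow's `apt-get install` line only gains `socat`, so unless the runner image already ships nftables the CI job lacks a tool the runner now declares as needed. Adding `nftables` to that package list would make the dependency explicit. NEEDED_TOOLS is also shared by every test suite that uses this runner, and how the list is enforced is not visible here, so hosts without nft or socat may be affected for tests unrelated to test_flowtable. A tool check inside test_flowtable itself would keep the requirement local to the one test that needs it.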
@@ -52,8 +51,89 @@ test_fwd_direct() check_run $XDP_FORWARD unload ${NS_NAMES[@]} } +test_flowtable() +{ + local INPUT_FILE="${STATEDIR}/in_$$_$RANDOM" + + # veth NAPI GRO support added this symbol; forwarding won't work without it + skip_if_missing_kernel_symbol veth_set_features + + # disable {tx,rx} checksum offload since it is not currently suported + # by XDP_REDIRECT + for n in ${NS_NAMES[@]}; do + ip netns exec $n ethtool -K veth0 tx-checksumming off rx-checksumming off + ethtool -K $n tx-checksumming off rx-checksumming off + done + + # create data to send via tcp + dd if=/dev/urandom of="${INPUT_FILE}" bs=8192 count=32 status=none + + # create flowtable configuration in the main namespace + check_run nft -f /dev/stdin < in pre-routing chain + chain prerouting { + type nat hook prerouting priority filter; policy accept; + iifname == "${NS_NAMES[0]}" meta nfproto ipv4 tcp dport 12345 dnat ip to ${ALL_INSIDE_IP4[-1]}:10000 + iifname == "${NS_NAMES[0]}" meta nfproto ipv6 tcp dport 12345 dnat ip6 to [${ALL_INSIDE_IP6[-1]}]:10000 + } + # enable SNAT of the client ip via masquerading in post-routing chain + chain postrouting { + type nat hook postrouting priority filter; policy accept; + oifname "${NS_NAMES[-1]}" masquerade + } +} +table inet filter { + flowtable ft { + hook ingress priority filter + devices = { ${NS_NAMES[0]}, ${NS_NAMES[-1]} } + } + chain forward { + type filter hook forward priority filter + meta l4proto { tcp } flow add @ft + } +} +EOF + + # check if bpf flowtable lookup is available + skip_if_missing_kernel_symbol bpf_xdp_flow_lookup + + # Add some nft rules to check {dnat/snat} is done properly in + # the main namespace + check_run ip netns exec ${NS_NAMES[-1]} nft -f /dev/stdin </dev/null 2>&1 - $XDP_LOADER unload $NS --all >/dev/null 2>&1 + # enable {tx,rx} checksum offload + for n in ${NS_NAMES[@]}; do + ip netns exec $n ethtool -K veth0 tx-checksumming on rx-checksumming on + ethtool -K $n tx-checksumming on rx-checksumming on + done 
>/dev/null 2>&1 + { + $XDP_FORWARD unload ${NS_NAMES[@]} + $XDP_LOADER unload $NS --all + check_run ip netns exec ${NS_NAMES[-1]} nft flush ruleset + check_run nft flush ruleset + } >/dev/null 2>&1 }
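Review bot: `check_run nft flush ruleset` in the cleanup block runs in the main namespace and removes every nftables table on the host, not only the ones test_flowtable loads, so running the selftests on a machine with a live firewall leaves it with no filtering rules. The flush inside `ip netns exec ${NS_NAMES[-1]}` is fine because that namespace belongs to the test. On the host side, load the test rules under a test-specific table name (for example `table inet xdp_fwd_test`, a constructed name) and remove only that in cleanup with `nft delete table inet xdp_fwd_test`, without `check_run` since the table exists only after test_flowtable. As written, `table inet filter` would also merge into any existing host table of that name. Part of this hunk, including the start of the cleanup function, is missing from the page, so this assumes the block runs after every test.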