1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
|
package overlay
import (
"bytes"
"encoding/binary"
"errors"
"fmt"
"net"
"net/netip"
"testing"
"time"
"golang.org/x/net/bpf"
"golang.org/x/net/ipv4"
"golang.org/x/sys/unix"
)
func TestVNIMatchBPF(t *testing.T) {
// The BPF filter program under test uses Linux extensions which are not
// emulated by any user-space BPF interpreters. It is also classic BPF,
// which cannot be tested in-kernel using the bpf(BPF_PROG_RUN) syscall.
// The best we can do without actually programming it into an iptables
// rule and end-to-end testing it is to attach it as a socket filter to
// a raw socket and test which loopback packets make it through.
//
// Modern kernels transpile cBPF programs into eBPF for execution, so a
// possible future direction would be to extract the transpiler and
// convert the program under test to eBPF so it could be loaded and run
// using the bpf(2) syscall.
// https://elixir.bootlin.com/linux/v6.2/source/net/core/filter.c#L559
// Though the effort would be better spent on adding nftables support to
// libnetwork so this whole BPF program could be replaced with a native
// nftables '@th' match expression.
//
// The filter could be manually e2e-tested for both IPv4 and IPv6 by
// programming ip[6]tables rules which log matching packets and sending
// test packets loopback using netcat. All the necessary information
// (bytecode and an acceptable test vector) is logged by this test.
//
// $ sudo ip6tables -A INPUT -p udp -s ::1 -d ::1 -m bpf \
// --bytecode "${bpf_program_under_test}" \
// -j LOG --log-prefix '[IPv6 VNI match]:'
// $ <<<"${udp_payload_hexdump}" xxd -r -p | nc -u -6 localhost 30000
// $ sudo dmesg
loopback := net.IPv4(127, 0, 0, 1)
// Reserve an ephemeral UDP port for loopback testing.
// Binding to a TUN device would be more hermetic, but is much more effort to set up.
reservation, err := net.ListenUDP("udp", &net.UDPAddr{IP: loopback, Port: 0})
if err != nil {
t.Fatal(err)
}
defer reservation.Close()
daddr := reservation.LocalAddr().(*net.UDPAddr).AddrPort()
sender, err := net.DialUDP("udp", nil, reservation.LocalAddr().(*net.UDPAddr))
if err != nil {
t.Fatal(err)
}
defer sender.Close()
saddr := sender.LocalAddr().(*net.UDPAddr).AddrPort()
// There doesn't seem to be a way to receive the entire Layer-3 IPv6
// packet including the fixed IP header using the portable raw sockets
// API. That can only be done from an AF_PACKET socket, and it is
// unclear whether 'ld poff' would behave the same in a BPF program
// attached to such a socket as in an xt_bpf match.
c, err := net.ListenIP("ip4:udp", &net.IPAddr{IP: loopback})
if err != nil {
if errors.Is(err, unix.EPERM) {
t.Skip("test requires CAP_NET_RAW")
}
t.Fatal(err)
}
defer c.Close()
pc := ipv4.NewPacketConn(c)
testvectors := []uint32{
0,
1,
0x08,
42,
0x80,
0xfe,
0xff,
0x100,
0xfff, // 4095
0x1000, // 4096
0x1001,
0x10000,
0xfffffe,
0xffffff, // Max VNI
}
for _, vni := range []uint32{1, 42, 0x100, 0x1000, 0xfffffe, 0xffffff} {
t.Run(fmt.Sprintf("vni=%d", vni), func(t *testing.T) {
setBPF(t, pc, vniMatchBPF(vni))
for _, v := range testvectors {
pkt := appendVXLANHeader(nil, v)
pkt = append(pkt, []byte{0xde, 0xad, 0xbe, 0xef}...)
if _, err := sender.Write(pkt); err != nil {
t.Fatal(err)
}
rpkt, ok := readUDPPacketFromRawSocket(t, pc, saddr, daddr)
// Sanity check: the only packets readUDPPacketFromRawSocket
// should return are ones we sent.
if ok && !bytes.Equal(pkt, rpkt) {
t.Fatalf("received unexpected packet: % x", rpkt)
}
if ok != (v == vni) {
t.Errorf("unexpected packet tagged with vni=%d (got %v, want %v)", v, ok, v == vni)
}
}
})
}
}
func appendVXLANHeader(b []byte, vni uint32) []byte {
// https://tools.ietf.org/html/rfc7348#section-5
b = append(b, []byte{0x08, 0x00, 0x00, 0x00}...)
return binary.BigEndian.AppendUint32(b, vni<<8)
}
func setBPF(t *testing.T, c *ipv4.PacketConn, fprog []bpf.RawInstruction) {
// https://natanyellin.com/posts/ebpf-filtering-done-right/
blockall, _ := bpf.Assemble([]bpf.Instruction{bpf.RetConstant{Val: 0}})
if err := c.SetBPF(blockall); err != nil {
t.Fatal(err)
}
ms := make([]ipv4.Message, 100)
for {
n, err := c.ReadBatch(ms, unix.MSG_DONTWAIT)
if err != nil {
if errors.Is(err, unix.EAGAIN) {
break
}
t.Fatal(err)
}
if n == 0 {
break
}
}
t.Logf("setting socket filter: %v", marshalXTBPF(fprog))
if err := c.SetBPF(fprog); err != nil {
t.Fatal(err)
}
}
// readUDPPacketFromRawSocket reads raw IP packets from pc until a UDP packet
// which matches the (src, dst) 4-tuple is found or the receive buffer is empty,
// and returns the payload of the UDP packet.
func readUDPPacketFromRawSocket(t *testing.T, pc *ipv4.PacketConn, src, dst netip.AddrPort) ([]byte, bool) {
t.Helper()
ms := []ipv4.Message{
{Buffers: [][]byte{make([]byte, 1500)}},
}
// Set a time limit to prevent an infinite loop if there is a lot of
// loopback traffic being captured which prevents the buffer from
// emptying.
deadline := time.Now().Add(1 * time.Second)
for time.Now().Before(deadline) {
n, err := pc.ReadBatch(ms, unix.MSG_DONTWAIT)
if err != nil {
if !errors.Is(err, unix.EAGAIN) {
t.Fatal(err)
}
break
}
if n == 0 {
break
}
pkt := ms[0].Buffers[0][:ms[0].N]
psrc, pdst, payload, ok := parseUDP(pkt)
// Discard captured packets which belong to other unrelated flows.
if !ok || psrc != src || pdst != dst {
t.Logf("discarding packet:\n% x", pkt)
continue
}
t.Logf("received packet (%v -> %v):\n% x", psrc, pdst, payload)
// While not strictly required, copy payload into a new
// slice which does not share a backing array with pkt
// so the IP and UDP headers can be garbage collected.
return append([]byte(nil), payload...), true
}
return nil, false
}
func parseIPv4(b []byte) (src, dst netip.Addr, protocol byte, payload []byte, ok bool) {
if len(b) < 20 {
return netip.Addr{}, netip.Addr{}, 0, nil, false
}
hlen := int(b[0]&0x0f) * 4
if hlen < 20 {
return netip.Addr{}, netip.Addr{}, 0, nil, false
}
src, _ = netip.AddrFromSlice(b[12:16])
dst, _ = netip.AddrFromSlice(b[16:20])
protocol = b[9]
payload = b[hlen:]
return src, dst, protocol, payload, true
}
// parseUDP parses the IP and UDP headers from the raw Layer-3 packet data in b.
func parseUDP(b []byte) (src, dst netip.AddrPort, payload []byte, ok bool) {
srcip, dstip, protocol, ippayload, ok := parseIPv4(b)
if !ok {
return netip.AddrPort{}, netip.AddrPort{}, nil, false
}
if protocol != 17 {
return netip.AddrPort{}, netip.AddrPort{}, nil, false
}
if len(ippayload) < 8 {
return netip.AddrPort{}, netip.AddrPort{}, nil, false
}
sport := binary.BigEndian.Uint16(ippayload[0:2])
dport := binary.BigEndian.Uint16(ippayload[2:4])
src = netip.AddrPortFrom(srcip, sport)
dst = netip.AddrPortFrom(dstip, dport)
payload = ippayload[8:]
return src, dst, payload, true
}
|
