diff --git a/CLAUDE.md b/CLAUDE.md index 2b0d52a00..ae0008a14 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -5,9 +5,8 @@ bpfilter is an eBPF-based packet filtering framework that translates filtering rules into optimized BPF programs. Licensed under GPLv2, maintained by Meta. **Components:** -- `libbpfilter` - Core library with public API for filtering logic -- `bpfilter` - Daemon that generates and manages BPF programs -- `bfcli` - CLI for defining filtering rules +- `libbpfilter` - Core library containing all filtering logic, BPF code generation, and program lifecycle management +- `bfcli` - CLI for defining and managing filtering rules via `libbpfilter` **Requirements:** Linux 6.6+, libbpf 1.2+ @@ -17,13 +16,12 @@ bpfilter is an eBPF-based packet filtering framework that translates filtering r src/ ├── libbpfilter/ # Core library (shared object) │ ├── include/bpfilter/ # Public API headers -│ └── *.c # Implementation (chain, matcher, rule, hook, set, bpf, btf...) -├── bpfilter/ # Daemon │ ├── cgen/ # BPF code generation engine │ │ ├── matcher/ # Packet matcher codegen (ip4, ip6, tcp, udp, icmp, meta, set) │ │ └── prog/ # Program linking (link, map) │ ├── xlate.c # Rule translation │ └── bpf/ # eBPF stub programs +│ └── *.c # Implementation (chain, matcher, rule, hook, set, bpf, btf, ctx...) ├── bfcli/ # CLI (parser.y, lexer.l, opts, print, chain, ruleset) └── external/ # External deps (mpack) @@ -35,7 +33,7 @@ tests/ └── harness/ # Test utilities (test.h, mock.h, fake.h) doc/ -├── usage/ # User guides (bfcli, daemon) +├── usage/ # User guides (bfcli) └── developers/ # Dev docs (build, style, tests, modules/) ``` 
@@ -114,7 +112,7 @@ Use `#pragma once` for header guards. Prefer forward declarations over includes ### Commit messages Format: `component: subcomponent: short description` -- Components: `lib`, `daemon`, `cli`, `tests`, `build`, `tools`, `doc` +- Components: `lib`, `cli`, `tests`, `build`, `tools`, `doc` - Lowercase, imperative mood, no period, under 72 chars - Description explains "why", code shows "what" - No reference to Claude or Claude as co-author @@ -122,7 +120,7 @@ Format: `component: subcomponent: short description` Examples: ``` lib: matcher: add meta.flow_hash matcher -daemon: cgen: link: add support for dual-stack Netfilter chains +lib: cgen: link: add support for dual-stack Netfilter chains tests: e2e: fix end-to-end tests leaving files behind ``` diff --git a/CMakeLists.txt b/CMakeLists.txt index abc62d704..9e787ed8a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -90,14 +90,13 @@ target_link_options(bf_global_flags_cxx add_subdirectory(src/libbpfilter) add_subdirectory(src/bfcli) -add_subdirectory(src/bpfilter) if (NOT ${NO_DOCS}) add_subdirectory(doc) endif () if (NOT ${NO_TESTS}) - set(CMAKE_CTEST_ARGUMENTS "--output-on-failure") + set(CMAKE_CTEST_ARGUMENTS "--output-on-failure;--label-exclude;fuzzing") enable_testing() add_subdirectory(tests) endif () diff --git a/README.md b/README.md index 9355f3037..4705845a1 100644 --- a/README.md +++ b/README.md 
@@ -32,7 +32,7 @@ - **Low overhead**: minimal resource consumption with maximized efficiency - **Developer-friendly**: clean architecture with clear separation of components -**bpfilter** combines three components: a CLI that allows users to define filtering rules in human-readable text, a daemon that converts these rules into efficient BPF programs, and a library that facilitates seamless communication between applications and the filtering subsystem. +**bpfilter** combines two components: a core library that translates filtering rules into efficient BPF programs and manages their lifecycle, and a CLI that allows users to define and manage filtering rules in human-readable text. Want to know more about **bpfilter**? Check the [user's guide](https://bpfilter.io/usage/index.html), the [developer documentation](https://bpfilter.io/developers/build.html), our [contributing guide](https://bpfilter.io/developers/contributing.html), or watch our latest [public talk](https://www.youtube.com/watch?v=fzaPEm4PXn0)! @@ -61,9 +61,6 @@ make -C $BUILD_DIR ### Usage ```shell -# Start the daemon -sudo $BUILD_DIR/output/sbin/bpfilter - # Count the number of ping coming to interface #2 sudo $BUILD_DIR/output/sbin/bfcli ruleset set --from-str "chain my_chain BF_HOOK_XDP{ifindex=2} ACCEPT rule ip4.proto icmp counter ACCEPT" ``` diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index 962fc63d0..b5a72046a 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt @@ -80,7 +80,6 @@ list(FILTER bf_srcs EXCLUDE REGEX "${CMAKE_SOURCE_DIR}/src/external/.*") set(doc_srcs ${CMAKE_CURRENT_SOURCE_DIR}/index.rst ${CMAKE_CURRENT_SOURCE_DIR}/usage/bfcli.rst - ${CMAKE_CURRENT_SOURCE_DIR}/usage/daemon.rst ${CMAKE_CURRENT_SOURCE_DIR}/usage/index.rst ${CMAKE_CURRENT_SOURCE_DIR}/developers/build.rst ${CMAKE_CURRENT_SOURCE_DIR}/developers/contributing.rst 
@@ -89,7 +88,6 @@ set(doc_srcs ${CMAKE_CURRENT_SOURCE_DIR}/developers/style.rst ${CMAKE_CURRENT_SOURCE_DIR}/developers/tests.rst ${CMAKE_CURRENT_SOURCE_DIR}/developers/modules/index.rst - ${CMAKE_CURRENT_SOURCE_DIR}/developers/modules/bpfilter/bpfilter.rst ${CMAKE_CURRENT_SOURCE_DIR}/developers/modules/libbpfilter/libbpfilter.rst ${CMAKE_CURRENT_SOURCE_DIR}/external/benchmarks/index.rst ${CMAKE_CURRENT_SOURCE_DIR}/external/coverage/index.rst diff --git a/doc/developers/build.rst b/doc/developers/build.rst index 55072014e..f74853003 100644 --- a/doc/developers/build.rst +++ b/doc/developers/build.rst @@ -1,7 +1,7 @@ Build from sources ================== -This document describes the process to build ``bpfilter`` from sources. While ``bpfilter`` can be built on most systems, a recent (6.6+) Linux kernel is required with ``libbpf`` 1.2+ to run the ``bpfilter`` daemon. ``bpfilter`` officially supports Fedora 40+, CentOS Stream 9+, and Ubuntu 24.04+. There is also a nix flake which supports all the make targets. +This document describes the process to build ``bpfilter`` from sources. While ``bpfilter`` can be built on most systems, a recent (6.6+) Linux kernel is required with ``libbpf`` 1.2+ to run ``bpfilter``. ``bpfilter`` officially supports Fedora 40+, CentOS Stream 9+, and Ubuntu 24.04+. There is also a nix flake which supports all the make targets except for ``doc``. If you want to perform a full build of ``bpfilter`` (including all test tests, code check, benchmarks, and documentation), the following dependencies are required: 
@@ -101,9 +101,10 @@ The usual CMake options are allowed (e.g. ``CMAKE_BUILD_TYPE``, ``CMAKE_INSTALL_ A full configuration (without any part disabled) will provide the following targets: -- ``core``, ``bpfilter``, ``libbpfilter``, ``bfcli``: the ``bpfilter`` binaries. +- ``core``, ``libbpfilter``, ``bfcli``: the ``bpfilter`` binaries. - ``test_bin``: build the binaries needed to run the tests (below). -- ``test``: run all the tests. This command will run ``unit``, ``check``, ``e2e``, ``fuzzing``, and ``integration`` targets. See :doc:`tests` for more information. +- ``test``: run all the tests. This command will run ``unit``, ``check``, ``e2e``, and ``integration`` targets. See :doc:`tests` for more information. +- ``fuzzing``: fuzz the CLI parser for 60 seconds. - ``check``: run ``clang-tidy`` and ``clang-format`` against the source files. - ``benchmarks``: run the benchmarks on ``bpfilter``. diff --git a/doc/developers/modules/bpfilter/bpfilter.rst b/doc/developers/modules/bpfilter/bpfilter.rst deleted file mode 100644 index c5024e7b7..000000000 --- a/doc/developers/modules/bpfilter/bpfilter.rst +++ /dev/null @@ -1,4 +0,0 @@ -bpfilter -======== - -.. doxygenfile:: ctx.h diff --git a/doc/developers/modules/index.rst b/doc/developers/modules/index.rst index 94e81dbb4..8f14d85d8 100644 --- a/doc/developers/modules/index.rst +++ b/doc/developers/modules/index.rst 
@@ -6,12 +6,10 @@ Modules :caption: Modules libbpfilter/libbpfilter - bpfilter/bpfilter -``bpfilter`` is composed of multiple modules depending on each other. Splitting the project in different modules allows for the source code to be efficiently reused, be it for ``bfcli``, ``bpfilter``'s daemon, or ``libbpfilter``: +``bpfilter`` is composed of multiple modules depending on each other. Splitting the project in different modules allows for the source code to be efficiently reused: -- ``core``: core definitions used by the daemon, ``bfcli``, and ``libbpfilter``. -- ``bpfilter``: daemon logic, including deserializing data sent by the client into ``bpfilter``'s internal format, and the BPF bytecode generation logic. -- ``bfcli``: generic client to communicate with the daemon. -- ``libbpfilter``: static and shared library to communicate with the daemon. +- ``core``: core definitions used by ``bfcli`` and ``libbpfilter``. +- ``libbpfilter``: core library containing all filtering logic, BPF code generation, and program lifecycle management. +- ``bfcli``: CLI tool for defining and managing filtering rules via ``libbpfilter``. - ``external``: non-``bpfilter`` code, imported into the project to provide consistent external definitions. diff --git a/doc/developers/modules/libbpfilter/libbpfilter.rst b/doc/developers/modules/libbpfilter/libbpfilter.rst index 4e7005a84..cc78494d2 100644 --- a/doc/developers/modules/libbpfilter/libbpfilter.rst +++ b/doc/developers/modules/libbpfilter/libbpfilter.rst @@ -4,13 +4,6 @@ libbpfilter .. doxygenfile:: bpfilter/bpfilter.h -Namespaces ----------- - -.. doxygenfile:: ns.h - :sections: briefdescription detaileddescription typedef struct innerclass enum var define func - - Pack ---- diff --git a/doc/developers/style.rst b/doc/developers/style.rst index 16004a575..6fdb8da1e 100644 --- a/doc/developers/style.rst +++ b/doc/developers/style.rst 
@@ -341,7 +341,7 @@ Commit messages should be formatted as ``component: subcomponent: short descript - No period at the end - Keep under 72 characters -Components are ``lib``, ``daemon``, ``cli``, ``tests``, ``build``, ``tools``, ``doc``. Subcomponents reflect the directory structure (e.g., ``tests: e2e:``, ``daemon: cgen: link:``). If you're unsure, check the commit history for a hint. +Components are ``lib``, ``cli``, ``tests``, ``build``, ``tools``, ``doc``. Subcomponents reflect the directory structure (e.g., ``tests: e2e:``, ``lib: cgen: link:``). If you're unsure, check the commit history for a hint. Examples: diff --git a/doc/developers/tests.rst b/doc/developers/tests.rst index 17175becd..a7f0689c6 100644 --- a/doc/developers/tests.rst +++ b/doc/developers/tests.rst @@ -84,7 +84,7 @@ End-to-end tests are designed to validate bpfilter's behaviour as seen by the us **Example** -``e2e_test_util.sh`` provides functions to create a sandboxed environment and start the ``bpfilter`` daemon. Here is an example of a simple end-to-end test that creates a sandbox and starts ``bpfilter``: +``e2e_test_util.sh`` provides functions to create a sandboxed environment. Here is an example of a simple end-to-end test that creates a sandbox: .. code-block:: shell @@ -96,7 +96,6 @@ End-to-end tests are designed to validate bpfilter's behaviour as seen by the us . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox - start_bpfilter # Ping the sandbox's IPv4 address from the sandboxed namespace ${FROM_NS} ping -c 1 -W 0.1 ${NS_IP_ADDR} diff --git a/doc/index.rst b/doc/index.rst index 0215c6dba..44bc7733f 100644 --- a/doc/index.rst +++ b/doc/index.rst 
@@ -61,6 +61,6 @@ - **Low overhead**: minimal resource consumption with maximized efficiency - **Developer-friendly**: clean architecture with clear separation of components -**bpfilter** combines three components: a CLI that allows users to define filtering rules in human-readable text, a daemon that converts these rules into efficient BPF programs, and a library that facilitates seamless communication between applications and the filtering subsystem. +**bpfilter** combines two components: ``bfcli``, a CLI that allows users to define filtering rules in human-readable text, and ``libbpfilter``, a library that converts these rules into efficient BPF programs and manages their lifecycle. Want to know more about **bpfilter**? Check the :doc:`user's guide `, the :doc:`developer documentation `, or watch our talk at `Scale `_! diff --git a/doc/usage/bfcli.rst b/doc/usage/bfcli.rst index 1d85e3f92..94d0a9074 100644 --- a/doc/usage/bfcli.rst +++ b/doc/usage/bfcli.rst 
@@ -1,7 +1,20 @@ ``bfcli`` ========= -``bfcli`` is a command line tool to communicate with the bpfilter daemon. +``bfcli`` is the command line tool for defining and managing bpfilter filtering rules. It calls ``libbpfilter`` directly to generate, load, and manage BPF programs. + +Environment variables +--------------------- + +``bfcli`` reads the following environment variables to configure the library before processing commands. These variables are ignored when ``--dry-run`` is used. + +- ``BF_BPFFS_PATH``: path to the BPF filesystem directory. Defaults to ``/sys/fs/bpf``. bpfilter pins BPF objects under a ``bpfilter`` subdirectory at this path. +- ``BF_WITH_BPF_TOKEN``: if set (any value), associate a BPF token to every ``bpf()`` system call. Required when running in user namespaces. The token is created from the bpffs at ``BF_BPFFS_PATH``. Only supported for kernel v6.9+. +- ``BF_VERBOSE``: comma-separated list of verbose flags. Supported values: + + - ``debug``: enable debug logs. + - ``bpf``: insert log messages into BPF programs to log failed kernel function calls. View with ``bpftool prog tracelog`` or ``cat /sys/kernel/debug/tracing/trace_pipe``. + - ``bytecode``: dump a program's bytecode before loading it. Commands -------- @@ -32,7 +45,7 @@ Chains with valid hook options defined are attached to their hook. Chains withou ``ruleset get`` ~~~~~~~~~~~~~~~ -Print the ruleset: request all the chains and rules from the daemon with counters values. +Print the ruleset: request all the chains and rules with counters values. **Example** @@ -49,7 +62,7 @@ Print the ruleset: request all the chains and rules from the daemon with counter ``ruleset flush`` ~~~~~~~~~~~~~~~~~ -Remove all the chains and rules defined by the daemon. Once this command completes, the daemon doesn't contain any filtering rules, as if it was freshly started. +Remove all the chains and rules. Once this command completes, bpfilter doesn't contain any filtering rules. **Examples** 
@@ -69,14 +82,14 @@ Remove all the chains and rules defined by the daemon. Once this command complet ``chain set`` ~~~~~~~~~~~~~ -Generate and load a chain into the kernel. If the chain definition contains hook options, the daemon will attach it to its hook. Any existing chain with the same name (attached or not) will be discarded and replaced with the new one. +Generate and load a chain into the kernel. If the chain definition contains hook options, bpfilter will attach it to its hook. Any existing chain with the same name (attached or not) will be discarded and replaced with the new one. If you want to update an existing chain without downtime, use ``bfcli chain update`` instead. **Options** - ``--from-str CHAIN``: read the chain to set from the command line arguments. - ``--from-file FILEPATH``: read the chain from a file. - - ``--name NAME``: if ``--from-str`` or ``--from-file`` provide multiple chains, ``NAME`` specify which one to send to the daemon. + - ``--name NAME``: if ``--from-str`` or ``--from-file`` provide multiple chains, ``NAME`` specifies which one to use. - ``--dry-run``: parse and validate the chain, but do not apply it. **Examples** @@ -158,7 +171,7 @@ If a chain with the same name already exist, it won't be replaced. See ``bfcli c **Options** - ``--from-str CHAIN``: read the chain to set from the command line arguments. - ``--from-file FILEPATH``: read the chain from a file. - - ``--name NAME``: if ``--from-str`` or ``--from-file`` provide multiple chains, ``NAME`` specify which one to send to the daemon. + - ``--name NAME``: if ``--from-str`` or ``--from-file`` provide multiple chains, ``NAME`` specifies which one to use. - ``--dry-run``: parse and validate the chain, but do not apply it. **Examples** 
@@ -213,7 +226,7 @@ If you want to modify the hook options, use ``bfcli chain set`` instead. **Options** - ``--from-str CHAIN``: read the chain to set from the command line arguments. - ``--from-file FILEPATH``: read the chain from a file. - - ``--name NAME``: if ``--from-str`` or ``--from-file`` provide multiple chains, ``NAME`` specify which one to send to the daemon. + - ``--name NAME``: if ``--from-str`` or ``--from-file`` provide multiple chains, ``NAME`` specifies which one to use. - ``--dry-run``: parse and validate the chain, but do not apply it. **Examples** diff --git a/doc/usage/daemon.rst b/doc/usage/daemon.rst deleted file mode 100644 index 1fcf85ddd..000000000 --- a/doc/usage/daemon.rst +++ /dev/null 
@@ -1,27 +0,0 @@ -The daemon -========== - -The ``bpfilter`` daemon is responsible for creating the BPF program corresponding to the user-provided filtering rules. The daemon will also load and manage the BPF programs on the system. - -It is possible to customize the daemon's behavior using the following command-line flags: - -- ``-t``, ``--transient``: if used, ``bpfilter`` won't pin any BPF program or map, and no data will be serialized to the filesystem. Hence, as soon as the daemon is stopped, the loaded BPF programs and maps will be removed from the system. -- ``--with-bpf-token``: if set, the daemon will associate a BPF token to every ``bpf()`` system call. This is required when the daemon runs in user namespaces. The daemon will create the token from the bpffs mounted at ``--bpffs-path``. The user is responsible for configuring the file system, so a token can be created. Only supported for kernel v6.9+, if the current kernel doesn't support BPF token, the daemon will stop with a non-zero exit code. -- ``--bpffs-path``: use a custom BPF filesystem directory. By default, bpfilter will pin the BPF objects in a ``bpfilter`` directory in ``/sys/fs/bpf``, this option will move the ``bpfilter`` folder into a different directory. The path provided must be a directory on a BPF filesystem. -- ``-v=VERBOSE_FLAG``, ``--verbose=VERBOSE_FLAG``: enable verbose logs for ``VERBOSE_FLAG``. Currently, 3 verbose flags are supported: - - - ``debug``: enable all the debug logs in the application. - - ``bpf``: insert log messages into the BPF programs to log failed kernel function calls. Those messages can be printed with ``bpftool prog tracelog`` or ``cat /sys/kernel/debug/tracing/trace_pipe``. - - ``bytecode``: dump a program's bytecode before loading it. - -- ``--usage``: print a short usage message. -- ``-?``, ``--help``: print the help message. - -Namespaces ----------- - -``bpfilter`` supports the network and mount Linux namespaces. 
The daemon will automatically switch to the client's namespace before attaching a BPF program, so it is guaranteed to have the same view of the system as the client. - -The network namespace will define the available interface indexes to attach the XDP and TC chains, as well as the interface indexes to filter packets on. - -The mount namespace is required to ensure the daemon will attach a cgroup_skb chain to the proper cgroup. diff --git a/doc/usage/index.rst b/doc/usage/index.rst index 32eb3bee0..3338f8c90 100644 --- a/doc/usage/index.rst +++ b/doc/usage/index.rst @@ -6,15 +6,12 @@ Usage :maxdepth: 2 :caption: Usage - daemon bfcli -``bpfilter`` is composed of two main parts that work together: the client used by the users to define the filtering rules and send them to the **daemon** that performs the heavy lifting of generating the BPF bytecode. +``bpfilter`` is composed of two main parts: ``libbpfilter``, the core library that generates and manages BPF programs, and ``bfcli``, the CLI used to define filtering rules. ``bfcli`` calls ``libbpfilter`` directly to translate rules into BPF programs and load them into the kernel. -Before anything, you will have to run the daemon on your system, see :doc:`daemon` for more details. - -Then, use ``bfcli`` to create, update, or read chains. +See :doc:`bfcli` for the full command reference and filter syntax. Install ------- 
@@ -31,7 +28,7 @@ If you use a different distribution, you can still build and use **bpfilter** if Example usage ------------- -From here on, we assume **bpfilter** has been installed on your system. If you build it locally, you will need to substitute the ``bpfilter`` command with ``$BUILD_DIR/output/sbin/bpfilter``, same for ``bfcli``. The example below is meant to familiarize you with **bpfilter**, more in-depth information can be found throughout the documentation. +From here on, we assume **bpfilter** has been installed on your system. If you build it locally, you will need to substitute the ``bfcli`` command with ``$BUILD_DIR/output/bin/bfcli``. The example below is meant to familiarize you with **bpfilter**, more in-depth information can be found throughout the documentation. This example will block ``ping`` requests sent going out of the local host to a remote server. @@ -53,19 +50,9 @@ Let's check if we can ping ``facebook.com`` before we do anything: rtt min/avg/max/mdev = 23.596/25.493/28.622/1.880 ms -**Start the daemon** - -The daemon is responsible for receiving the user-defined filtering rules, and translating them into BPF programs. We will start it in ``--transient`` mode, so all the filtering programs defined will be discarded when we stop it, preventing any mistake on our side! - -.. code-block:: bash - - $ sudo bpfilter --transient - info : waiting for requests... - - **Create a new filtering rule** -Now that the daemon is up and running, we will use ``bfcli`` to send a filtering chain. A chain is a set of rules to filter packets on: +Use ``bfcli`` to create a filtering chain. A chain is a set of rules to filter packets on: .. code-block:: bash diff --git a/src/bfcli/main.c b/src/bfcli/main.c index 71c885000..792061336 100644 --- a/src/bfcli/main.c +++ b/src/bfcli/main.c 
@@ -6,19 +6,15 @@ #include #include #include -#include #include -#include -#include #include #include +#include #include #include #include #include -#include -#include #include #include @@ -50,7 +46,18 @@ int main(int argc, char *argv[]) if (r < 0) return r; - return opts.cmd->cb(&opts); + if (!opts.dry_run) { + r = bf_ctx_setup(opts.with_bpf_token, opts.bpffs_path, opts.verbose); + if (r < 0) + return r; + } + + r = opts.cmd->cb(&opts); + + if (!opts.dry_run) + bf_ctx_teardown(); + + return r; } void yyerror(struct bfc_ruleset *ruleset, const char *fmt, ...) diff --git a/src/bfcli/opts.c b/src/bfcli/opts.c index 688d4507d..c7b642726 100644 --- a/src/bfcli/opts.c +++ b/src/bfcli/opts.c @@ -6,8 +6,12 @@ #include "opts.h" #include +#include +#include +#include #include +#include #include "bpfilter/list.h" #include "chain.h" @@ -43,6 +47,9 @@ */ #define BFC_OPT_LONG_FLAG_ONLY(id) (1000 + (id)) +/// Index of the ACTION argument in argv, set during stage-1 parsing. +static int _bfc_action_argv_idx = 0; + static const char * const _bfc_object_strs[] = { "ruleset", // BFC_OBJECT_RULESET "chain", // BFC_OBJECT_CHAIN @@ -95,6 +102,36 @@ enum bfc_action bfc_action_from_str(const char *str) return -EINVAL; } +static const char * const _bfc_verbose_strs[] = { + [BF_VERBOSE_DEBUG] = "debug", + [BF_VERBOSE_BPF] = "bpf", + [BF_VERBOSE_BYTECODE] = "bytecode", +}; +static_assert_enum_mapping(_bfc_verbose_strs, _BF_VERBOSE_MAX); + +static enum bf_verbose _bfc_verbose_from_str(const char *str) +{ + assert(str); + + for (enum bf_verbose op = 0; op < _BF_VERBOSE_MAX; ++op) { + if (bf_streq(_bfc_verbose_strs[op], str)) + return op; + } + + return -EINVAL; +} + +/** + * Deprecated global option keys. These are stage-1 only flags and must not + * be part of @ref bfc_opts_option_id (which indexes @c _bfc_options[]). + */ +enum +{ + _BFC_DEPRECATED_NO_IPTABLES = 100, + _BFC_DEPRECATED_NO_NFTABLES, + _BFC_DEPRECATED_NO_CLI, +}; + enum bfc_opts_option_id { BFC_OPT_HELP, 
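Review bot: `bf_ctx_setup(opts.with_bpf_token, opts.bpffs_path, opts.verbose)` takes its inputs only from the parsed `struct bfc_opts`, while the `doc/usage/bfcli.rst` hunk in this same commit states that `bfcli` reads `BF_BPFFS_PATH`, `BF_WITH_BPF_TOKEN` and `BF_VERBOSE` from the environment; no `getenv()` appears in the `opts.c` hunks either. If that lookup is not done somewhere outside these hunks (for example as defaults computed in `bfc_opts_parse`), the documented variables are silently ignored, which for `BF_BPFFS_PATH` means objects are pinned under `/sys/fs/bpf` rather than the path the operator configured. Either add the environment defaulting before the parse, or make the documentation describe `-t`, `-b` and `-v` instead. `main` starts before this hunk.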
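Review bot: `_bfc_action_argv_idx` is file-scope mutable state that is never reset, so it only holds a valid value for the first `bfc_opts_parse` call in a process and keeps its zero initializer whenever the `ARGP_KEY_ARG` branch that sets it (hunk `@@ -322,6 +387,7`) does not run; the consumer in hunk `@@ -706,9 +821,9` then overwrites `argv[0]` with `_bfc_name` and hands the unshifted argv, global options included, to the subparser. Whether an index of 0 can actually reach that point depends on the object/action checks before it, which are outside the hunk. Storing the index in `struct bfc_opts` next to `object`/`action`, or at least resetting it at the top of `bfc_opts_parse` and guarding the use with `if (_bfc_action_argv_idx <= 0) return -EINVAL;`, removes the hidden dependency on call order.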
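Review bot: `_bfc_verbose_from_str` returns `-EINVAL` through `enum bf_verbose`, so the caller has to rely on the `(int)opt < 0` cast; whether that round-trips depends on the enum's compiler-chosen underlying type. Returning `int` (the enumerator on success, `-EINVAL` on failure) keeps the sentinel in a signed type and reads the same at the call site. The comment on the deprecated key enum says those values must not collide with `bfc_opts_option_id`; the `= 100` base only guarantees that while that enum has fewer than 100 members, so a `static_assert` comparing its last enumerator against 100, placed next to the option table, would make the invariant the comment describes checked rather than assumed.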
@@ -168,8 +205,7 @@ static const struct bfc_opts_cmd _bfc_opts_cmds[] = { BFC_OPT_CHAIN_NAME), .required_opts = BF_FLAGS(BFC_OPT_CHAIN_NAME), .doc = - "Print an existing chain\vRequest the chain --name from the daemon " - "and print it.", + "Print an existing chain\vRequest the chain --name and print it.", .cb = bfc_chain_get, }, { @@ -308,6 +344,35 @@ static error_t _bfc_opts_parser(int key, char *arg, struct argp_state *state) case 'V': _bfc_opts_version(state, arg, opts); break; + case BFC_OPT_LONG_FLAG_ONLY(_BFC_DEPRECATED_NO_IPTABLES): + bf_warn("option --no-iptables is deprecated"); + break; + case BFC_OPT_LONG_FLAG_ONLY(_BFC_DEPRECATED_NO_NFTABLES): + bf_warn("option --no-nftables is deprecated"); + break; + case BFC_OPT_LONG_FLAG_ONLY(_BFC_DEPRECATED_NO_CLI): + bf_warn("option --no-cli is deprecated"); + break; + case 't': + opts->with_bpf_token = true; + break; + case 'b': + opts->bpffs_path = arg; + break; + case 'v': { + enum bf_verbose opt = _bfc_verbose_from_str(arg); + if ((int)opt < 0) { + argp_error( + state, + "unknown --verbose option '%s', valid options: [debug, bpf, bytecode]", + arg); + break; + } + if (opt == BF_VERBOSE_DEBUG) + bf_log_set_level(BF_LOG_DBG); + opts->verbose |= BF_FLAG(opt); + break; + } case ARGP_KEY_ARG: if (state->arg_num == 0) { opts->object = bfc_object_from_str(arg); @@ -322,6 +387,7 @@ static error_t _bfc_opts_parser(int key, char *arg, struct argp_state *state) argp_error(state, "object '%s' does not support action '%s'", bfc_object_to_str(opts->object), bfc_action_to_str(opts->action)); + _bfc_action_argv_idx = state->next - 1; state->next = state->argc; } else { return ARGP_ERR_UNKNOWN; 
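Review bot: in the `'v'` case the error text hard-codes `[debug, bpf, bytecode]` while `_bfc_verbose_strs[]` is the table the lookup actually uses; `static_assert_enum_mapping` keeps the table in step with `enum bf_verbose`, but nothing does the same for the message. A comment such as `/* keep in sync with _bfc_verbose_strs[] */` on the `argp_error` call, or building the list from the table, stops the help text drifting when a flag is added. Note also that `bf_log_set_level(BF_LOG_DBG)` takes effect immediately, so under `--dry-run` (where main.c skips `bf_ctx_setup`) it is the only part of `-v` that still applies; worth a one-line comment here. `_bfc_opts_parser` starts and ends outside the hunk.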
@@ -652,15 +718,64 @@ int bfc_opts_parse(struct bfc_opts *opts, int argc, char **argv) BFC_HELP_ENTRY(BFC_ACTION_UPDATE, "Update an existing chain"), BFC_HELP_ENTRY(BFC_ACTION_UPDATE_SET, "Update a set in a chain"), BFC_HELP_ENTRY(BFC_ACTION_FLUSH, "Remove a chain"), - {.name = "help", .key = 'h', .group = -1, .doc = "Print help"}, - {.name = "usage", - .key = BFC_OPT_LONG_FLAG_ONLY(BFC_OPT_USAGE), - .group = -1, - .doc = "Print short usage message"}, - {.name = "version", - .key = 'V', - .group = -1, - .doc = "Print program version"}, + { + .name = "no-iptables", + .key = BFC_OPT_LONG_FLAG_ONLY(_BFC_DEPRECATED_NO_IPTABLES), + .doc = "DEPRECATED. Disable iptables support", + .group = -1, + }, + { + .name = "no-nftables", + .key = BFC_OPT_LONG_FLAG_ONLY(_BFC_DEPRECATED_NO_NFTABLES), + .doc = "DEPRECATED. Disable nftables support", + .group = -1, + }, + { + .name = "no-cli", + .key = BFC_OPT_LONG_FLAG_ONLY(_BFC_DEPRECATED_NO_CLI), + .doc = "DEPRECATED. Disable CLI support", + .group = -1, + }, + { + .name = "with-bpf-token", + .key = 't', + .doc = + "Use a BPF token with the bpf() system calls. The token is created from the bpffs instance mounted at /sys/fs/bpf.", + .group = -1, + }, + { + .name = "bpffs-path", + .key = 'b', + .arg = "BPFFS_PATH", + .doc = + "Path to the bpffs to pin the BPF objects into. Defaults to /sys/fs/bpf.", + .group = -1, + }, + { + .name = "verbose", + .key = 'v', + .arg = "VERBOSE_FLAG", + .doc = "Verbose flags to enable. Can be used more than once.", + .group = -1, + }, + { + .name = "help", + .key = 'h', + .group = -1, + .doc = "Print help", + }, + { + .name = "usage", + .key = BFC_OPT_LONG_FLAG_ONLY(BFC_OPT_USAGE), + .group = -1, + .doc = "Print short usage message", + }, + { + .name = "version", + .key = 'V', + .group = -1, + .doc = "Print program version", + }, {0}, }; static const struct argp parser = { 
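Review bot: the `with-bpf-token` help text says the token is created from the bpffs mounted at `/sys/fs/bpf`, but `--bpffs-path` right below it makes that location configurable, and the new bfcli.rst says the token comes from `BF_BPFFS_PATH`. Since a token is only as permissive as the mount it is created from, the help should name the effective path, e.g. `"Use a BPF token with the bpf() system calls. The token is created from the bpffs instance mounted at --bpffs-path (default /sys/fs/bpf)."`. The option table is part of `bfc_opts_parse`, which starts before this hunk.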
@@ -706,9 +821,9 @@ int bfc_opts_parse(struct bfc_opts *opts, int argc, char **argv) (void)snprintf(_bfc_name, _BFC_NAME_LEN, "%s %s %s", argv[0], bfc_object_to_str(opts->object), bfc_action_to_str(opts->action)); - argv[2] = _bfc_name; - argc -= 2; - argv += 2; + argv[_bfc_action_argv_idx] = _bfc_name; + argc -= _bfc_action_argv_idx; + argv += _bfc_action_argv_idx; r = argp_parse(&subparser, argc, argv, ARGP_NO_HELP, NULL, opts); if (r) diff --git a/src/bfcli/opts.h b/src/bfcli/opts.h index 0ccfa4b83..56f7dc5b7 100644 --- a/src/bfcli/opts.h +++ b/src/bfcli/opts.h @@ -6,15 +6,16 @@ #pragma once #include +#include #include /** * @file opts.h * - * bfcli commands are constructed as `bfcli OBJECT ACTION [OPTIONS...]`, with - * `OBJECT` the type of bpfilter object to manipulate, and `ACTION` the action - * to apply to the object. + * bfcli commands are constructed as + * `bfcli [OPTIONS...] OBJECT ACTION [OPTIONS...]`, with `OBJECT` the type of + * bpfilter object to manipulate, and `ACTION` the action to apply to the object. * * This file provides the mechanism to define and parse command line object for * all the existing commands supported by bfcli. @@ -79,6 +80,10 @@ struct bfc_opts bf_list set_remove; bool dry_run; + + bool with_bpf_token; + const char *bpffs_path; + uint16_t verbose; }; struct bfc_opts_cmd @@ -99,7 +104,8 @@ struct bfc_opts_cmd {.object = _BFC_OBJECT_MAX, \ .action = _BFC_ACTION_MAX, \ .set_add = bf_list_default(NULL, NULL), \ - .set_remove = bf_list_default(NULL, NULL)}; + .set_remove = bf_list_default(NULL, NULL), \ + .bpffs_path = "/sys/fs/bpf"}; void bfc_opts_clean(struct bfc_opts *opts); int bfc_opts_parse(struct bfc_opts *opts, int argc, char **argv); diff --git a/src/bpfilter/CMakeLists.txt b/src/bpfilter/CMakeLists.txt deleted file mode 100644 index f951efc78..000000000 --- a/src/bpfilter/CMakeLists.txt +++ /dev/null 
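Review bot: the new `with_bpf_token`, `bpffs_path` and `verbose` members carry no comment, so a reader cannot tell that `bpffs_path` is a non-owning pointer (set to `arg` from argv in opts.c, or to the `"/sys/fs/bpf"` literal by the default initializer below) or that `verbose` is a bitmask of `BF_FLAG(enum bf_verbose)` values rather than a level. Suggest `/// Create a BPF token for every bpf() call (-t/--with-bpf-token).`, `/// bpffs directory to pin objects under; points into argv or the default literal, not owned.` and `/// Bitmask of BF_FLAG(enum bf_verbose) values (-v/--verbose).` above the three fields, matching the `///` style used for `_bfc_action_argv_idx` in opts.c. `struct bfc_opts` starts before this hunk.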
@@ -1,82 +0,0 @@ -# SPDX-License-Identifier: GPL-2.0-only -# Copyright (c) 2023 Meta Platforms, Inc. and affiliates. - -include(ElfStubs) - -configure_file( - ${CMAKE_CURRENT_SOURCE_DIR}/bpfilter.service.in - ${CMAKE_BINARY_DIR}/output/usr/lib/systemd/system/bpfilter.service - @ONLY -) - -add_executable(bpfilter - ${CMAKE_CURRENT_SOURCE_DIR}/main.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/handle.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/handle.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/jmp.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/jmp.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/ip4.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/ip4.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/ip6.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/ip6.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/tcp.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/tcp.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/udp.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/udp.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/meta.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/meta.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/set.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/set.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/icmp.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/icmp.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/nf.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/nf.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/printer.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/printer.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/program.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/program.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/prog/link.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/prog/link.c - 
${CMAKE_CURRENT_SOURCE_DIR}/cgen/prog/map.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/prog/map.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/runtime.h - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/stub.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/stub.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/swich.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/swich.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/tc.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/tc.c - ${CMAKE_CURRENT_SOURCE_DIR}/cgen/xdp.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/xdp.c - ${CMAKE_CURRENT_SOURCE_DIR}/ctx.h ${CMAKE_CURRENT_SOURCE_DIR}/ctx.c - ${CMAKE_CURRENT_SOURCE_DIR}/xlate.c - - ${CMAKE_SOURCE_DIR}/src/external/include/disasm.h ${CMAKE_SOURCE_DIR}/src/external/disasm.c -) - -file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/include/cgen) -bf_target_add_elfstubs(bpfilter - DIR ${CMAKE_CURRENT_SOURCE_DIR}/bpf - SYM_PREFIX "_bf_rawstubs_" - DECL_HDR_PATH ${CMAKE_CURRENT_BINARY_DIR}/include/cgen/rawstubs.h - STUBS - "parse_ipv6_eh" - "parse_ipv6_nh" - "update_counters" - "log" - "flow_hash" -) - -target_compile_definitions(bpfilter - PRIVATE - BF_CONTACT="${BF_CONTACT}" -) - -target_include_directories(bpfilter - PRIVATE - ${CMAKE_CURRENT_SOURCE_DIR} - ${CMAKE_CURRENT_BINARY_DIR}/include - ${CMAKE_SOURCE_DIR}/src/external/include -) - -target_link_libraries(bpfilter - PRIVATE - bf_global_flags - libbpfilter -) - -install(TARGETS bpfilter - DESTINATION ${CMAKE_INSTALL_SBINDIR} -) - -install( - FILES ${CMAKE_BINARY_DIR}/output/usr/lib/systemd/system/bpfilter.service - DESTINATION ${CMAKE_INSTALL_PREFIX}/lib/systemd/system -) diff --git a/src/bpfilter/bpfilter.service.in b/src/bpfilter/bpfilter.service.in deleted file mode 100644 index 85876acfa..000000000 --- a/src/bpfilter/bpfilter.service.in +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=BPF-based packet filtering framework - -[Service] -ExecStart=/usr/sbin/bpfilter -Restart=on-failure - -[Install] -WantedBy=multi-user.target diff --git a/src/bpfilter/main.c b/src/bpfilter/main.c deleted file mode 100644 index 6a45e1371..000000000 
--- a/src/bpfilter/main.c +++ /dev/null 
@@ -1,393 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-only -/* - * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. - */ - -#define _GNU_SOURCE - -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "ctx.h" - -#define BF_DEFAULT_BPFFS_PATH "/sys/fs/bpf" - -enum -{ - BF_OPT_NO_IPTABLES_KEY, - BF_OPT_NO_NFTABLES_KEY, - BF_OPT_NO_CLI_KEY, - BF_OPT_WITH_BPF_TOKEN, - BF_OPT_BPFFS_PATH, -}; - -struct bf_options -{ - bool transient; - bool with_bpf_token; - const char *bpffs_path; - uint16_t verbose; -}; - -static const char *_bf_verbose_strs[] = { - [BF_VERBOSE_DEBUG] = "debug", - [BF_VERBOSE_BPF] = "bpf", - [BF_VERBOSE_BYTECODE] = "bytecode", -}; - -static_assert_enum_mapping(_bf_verbose_strs, _BF_VERBOSE_MAX); - -static enum bf_verbose _bf_verbose_from_str(const char *str) -{ - assert(str); - - for (enum bf_verbose verbose = 0; verbose < _BF_VERBOSE_MAX; ++verbose) { - if (bf_streq(_bf_verbose_strs[verbose], str)) - return verbose; - } - - return -EINVAL; -} - -static struct argp_option _bf_options[] = { - {"transient", 't', 0, 0, - "Do not load or save runtime context and remove all BPF programs on shutdown", - 0}, - {"buffer-len", 'b', "BUF_LEN_POW", 0, - "DEPRECATED. Size of the BPF log buffer as a power of 2 (only used when --verbose is used). Default: 16.", - 0}, - {"no-iptables", BF_OPT_NO_IPTABLES_KEY, 0, 0, - "DEPRECATED. Disable iptables support", 0}, - {"no-nftables", BF_OPT_NO_NFTABLES_KEY, 0, 0, - "DEPRECATED. Disable nftables support", 0}, - {"no-cli", BF_OPT_NO_CLI_KEY, 0, 0, "DEPRECATED. Disable CLI support", 0}, - {"with-bpf-token", BF_OPT_WITH_BPF_TOKEN, NULL, 0, - "Use a BPF token with the bpf() system calls. The token is created from the bpffs instance mounted at /sys/fs/bpf.", - 0}, - {"bpffs-path", BF_OPT_BPFFS_PATH, "BPFFS_PATH", 0, - "Path to the bpffs to pin the BPF objects into. 
Defaults to " BF_DEFAULT_BPFFS_PATH - ".", - 0}, - {"verbose", 'v', "VERBOSE_FLAG", 0, - "Verbose flags to enable. Can be used more than once.", 0}, - {0}, -}; - -static error_t _bf_opts_parser(int key, char *arg, struct argp_state *state) -{ - struct bf_options *args = state->input; - enum bf_verbose opt; - - (void)arg; - - switch (key) { - case 't': - args->transient = true; - break; - case 'b': - bf_warn( - "--buffer-len is deprecated, buffer size is defined automatically"); - break; - case BF_OPT_NO_IPTABLES_KEY: - bf_warn("--no-iptables is deprecated"); - break; - case BF_OPT_NO_NFTABLES_KEY: - bf_warn("--no-nftables is deprecated"); - break; - case BF_OPT_NO_CLI_KEY: - bf_warn("--no-cli is deprecated"); - break; - case BF_OPT_WITH_BPF_TOKEN: - args->with_bpf_token = true; - bf_info("using a BPF token"); - break; - case BF_OPT_BPFFS_PATH: - args->bpffs_path = arg; - bf_info("using bpffs at %s", args->bpffs_path); - break; - case 'v': - opt = _bf_verbose_from_str(arg); - if ((int)opt < 0) { - return bf_err_r( - (int)opt, - "unknown --verbose option '%s', valid --verbose options: [debug, bpf, bytecode]", - arg); - } - bf_info("enabling verbose for '%s'", arg); - if (opt == BF_VERBOSE_DEBUG) - bf_log_set_level(BF_LOG_DBG); - args->verbose |= BF_FLAG(opt); - break; - default: - return ARGP_ERR_UNKNOWN; - } - - return 0; -} - -static int _bf_opts_init(struct bf_options *opts, int argc, char *argv[]) -{ - struct argp argp = {_bf_options, _bf_opts_parser, NULL, NULL, 0, NULL, - NULL}; - - return argp_parse(&argp, argc, argv, 0, 0, opts); -} - -/** - * Global flag to indicate whether the daemon should stop. - */ -static volatile sig_atomic_t _bf_stop_received = 0; - -/** - * Set atomic flag to stop the daemon if specific signals are received. - * - * @param sig Signal number. - */ -void _bf_sig_handler(int sig) -{ - (void)sig; - - _bf_stop_received = 1; -} - -/** - * Initialize bpfilter's daemon runtime. 
- * - * Setup signal handler (for graceful shutdown), initialize a fresh context, - * discover existing chains from bpffs, and initialise various front-ends. - * - * @return 0 on success, negative error code on failure. - */ -static int _bf_init(int argc, char *argv[]) -{ - struct sigaction sighandler = {.sa_handler = _bf_sig_handler}; - struct bf_options opts = { - .transient = false, - .with_bpf_token = false, - .bpffs_path = BF_DEFAULT_BPFFS_PATH, - .verbose = 0, - }; - int r; - - if (sigaction(SIGINT, &sighandler, NULL) < 0) - return bf_err_r(errno, "can't override handler for SIGINT"); - - if (sigaction(SIGTERM, &sighandler, NULL) < 0) - return bf_err_r(errno, "can't override handler for SIGTERM"); - - bf_info("starting bpfilter version %s", BF_VERSION); - - r = _bf_opts_init(&opts, argc, argv); - if (r < 0) - return bf_err_r(r, "failed to parse command line arguments"); - - r = bf_ensure_dir(BF_RUNTIME_DIR); - if (r) - return bf_err_r(r, "failed to ensure runtime directory exists"); - - r = bf_ctx_setup(opts.transient, opts.with_bpf_token, opts.bpffs_path, - opts.verbose); - if (r) - return bf_err_r(r, "failed to setup context"); - - bf_ctx_dump(EMPTY_PREFIX); - - return 0; -} - -extern int bf_request_handler(const struct bf_request *request, - struct bf_response **response); - -/** - * Process a request. - * - * If the handler returns 0, @p response is expected to be filled, and ready - * to be returned to the client. - * If the handler returns a negative error code, @p response is filled by @ref - * _bf_process_request with a generated error response and 0 is returned. If - * generating the error response fails, then 0 is returned. - * - * In other words, if 0 is returned, @p response is ready to be sent back, if - * a negative error code is returned, an error occured during @p request - * processing, and no response is available. - * - * @param request Request to process. Can't be NULL. - * @param response Response to fill. Can't be NULL. 
- * @return 0 on success, negative error code on failure. - */ -static int _bf_process_request(struct bf_request *request, - struct bf_response **response) -{ - int r; - - assert(request); - assert(response); - - if (bf_request_cmd(request) < 0 || - bf_request_cmd(request) >= _BF_REQ_CMD_MAX) { - bf_warn("received a request with command %d, unknown command, ignoring", - bf_request_cmd(request)); - return bf_response_new_failure(response, -EINVAL); - } - - bf_info("processing request %s", - bf_request_cmd_to_str(bf_request_cmd(request))); - - r = bf_request_handler(request, response); - if (r) { - /* We failed to process the request, so we need to generate an - * error. If the error response is successfully generated, then we - * return 0, otherwise we return the error code. */ - r = bf_response_new_failure(response, r); - } - - return r; -} - -/** - * Loop and process requests. - * - * Create a socket and perform blocking accept() calls. For each connection, - * receive a request, process it, and send the response back. - * - * If a signal is received, @ref _bf_stop_received will be set to 1 by @ref - * _bf_sig_handler and blocking call to `accept()` will be interrupted. - * - * @return 0 on success, negative error code on failure. - */ -static int _bf_run(void) -{ - _cleanup_close_ int fd = -1; - _cleanup_close_ int lock = -1; - struct sockaddr_un addr = {}; - struct ucred peer_cred; - socklen_t peer_cred_len = sizeof(peer_cred); - int r; - - lock = bf_acquire_lock(BF_LOCK_PATH); - if (lock < 0) { - return bf_err_r( - lock, - "failed to acquire the daemon lock, is the daemon already running? Error"); - } - - fd = socket(AF_UNIX, SOCK_STREAM, 0); - if (fd < 0) - return bf_err_r(errno, "failed to create socket"); - - // We have a lock on the lock file, so no other daemon is running, we can - // remove the socket file (if any). 
- unlink(BF_SOCKET_PATH); - addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, BF_SOCKET_PATH, sizeof(addr.sun_path) - 1); - - r = bind(fd, (struct sockaddr *)&addr, sizeof(addr)); - if (r < 0) { - return bf_err_r(errno, "failed to bind socket to %s", BF_SOCKET_PATH); - } - - r = listen(fd, 1); - if (r < 0) - return bf_err_r(errno, "listen() failed"); - - bf_info("waiting for requests..."); - - while (!_bf_stop_received) { - _cleanup_close_ int client_fd = -1; - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - _clean_bf_ns_ struct bf_ns ns = bf_ns_default(); - - client_fd = accept(fd, NULL, NULL); - if (client_fd < 0) { - if (_bf_stop_received) { - bf_info("received stop signal, exiting..."); - continue; - } - - bf_err_r(errno, "failed to accept connection, ignoring"); - continue; - } - - // NOLINTNEXTLINE: SOL_SOCKET and SO_PEERCRED can't be directly included - r = getsockopt(client_fd, SOL_SOCKET, SO_PEERCRED, &peer_cred, - &peer_cred_len); - if (r) { - bf_err_r(errno, - "failed to read the client's credentials, ignoring"); - continue; - } - - r = bf_ns_init(&ns, peer_cred.pid); - if (r) { - bf_err_r(r, "failed to open the client's namespaces, ignoring"); - continue; - } - - r = bf_recv_request(client_fd, &request); - if (r) { - bf_err_r(r, "failed to receive request, ignoring"); - continue; - } - - bf_request_set_ns(request, &ns); - bf_request_set_fd(request, client_fd); - - r = _bf_process_request(request, &response); - if (r) { - bf_err_r(r, "failed to process request, ignoring"); - continue; - } - - r = bf_send_response(client_fd, response); - if (r) { - bf_err_r(r, "failed to send response, ignoring"); - continue; - } - } - - return 0; -} - -int main(int argc, char *argv[]) -{ - int r; - - bf_logger_setup(); - - argp_program_version = "bpfilter version " BF_VERSION; - argp_program_bug_address = BF_CONTACT; - - r = bf_btf_setup(); - if (r < 0) - return bf_err_r(r, "failed to setup BTF module"); 
- - r = _bf_init(argc, argv); - if (r < 0) - return bf_err_r(r, "failed to initialize bpfilter"); - - r = _bf_run(); - if (r < 0) - return bf_err_r(r, "run() failed"); - - bf_ctx_teardown(); - bf_btf_teardown(); - - return r; -} diff --git a/src/bpfilter/xlate.c b/src/bpfilter/xlate.c deleted file mode 100644 index 1dcfd42f5..000000000 --- a/src/bpfilter/xlate.c +++ /dev/null 
@@ -1,654 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -/* - * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. - */ - -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "bpfilter/set.h" -#include "cgen/cgen.h" -#include "cgen/handle.h" -#include "cgen/prog/link.h" -#include "cgen/prog/map.h" -#include "cgen/program.h" -#include "ctx.h" - -int _bf_cli_ruleset_flush(const struct bf_request *request, - struct bf_response **response) -{ - (void)request; - (void)response; - - bf_ctx_flush(); - - return 0; -} - -static int _bf_cli_ruleset_get(const struct bf_request *request, - struct bf_response **response) -{ - _clean_bf_list_ bf_list cgens = bf_list_default(NULL, NULL); - _clean_bf_list_ bf_list chains = bf_list_default(NULL, bf_chain_pack); - _clean_bf_list_ bf_list hookopts = bf_list_default(NULL, bf_hookopts_pack); - _clean_bf_list_ bf_list counters = - bf_list_default(bf_list_free, bf_list_pack); - _free_bf_wpack_ bf_wpack_t *pack = NULL; - int r; - - (void)request; - - r = bf_wpack_new(&pack); - if (r) - return r; - - r = bf_ctx_get_cgens(&cgens); - if (r < 0) - return bf_err_r(r, "failed to get cgen list"); - - bf_list_foreach (&cgens, cgen_node) { - struct bf_cgen *cgen = bf_list_node_get_data(cgen_node); - _free_bf_list_ bf_list *cgen_counters = NULL; - - r = bf_list_add_tail(&chains, cgen->chain); - if (r) - return bf_err_r(r, "failed to add chain to list"); - - r = bf_list_add_tail(&hookopts, cgen->handle->link ? 
- cgen->handle->link->hookopts : - NULL); - if (r) - return bf_err_r(r, "failed to add hookopts to list"); - - r = bf_list_new(&cgen_counters, - &bf_list_ops_default(bf_counter_free, bf_counter_pack)); - if (r) - return r; - - r = bf_cgen_get_counters(cgen, cgen_counters); - if (r) - return r; - - r = bf_list_add_tail(&counters, cgen_counters); - if (r) - return r; - - TAKE_PTR(cgen_counters); - } - - bf_wpack_open_object(pack, "ruleset"); - bf_wpack_kv_list(pack, "chains", &chains); - bf_wpack_kv_list(pack, "hookopts", &hookopts); - bf_wpack_kv_list(pack, "counters", &counters); - bf_wpack_close_object(pack); - - return bf_response_new_from_pack(response, pack); -} - -int _bf_cli_ruleset_set(const struct bf_request *request, - struct bf_response **response) -{ - _clean_bf_list_ bf_list cgens = bf_list_default(NULL, NULL); - _free_bf_rpack_ bf_rpack_t *pack; - bf_rpack_node_t child, node; - int r; - - assert(request); - - (void)response; - - bf_ctx_flush(); - - r = bf_rpack_new(&pack, bf_request_data(request), - bf_request_data_len(request)); - if (r) - return r; - - r = bf_rpack_kv_array(bf_rpack_root(pack), "ruleset", &child); - if (r) - return r; - bf_rpack_array_foreach (child, node) { - _free_bf_cgen_ struct bf_cgen *cgen = NULL; - _free_bf_chain_ struct bf_chain *chain = NULL; - _free_bf_hookopts_ struct bf_hookopts *hookopts = NULL; - bf_rpack_node_t child; - - r = bf_rpack_kv_obj(node, "chain", &child); - if (r) - goto err_load; - - r = bf_chain_new_from_pack(&chain, child); - if (r) - goto err_load; - - r = bf_rpack_kv_node(node, "hookopts", &child); - if (r) - goto err_load; - if (!bf_rpack_is_nil(child)) { - r = bf_hookopts_new_from_pack(&hookopts, child); - if (r) - goto err_load; - } - - r = bf_cgen_new(&cgen, &chain); - if (r) - goto err_load; - - r = bf_cgen_set(cgen, bf_request_ns(request), - hookopts ? 
&hookopts : NULL); - if (r) { - bf_err_r(r, "failed to set chain '%s'", cgen->chain->name); - goto err_load; - } - - r = bf_ctx_set_cgen(cgen); - if (r) { - /* The codegen is loaded already, if the daemon runs in persistent - * mode, cleaning the codegen won't be sufficient to discard the - * chain, it must be unpinned. */ - bf_cgen_unload(cgen); - goto err_load; - } - - TAKE_PTR(cgen); - } - - return 0; - -err_load: - bf_ctx_flush(); - return r; -} - -int _bf_cli_chain_set(const struct bf_request *request, - struct bf_response **response) -{ - struct bf_cgen *old_cgen; - _free_bf_cgen_ struct bf_cgen *new_cgen = NULL; - _free_bf_chain_ struct bf_chain *chain = NULL; - _free_bf_hookopts_ struct bf_hookopts *hookopts = NULL; - _free_bf_rpack_ bf_rpack_t *pack = NULL; - bf_rpack_node_t root, child; - int r; - - assert(request); - - (void)response; - - r = bf_rpack_new(&pack, bf_request_data(request), - bf_request_data_len(request)); - if (r) - return r; - - root = bf_rpack_root(pack); - - r = bf_rpack_kv_obj(root, "chain", &child); - if (r) - return r; - r = bf_chain_new_from_pack(&chain, child); - if (r) - return r; - - r = bf_rpack_kv_node(root, "hookopts", &child); - if (r) - return r; - if (!bf_rpack_is_nil(child)) { - r = bf_hookopts_new_from_pack(&hookopts, child); - if (r) - return r; - } - - r = bf_cgen_new(&new_cgen, &chain); - if (r) - return r; - - old_cgen = bf_ctx_get_cgen(new_cgen->chain->name); - if (old_cgen) { - /* bf_ctx_delete_cgen() can only fail if the codegen is not found, - * but we know this codegen exist. */ - (void)bf_ctx_delete_cgen(old_cgen, true); - } - - r = bf_cgen_set(new_cgen, bf_request_ns(request), - hookopts ? 
&hookopts : NULL); - if (r) - return r; - - r = bf_ctx_set_cgen(new_cgen); - if (r) { - bf_cgen_unload(new_cgen); - return r; - } - - TAKE_PTR(new_cgen); - - return r; -} - -static int _bf_cli_chain_get(const struct bf_request *request, - struct bf_response **response) -{ - _clean_bf_list_ bf_list counters = - bf_list_default(bf_counter_free, bf_counter_pack); - struct bf_cgen *cgen; - _cleanup_free_ char *name = NULL; - _free_bf_wpack_ bf_wpack_t *wpack = NULL; - _free_bf_rpack_ bf_rpack_t *rpack = NULL; - int r; - - r = bf_rpack_new(&rpack, bf_request_data(request), - bf_request_data_len(request)); - if (r) - return r; - - r = bf_rpack_kv_str(bf_rpack_root(rpack), "name", &name); - if (r) - return r; - - cgen = bf_ctx_get_cgen(name); - if (!cgen) - return bf_err_r(-ENOENT, "chain '%s' not found", name); - - r = bf_cgen_get_counters(cgen, &counters); - if (r) - return bf_err_r(r, "failed to request counters for '%s'", name); - - r = bf_wpack_new(&wpack); - if (r) - return r; - - bf_wpack_open_object(wpack, "chain"); - r = bf_chain_pack(cgen->chain, wpack); - if (r) - return r; - bf_wpack_close_object(wpack); - - if (cgen->handle->link) { - bf_wpack_open_object(wpack, "hookopts"); - r = bf_hookopts_pack(cgen->handle->link->hookopts, wpack); - if (r) - return r; - bf_wpack_close_object(wpack); - } else { - bf_wpack_kv_nil(wpack, "hookopts"); - } - - bf_wpack_kv_list(wpack, "counters", &counters); - - return bf_response_new_from_pack(response, wpack); -} - -int _bf_cli_chain_prog_fd(const struct bf_request *request, - struct bf_response **response) -{ - struct bf_cgen *cgen; - _free_bf_rpack_ bf_rpack_t *pack = NULL; - _cleanup_free_ char *name = NULL; - int r; - - (void)response; - - r = bf_rpack_new(&pack, bf_request_data(request), - bf_request_data_len(request)); - if (r) - return r; - - r = bf_rpack_kv_str(bf_rpack_root(pack), "name", &name); - if (r) - return r; - - cgen = bf_ctx_get_cgen(name); - if (!cgen) - return bf_err_r(-ENOENT, "failed to find chain 
'%s'", name); - - if (cgen->handle->prog_fd == -1) - return bf_err_r(-ENODEV, "chain '%s' has no loaded program", name); - - r = bf_send_fd(bf_request_fd(request), cgen->handle->prog_fd); - if (r < 0) - return bf_err_r(errno, "failed to send prog FD for '%s'", name); - - return 0; -} - -int _bf_cli_chain_logs_fd(const struct bf_request *request, - struct bf_response **response) -{ - struct bf_cgen *cgen; - _free_bf_rpack_ bf_rpack_t *pack = NULL; - _cleanup_free_ char *name = NULL; - int r; - - (void)response; - - r = bf_rpack_new(&pack, bf_request_data(request), - bf_request_data_len(request)); - if (r) - return r; - - r = bf_rpack_kv_str(bf_rpack_root(pack), "name", &name); - if (r) - return r; - - cgen = bf_ctx_get_cgen(name); - if (!cgen) - return bf_err_r(-ENOENT, "failed to find chain '%s'", name); - - if (!cgen->handle->lmap) - return bf_err_r(-ENOENT, "chain '%s' has no logs buffer", name); - - r = bf_send_fd(bf_request_fd(request), cgen->handle->lmap->fd); - if (r < 0) - return bf_err_r(errno, "failed to send logs FD for '%s'", name); - - return 0; -} - -int _bf_cli_chain_load(const struct bf_request *request, - struct bf_response **response) -{ - _free_bf_cgen_ struct bf_cgen *cgen = NULL; - _free_bf_chain_ struct bf_chain *chain = NULL; - _free_bf_rpack_ bf_rpack_t *pack = NULL; - bf_rpack_node_t child; - int r; - - assert(request); - - (void)response; - - r = bf_rpack_new(&pack, bf_request_data(request), - bf_request_data_len(request)); - if (r) - return r; - - r = bf_rpack_kv_obj(bf_rpack_root(pack), "chain", &child); - if (r) - return r; - r = bf_chain_new_from_pack(&chain, child); - if (r) - return r; - - if (bf_ctx_get_cgen(chain->name)) { - return bf_err_r(-EEXIST, - "_bf_cli_chain_load: chain '%s' already exists", - chain->name); - } - - r = bf_cgen_new(&cgen, &chain); - if (r) - return r; - - r = bf_cgen_load(cgen); - if (r) - return r; - - r = bf_ctx_set_cgen(cgen); - if (r) { - bf_cgen_unload(cgen); - return bf_err_r( - r, "bf_ctx_set_cgen: 
failed to add cgen to the runtime context"); - } - - TAKE_PTR(cgen); - - return r; -} - -int _bf_cli_chain_attach(const struct bf_request *request, - struct bf_response **response) -{ - _free_bf_chain_ struct bf_chain *chain = NULL; - _free_bf_hookopts_ struct bf_hookopts *hookopts = NULL; - _free_bf_rpack_ bf_rpack_t *pack = NULL; - _cleanup_free_ char *name = NULL; - struct bf_cgen *cgen = NULL; - bf_rpack_node_t child; - int r; - - assert(request); - - (void)response; - - r = bf_rpack_new(&pack, bf_request_data(request), - bf_request_data_len(request)); - if (r) - return r; - - r = bf_rpack_kv_str(bf_rpack_root(pack), "name", &name); - if (r) - return r; - - r = bf_rpack_kv_obj(bf_rpack_root(pack), "hookopts", &child); - if (r) - return r; - r = bf_hookopts_new_from_pack(&hookopts, child); - if (r) - return r; - - cgen = bf_ctx_get_cgen(name); - if (!cgen) - return bf_err_r(-ENOENT, "chain '%s' does not exist", name); - if (cgen->handle->link) - return bf_err_r(-EBUSY, "chain '%s' is already linked to a hook", name); - - r = bf_hookopts_validate(hookopts, cgen->chain->hook); - if (r) - return bf_err_r(r, "failed to validate hook options"); - - r = bf_cgen_attach(cgen, bf_request_ns(request), &hookopts); - if (r) - return bf_err_r(r, "failed to attach codegen to hook"); - - return r; -} - -int _bf_cli_chain_update(const struct bf_request *request, - struct bf_response **response) -{ - _free_bf_chain_ struct bf_chain *chain = NULL; - struct bf_cgen *cgen = NULL; - _free_bf_rpack_ bf_rpack_t *pack = NULL; - bf_rpack_node_t child; - int r; - - assert(request); - - (void)response; - - r = bf_rpack_new(&pack, bf_request_data(request), - bf_request_data_len(request)); - if (r) - return r; - - r = bf_rpack_kv_obj(bf_rpack_root(pack), "chain", &child); - if (r) - return r; - r = bf_chain_new_from_pack(&chain, child); - if (r) - return r; - - cgen = bf_ctx_get_cgen(chain->name); - if (!cgen) - return -ENOENT; - - r = bf_cgen_update(cgen, &chain, 0); - if (r) - return 
-EINVAL; - - return r; -} - -int _bf_cli_chain_flush(const struct bf_request *request, - struct bf_response **response) -{ - struct bf_cgen *cgen = NULL; - _free_bf_rpack_ bf_rpack_t *pack = NULL; - _cleanup_free_ char *name = NULL; - int r; - - assert(request); - - (void)response; - - r = bf_rpack_new(&pack, bf_request_data(request), - bf_request_data_len(request)); - if (r) - return r; - - r = bf_rpack_kv_str(bf_rpack_root(pack), "name", &name); - if (r) - return r; - - cgen = bf_ctx_get_cgen(name); - if (!cgen) - return -ENOENT; - - return bf_ctx_delete_cgen(cgen, true); -} - -int _bf_cli_chain_update_set(const struct bf_request *request, - struct bf_response **response) -{ - _free_bf_set_ struct bf_set *to_add = NULL; - _free_bf_set_ struct bf_set *to_remove = NULL; - _free_bf_chain_ struct bf_chain *new_chain = NULL; - _free_bf_rpack_ bf_rpack_t *pack = NULL; - struct bf_set *dest_set = NULL; - _cleanup_free_ char *chain_name = NULL; - struct bf_cgen *cgen = NULL; - bf_rpack_node_t child; - int r; - - assert(request); - - (void)response; - - r = bf_rpack_new(&pack, bf_request_data(request), - bf_request_data_len(request)); - if (r) - return r; - - r = bf_rpack_kv_str(bf_rpack_root(pack), "name", &chain_name); - if (r) - return r; - - r = bf_rpack_kv_obj(bf_rpack_root(pack), "to_add", &child); - if (r) - return r; - r = bf_set_new_from_pack(&to_add, child); - if (r) - return r; - - r = bf_rpack_kv_obj(bf_rpack_root(pack), "to_remove", &child); - if (r) - return r; - r = bf_set_new_from_pack(&to_remove, child); - if (r) - return r; - - if (!bf_streq(to_add->name, to_remove->name)) - return bf_err_r(-EINVAL, "to_add->name must match to_remove->name"); - - cgen = bf_ctx_get_cgen(chain_name); - if (!cgen) - return bf_err_r(-ENOENT, "chain '%s' does not exist", chain_name); - - r = bf_chain_new_from_copy(&new_chain, cgen->chain); - if (r) - return r; - - dest_set = bf_chain_get_set_by_name(new_chain, to_add->name); - if (!dest_set) - return bf_err_r(-ENOENT, "set 
'%s' does not exist", to_add->name); - - r = bf_set_add_many(dest_set, &to_add); - if (r) - return bf_err_r(r, "failed to calculate set union"); - - r = bf_set_remove_many(dest_set, &to_remove); - if (r) - return bf_err_r(r, "failed to calculate set difference"); - - r = bf_cgen_update(cgen, &new_chain, - BF_FLAG(BF_CGEN_UPDATE_PRESERVE_COUNTERS)); - if (r) - return bf_err_r(r, "failed to update chain with new set data"); - - return 0; -} - -int bf_request_handler(const struct bf_request *request, - struct bf_response **response) -{ - int r; - - assert(request); - assert(response); - - switch (bf_request_cmd(request)) { - case BF_REQ_RULESET_FLUSH: - r = _bf_cli_ruleset_flush(request, response); - break; - case BF_REQ_RULESET_SET: - r = _bf_cli_ruleset_set(request, response); - break; - case BF_REQ_RULESET_GET: - r = _bf_cli_ruleset_get(request, response); - break; - case BF_REQ_CHAIN_SET: - r = _bf_cli_chain_set(request, response); - break; - case BF_REQ_CHAIN_GET: - r = _bf_cli_chain_get(request, response); - break; - case BF_REQ_CHAIN_PROG_FD: - r = _bf_cli_chain_prog_fd(request, response); - break; - case BF_REQ_CHAIN_LOGS_FD: - r = _bf_cli_chain_logs_fd(request, response); - break; - case BF_REQ_CHAIN_LOAD: - r = _bf_cli_chain_load(request, response); - break; - case BF_REQ_CHAIN_ATTACH: - r = _bf_cli_chain_attach(request, response); - break; - case BF_REQ_CHAIN_UPDATE: - r = _bf_cli_chain_update(request, response); - break; - case BF_REQ_CHAIN_FLUSH: - r = _bf_cli_chain_flush(request, response); - break; - case BF_REQ_CHAIN_UPDATE_SET: - r = _bf_cli_chain_update_set(request, response); - break; - default: - r = bf_err_r(-EINVAL, "unsupported command %d", - bf_request_cmd(request)); - break; - } - - /* If the callback don't need to send data back to the client, it can skip - * the response creation and return a status code instead (0 on success, - * negative errno value on error). The response is created based on the - * status code. 
 */
- if (!*response) {
- if (!r)
- r = bf_response_new_success(response, NULL, 0);
- else
- r = bf_response_new_failure(response, r);
- }
-
- return r;
-}
diff --git a/src/libbpfilter/CMakeLists.txt b/src/libbpfilter/CMakeLists.txt
index be6a5205c..4c81c32fa 100644
--- a/src/libbpfilter/CMakeLists.txt
+++ b/src/libbpfilter/CMakeLists.txt
@@ -3,6 +3,9 @@
 find_package(PkgConfig REQUIRED)
 pkg_check_modules(bpf REQUIRED IMPORTED_TARGET libbpf)
+pkg_check_modules(nl REQUIRED IMPORTED_TARGET libnl-3.0)
+
+include(ElfStubs)
 set(libbpfilter_srcs
 # Public interface
@@ -12,8 +15,10 @@ set(libbpfilter_srcs
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/btf.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/chain.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/counter.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/ctx.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/dump.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/dynbuf.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/elfstub.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/flavor.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/helper.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/hook.h
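Review bot: `pkg_check_modules(nl REQUIRED IMPORTED_TARGET libnl-3.0)` makes libnl-3.0 a hard build and runtime dependency of the shared library, and the `@@ -97,6 +137,7 @@` hunk links it as `PkgConfig::nl`, but the change does not record the new requirement anywhere a packager or user would look for it next to libbpf. The hunk also gives no hint which source file needs libnl, so the line risks being dropped as unused later; a one-line comment such as `# libnl-3.0: required by <TODO: name the consuming source file>` beside the call would address both. Separately, in the `@@ -22,23 +27,22 @@` hunk `cgen/elfstub.c` is listed among the top-level private sources rather than under the `# Code generation engine` group introduced further down, where every other `cgen/` file is grouped.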
@@ -22,23 +27,22 @@ set(libbpfilter_srcs
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/list.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/logger.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/matcher.h
- ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/ns.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/pack.h
- ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/request.h
- ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/response.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/rule.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/runtime.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/set.h
 ${CMAKE_CURRENT_SOURCE_DIR}/include/bpfilter/verdict.h
- # Private sources and headers
+ # Private sources and headers
 ${CMAKE_CURRENT_SOURCE_DIR}/bpf.c
 ${CMAKE_CURRENT_SOURCE_DIR}/btf.c
 ${CMAKE_CURRENT_SOURCE_DIR}/chain.c
 ${CMAKE_CURRENT_SOURCE_DIR}/cli.c
 ${CMAKE_CURRENT_SOURCE_DIR}/counter.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/ctx.c
 ${CMAKE_CURRENT_SOURCE_DIR}/dump.c
 ${CMAKE_CURRENT_SOURCE_DIR}/dynbuf.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.c
 ${CMAKE_CURRENT_SOURCE_DIR}/flavor.c
 ${CMAKE_CURRENT_SOURCE_DIR}/helper.c
 ${CMAKE_CURRENT_SOURCE_DIR}/hook.c
@@ -48,17 +52,40 @@ set(libbpfilter_srcs
 ${CMAKE_CURRENT_SOURCE_DIR}/logger.c
 ${CMAKE_CURRENT_SOURCE_DIR}/matcher.c
 ${CMAKE_CURRENT_SOURCE_DIR}/pack.c
- ${CMAKE_CURRENT_SOURCE_DIR}/ns.c
- ${CMAKE_CURRENT_SOURCE_DIR}/request.c
- ${CMAKE_CURRENT_SOURCE_DIR}/response.c
 ${CMAKE_CURRENT_SOURCE_DIR}/rule.c
 ${CMAKE_CURRENT_SOURCE_DIR}/set.c
 ${CMAKE_CURRENT_SOURCE_DIR}/verdict.c
 ${CMAKE_CURRENT_SOURCE_DIR}/version.c
+ # Code generation engine
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/handle.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/handle.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/jmp.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/jmp.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/ip4.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/ip4.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/ip6.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/ip6.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/tcp.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/tcp.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/udp.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/udp.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/meta.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/meta.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/set.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/set.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/icmp.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/icmp.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/nf.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/nf.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/printer.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/printer.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/program.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/program.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/prog/link.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/prog/link.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/prog/map.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/prog/map.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/runtime.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/stub.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/stub.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/swich.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/swich.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/tc.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/tc.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/xdp.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/xdp.c
+
 # External
 ${CMAKE_SOURCE_DIR}/src/external/include/mpack.h ${CMAKE_SOURCE_DIR}/src/external/mpack.c
+ ${CMAKE_SOURCE_DIR}/src/external/include/disasm.h ${CMAKE_SOURCE_DIR}/src/external/disasm.c
 )
 configure_file(
@@ -78,6 +105,19 @@ add_library(libbpfilter
 ${libbpfilter_srcs}
 )
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/include/cgen)
+bf_target_add_elfstubs(libbpfilter
+ DIR ${CMAKE_CURRENT_SOURCE_DIR}/bpf
+ SYM_PREFIX "_bf_rawstubs_"
+ DECL_HDR_PATH ${CMAKE_CURRENT_BINARY_DIR}/include/cgen/rawstubs.h
+ STUBS
+ "parse_ipv6_eh"
+ "parse_ipv6_nh"
+ "update_counters"
+ "log"
+ "flow_hash"
+)
+
 target_compile_definitions(libbpfilter
 PRIVATE
 # MPack should use the C standard library API
@@ -97,6 +137,7 @@ target_link_libraries(libbpfilter
 PRIVATE
 bf_global_flags
 m
+ PkgConfig::nl
 PUBLIC
 PkgConfig::bpf
 )
diff --git a/src/bpfilter/bpf/flow_hash.bpf.c b/src/libbpfilter/bpf/flow_hash.bpf.c
similarity index 100%
rename from src/bpfilter/bpf/flow_hash.bpf.c
rename to src/libbpfilter/bpf/flow_hash.bpf.c
diff --git a/src/bpfilter/bpf/log.bpf.c b/src/libbpfilter/bpf/log.bpf.c
similarity index 100%
rename from src/bpfilter/bpf/log.bpf.c
rename to src/libbpfilter/bpf/log.bpf.c
diff --git a/src/bpfilter/bpf/parse_ipv6_eh.bpf.c b/src/libbpfilter/bpf/parse_ipv6_eh.bpf.c
similarity index 100%
rename from src/bpfilter/bpf/parse_ipv6_eh.bpf.c
rename to src/libbpfilter/bpf/parse_ipv6_eh.bpf.c
diff --git a/src/bpfilter/bpf/parse_ipv6_nh.bpf.c b/src/libbpfilter/bpf/parse_ipv6_nh.bpf.c
similarity index 100%
rename from src/bpfilter/bpf/parse_ipv6_nh.bpf.c
rename to src/libbpfilter/bpf/parse_ipv6_nh.bpf.c
diff --git a/src/bpfilter/bpf/update_counters.bpf.c b/src/libbpfilter/bpf/update_counters.bpf.c
similarity index 100%
rename from src/bpfilter/bpf/update_counters.bpf.c
rename to src/libbpfilter/bpf/update_counters.bpf.c
diff --git a/src/bpfilter/cgen/cgen.c b/src/libbpfilter/cgen/cgen.c
similarity index 80%
rename from src/bpfilter/cgen/cgen.c
rename to src/libbpfilter/cgen/cgen.c
index 1d03b49da..c952a5b37 100644
--- a/src/bpfilter/cgen/cgen.c
+++ b/src/libbpfilter/cgen/cgen.c
@@ -17,13 +17,13 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
 #include
 #include
 #include
-#include
 #include
 #include "cgen/dump.h"
@@ -31,7 +31,6 @@
 #include "cgen/prog/link.h"
 #include "cgen/prog/map.h"
 #include "cgen/program.h"
-#include "ctx.h"
 #define _BF_PROG_NAME "bf_prog"
 #define _BF_CTX_PIN_NAME "bf_ctx"
@@ -235,7 +234,8 @@ void bf_cgen_free(struct bf_cgen **cgen)
 * the chain hasn't been pinned (e.g. due to a failure), the pin directory
 * will be empty and will be removed. If the chain is valid and pinned, then
 * the removal of the pin directory will fail, but that's alright. */
- if (!bf_ctx_is_transient() && (pin_fd = bf_ctx_get_pindir_fd()) >= 0)
+ pin_fd = bf_ctx_get_pindir_fd();
+ if (pin_fd >= 0)
 bf_rmdir_at(pin_fd, (*cgen)->chain->name, false);
 bf_handle_free(&(*cgen)->handle);
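Review bot: In the `@@ -235,7 +234,8 @@` hunk, `bf_cgen_free` now attempts `bf_rmdir_at(pin_fd, (*cgen)->chain->name, false)` for every cgen it frees, where the old code skipped it in transient mode. As the comment above it explains, this is only harmless because removing a non-empty pin directory fails, so the last argument — which I read as "non-recursive", please confirm — is load-bearing: if it were ever flipped, freeing a cgen object that merely refers to an existing chain would delete that chain's pins. Now that there is no daemon and this code runs in the caller's process, it is worth making that explicit, e.g. `/* must stay non-recursive: a pinned chain's directory is never empty, so the rmdir is a no-op for live chains */`. `bf_cgen_free` starts before this hunk.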
@@ -305,21 +305,17 @@ int bf_cgen_get_counter(const struct bf_cgen *cgen, return bf_handle_get_counter(cgen->handle, counter_idx, counter); } -int bf_cgen_set(struct bf_cgen *cgen, const struct bf_ns *ns, - struct bf_hookopts **hookopts) +int bf_cgen_set(struct bf_cgen *cgen, struct bf_hookopts **hookopts) { _free_bf_program_ struct bf_program *prog = NULL; _cleanup_close_ int pindir_fd = -1; - bool persist = !bf_ctx_is_transient(); int r; assert(cgen); - if (persist) { - pindir_fd = _bf_cgen_get_chain_pindir_fd(cgen->chain->name); - if (pindir_fd < 0) - return pindir_fd; - } + pindir_fd = _bf_cgen_get_chain_pindir_fd(cgen->chain->name); + if (pindir_fd < 0) + return pindir_fd; r = bf_program_new(&prog, cgen->chain, cgen->handle); if (r < 0) @@ -334,29 +330,20 @@ int bf_cgen_set(struct bf_cgen *cgen, const struct bf_ns *ns, return bf_err_r(r, "failed to load the chain"); if (hookopts) { - r = bf_ns_set(ns, bf_ctx_get_ns()); - if (r) - return bf_err_r(r, "failed to switch to the client's namespaces"); - r = bf_handle_attach(cgen->handle, cgen->chain->hook, hookopts); if (r < 0) return bf_err_r(r, "failed to load and attach the chain"); - - if (bf_ns_set(bf_ctx_get_ns(), ns)) - bf_abort("failed to restore previous namespaces, aborting"); } - if (persist) { - r = bf_handle_pin(cgen->handle, pindir_fd); - if (r) - return r; + r = bf_handle_pin(cgen->handle, pindir_fd); + if (r) + return r; - r = _bf_cgen_persist(cgen, pindir_fd); - if (r) { - bf_handle_unpin(cgen->handle, pindir_fd); - return bf_err_r(r, "failed to persist cgen for '%s'", - cgen->chain->name); - } + r = _bf_cgen_persist(cgen, pindir_fd); + if (r) { + bf_handle_unpin(cgen->handle, pindir_fd); + return bf_err_r(r, "failed to persist cgen for '%s'", + cgen->chain->name); } return 0; 
@@ -366,16 +353,13 @@ int bf_cgen_load(struct bf_cgen *cgen) { _free_bf_program_ struct bf_program *prog = NULL; _cleanup_close_ int pindir_fd = -1; - bool persist = !bf_ctx_is_transient(); int r; assert(cgen); - if (persist) { - pindir_fd = _bf_cgen_get_chain_pindir_fd(cgen->chain->name); - if (pindir_fd < 0) - return pindir_fd; - } + pindir_fd = _bf_cgen_get_chain_pindir_fd(cgen->chain->name); + if (pindir_fd < 0) + return pindir_fd; r = bf_program_new(&prog, cgen->chain, cgen->handle); if (r < 0) @@ -389,17 +373,15 @@ int bf_cgen_load(struct bf_cgen *cgen) if (r < 0) return bf_err_r(r, "failed to load the chain"); - if (persist) { - r = bf_handle_pin(cgen->handle, pindir_fd); - if (r) - return r; + r = bf_handle_pin(cgen->handle, pindir_fd); + if (r) + return r; - r = _bf_cgen_persist(cgen, pindir_fd); - if (r) { - bf_handle_unpin(cgen->handle, pindir_fd); - return bf_err_r(r, "failed to persist cgen for '%s'", - cgen->chain->name); - } + r = _bf_cgen_persist(cgen, pindir_fd); + if (r) { + bf_handle_unpin(cgen->handle, pindir_fd); + return bf_err_r(r, "failed to persist cgen for '%s'", + cgen->chain->name); } bf_info("load %s", cgen->chain->name); 
@@ -408,52 +390,38 @@ int bf_cgen_load(struct bf_cgen *cgen) return 0; } -int bf_cgen_attach(struct bf_cgen *cgen, const struct bf_ns *ns, - struct bf_hookopts **hookopts) +int bf_cgen_attach(struct bf_cgen *cgen, struct bf_hookopts **hookopts) { _cleanup_close_ int pindir_fd = -1; - bool persist = !bf_ctx_is_transient(); int r; assert(cgen); - assert(ns); assert(hookopts); bf_info("attaching %s to %s", cgen->chain->name, bf_hook_to_str(cgen->chain->hook)); bf_hookopts_dump(*hookopts, EMPTY_PREFIX); - if (persist) { - pindir_fd = _bf_cgen_get_chain_pindir_fd(cgen->chain->name); - if (pindir_fd < 0) - return pindir_fd; - } - - r = bf_ns_set(ns, bf_ctx_get_ns()); - if (r) - return bf_err_r(r, "failed to switch to the client's namespaces"); + pindir_fd = _bf_cgen_get_chain_pindir_fd(cgen->chain->name); + if (pindir_fd < 0) + return pindir_fd; r = bf_handle_attach(cgen->handle, cgen->chain->hook, hookopts); if (r < 0) return bf_err_r(r, "failed to attach chain '%s'", cgen->chain->name); - if (bf_ns_set(bf_ctx_get_ns(), ns)) - bf_abort("failed to restore previous namespaces, aborting"); - - if (persist) { - r = bf_link_pin(cgen->handle->link, pindir_fd); - if (r) { - bf_handle_detach(cgen->handle); - return r; - } + r = bf_link_pin(cgen->handle->link, pindir_fd); + if (r) { + bf_handle_detach(cgen->handle); + return r; + } - r = _bf_cgen_persist(cgen, pindir_fd); - if (r) { - bf_link_unpin(cgen->handle->link, pindir_fd); - bf_handle_detach(cgen->handle); - return bf_err_r(r, "failed to persist cgen for '%s'", - cgen->chain->name); - } + r = _bf_cgen_persist(cgen, pindir_fd); + if (r) { + bf_link_unpin(cgen->handle->link, pindir_fd); + bf_handle_detach(cgen->handle); + return bf_err_r(r, "failed to persist cgen for '%s'", + cgen->chain->name); } return r; 
@@ -508,7 +476,6 @@ int bf_cgen_update(struct bf_cgen *cgen, struct bf_chain **new_chain, _free_bf_program_ struct bf_program *new_prog = NULL; _free_bf_handle_ struct bf_handle *new_handle = NULL; _cleanup_close_ int pindir_fd = -1; - bool persist = !bf_ctx_is_transient(); struct bf_handle *old_handle; int r; @@ -520,11 +487,9 @@ int bf_cgen_update(struct bf_cgen *cgen, struct bf_chain **new_chain, old_handle = cgen->handle; - if (persist) { - pindir_fd = _bf_cgen_get_chain_pindir_fd((*new_chain)->name); - if (pindir_fd < 0) - return pindir_fd; - } + pindir_fd = _bf_cgen_get_chain_pindir_fd((*new_chain)->name); + if (pindir_fd < 0) + return pindir_fd; r = bf_handle_new(&new_handle, _BF_PROG_NAME); if (r) @@ -557,14 +522,13 @@ int bf_cgen_update(struct bf_cgen *cgen, struct bf_chain **new_chain, return bf_err_r(r, "failed to transfer counters"); } - if (persist) - bf_handle_unpin(old_handle, pindir_fd); + bf_handle_unpin(old_handle, pindir_fd); if (old_handle->link) { r = bf_link_update(old_handle->link, new_handle->prog_fd); if (r) { bf_err_r(r, "failed to update bf_link object with new program"); - if (persist && bf_handle_pin(old_handle, pindir_fd) < 0) + if (bf_handle_pin(old_handle, pindir_fd) < 0) bf_err("failed to repin old handle, ignoring"); return r; } 
@@ -575,29 +539,25 @@ int bf_cgen_update(struct bf_cgen *cgen, struct bf_chain **new_chain, bf_swap(cgen->handle, new_handle); - if (persist) { - r = bf_handle_pin(cgen->handle, pindir_fd); - if (r) - return bf_err_r(r, "failed to pin new handle"); + r = bf_handle_pin(cgen->handle, pindir_fd); + if (r) + return bf_err_r(r, "failed to pin new handle"); - r = _bf_cgen_persist(cgen, pindir_fd); - if (r) { - bf_handle_unpin(cgen->handle, pindir_fd); - return bf_err_r(r, "failed to persist cgen for '%s'", - cgen->chain->name); - } + r = _bf_cgen_persist(cgen, pindir_fd); + if (r) { + bf_handle_unpin(cgen->handle, pindir_fd); + return bf_err_r(r, "failed to persist cgen for '%s'", + cgen->chain->name); } bf_chain_free(&cgen->chain); cgen->chain = TAKE_PTR(*new_chain); - if (persist) { - r = _bf_cgen_persist(cgen, pindir_fd); - if (r) { - bf_handle_unpin(cgen->handle, pindir_fd); - return bf_err_r(r, "failed to persist cgen for '%s'", - cgen->chain->name); - } + r = _bf_cgen_persist(cgen, pindir_fd); + if (r) { + bf_handle_unpin(cgen->handle, pindir_fd); + return bf_err_r(r, "failed to persist cgen for '%s'", + cgen->chain->name); } return 0; diff --git a/src/bpfilter/cgen/cgen.h b/src/libbpfilter/cgen/cgen.h similarity index 93% rename from src/bpfilter/cgen/cgen.h rename to src/libbpfilter/cgen/cgen.h index dde1891ca..e5760b9da 100644 --- a/src/bpfilter/cgen/cgen.h +++ b/src/libbpfilter/cgen/cgen.h @@ -14,7 +14,6 @@ struct bf_chain; struct bf_handle; -struct bf_ns; struct bf_hookopts; #define _free_bf_cgen_ __attribute__((cleanup(bf_cgen_free))) 
@@ -68,7 +67,7 @@ int bf_cgen_new_from_dir_fd(struct bf_cgen **cgen, int dir_fd); * If one or more programs are loaded, they won't be unloaded. Use @ref * bf_cgen_unload first to ensure programs are unloaded. This behaviour * is expected so @ref bf_cgen can be freed without unloading the BPF - * program, during a daemon restart for example. + * program, during a restart for example. * * @param cgen Codegen to free. Can't be NULL. */ @@ -90,12 +89,10 @@ int bf_cgen_pack(const struct bf_cgen *cgen, bf_wpack_t *pack); * is assumed that no chain with the same name exist. * * @param cgen Codegen to attach to the kernel. Can't be NULL. - * @param ns Namespaces to switch to before attaching the programs. Can't be NULL. * @param hookopts Hook options. * @return 0 on success, or negative errno value on failure. */ -int bf_cgen_set(struct bf_cgen *cgen, const struct bf_ns *ns, - struct bf_hookopts **hookopts); +int bf_cgen_set(struct bf_cgen *cgen, struct bf_hookopts **hookopts); /** * Create and load a `bf_program` into the kernel. @@ -118,12 +115,10 @@ int bf_cgen_load(struct bf_cgen *cgen); * the program filters on (e.g. `meta.iface`, for all hooks) is correct too. * * @param cgen Codegen to attach to the kernel. Can't be NULL. - * @param ns Namespaces to switch to before attaching the programs. Can't be NULL. * @param hookopts Hook options. Can't be NULL. * @return 0 on success, or negative errno value on failure. */ -int bf_cgen_attach(struct bf_cgen *cgen, const struct bf_ns *ns, - struct bf_hookopts **hookopts); +int bf_cgen_attach(struct bf_cgen *cgen, struct bf_hookopts **hookopts); /** * Flags to control the behavior of `bf_cgen_update`. diff --git a/src/bpfilter/cgen/cgroup_skb.c b/src/libbpfilter/cgen/cgroup_skb.c similarity index 100% rename from src/bpfilter/cgen/cgroup_skb.c rename to src/libbpfilter/cgen/cgroup_skb.c 
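Review bot: The doc comments for `bf_cgen_set` and `bf_cgen_attach` lose the `@param ns` line but do not say where the programs are now attached; the matching cgen.c hunks drop the `bf_ns_set` switch, so the attach happens in whatever namespaces the calling process is in at that moment. Add to both comments ` * Programs are attached in the calling process's current namespaces; the caller must enter the target namespaces before calling this function.` so library users do not assume the old daemon-side switch still happens.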
diff --git a/src/bpfilter/cgen/cgroup_skb.h b/src/libbpfilter/cgen/cgroup_skb.h similarity index 100% rename from src/bpfilter/cgen/cgroup_skb.h rename to src/libbpfilter/cgen/cgroup_skb.h diff --git a/src/bpfilter/cgen/dump.c b/src/libbpfilter/cgen/dump.c similarity index 100% rename from src/bpfilter/cgen/dump.c rename to src/libbpfilter/cgen/dump.c diff --git a/src/bpfilter/cgen/dump.h b/src/libbpfilter/cgen/dump.h similarity index 100% rename from src/bpfilter/cgen/dump.h rename to src/libbpfilter/cgen/dump.h diff --git a/src/bpfilter/cgen/elfstub.c b/src/libbpfilter/cgen/elfstub.c similarity index 99% rename from src/bpfilter/cgen/elfstub.c rename to src/libbpfilter/cgen/elfstub.c index 0e96ef184..56efa2e99 100644 --- a/src/bpfilter/cgen/elfstub.c +++ b/src/libbpfilter/cgen/elfstub.c @@ -3,14 +3,13 @@ * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */ -#include "cgen/elfstub.h" - #include #include #include #include +#include #include #include diff --git a/src/bpfilter/cgen/fixup.c b/src/libbpfilter/cgen/fixup.c similarity index 100% rename from src/bpfilter/cgen/fixup.c rename to src/libbpfilter/cgen/fixup.c diff --git a/src/bpfilter/cgen/fixup.h b/src/libbpfilter/cgen/fixup.h similarity index 98% rename from src/bpfilter/cgen/fixup.h rename to src/libbpfilter/cgen/fixup.h index bf43a8468..8b5f832bb 100644 --- a/src/bpfilter/cgen/fixup.h +++ b/src/libbpfilter/cgen/fixup.h @@ -8,8 +8,7 @@ #include #include - -#include "cgen/elfstub.h" +#include /** * Field to fixup in a @c bpf_insn structure. diff --git a/src/bpfilter/cgen/handle.c b/src/libbpfilter/cgen/handle.c similarity index 100% rename from src/bpfilter/cgen/handle.c rename to src/libbpfilter/cgen/handle.c diff --git a/src/bpfilter/cgen/handle.h b/src/libbpfilter/cgen/handle.h similarity index 100% rename from src/bpfilter/cgen/handle.h rename to src/libbpfilter/cgen/handle.h 
diff --git a/src/bpfilter/cgen/jmp.c b/src/libbpfilter/cgen/jmp.c similarity index 100% rename from src/bpfilter/cgen/jmp.c rename to src/libbpfilter/cgen/jmp.c diff --git a/src/bpfilter/cgen/jmp.h b/src/libbpfilter/cgen/jmp.h similarity index 100% rename from src/bpfilter/cgen/jmp.h rename to src/libbpfilter/cgen/jmp.h diff --git a/src/bpfilter/cgen/matcher/icmp.c b/src/libbpfilter/cgen/matcher/icmp.c similarity index 100% rename from src/bpfilter/cgen/matcher/icmp.c rename to src/libbpfilter/cgen/matcher/icmp.c diff --git a/src/bpfilter/cgen/matcher/icmp.h b/src/libbpfilter/cgen/matcher/icmp.h similarity index 100% rename from src/bpfilter/cgen/matcher/icmp.h rename to src/libbpfilter/cgen/matcher/icmp.h diff --git a/src/bpfilter/cgen/matcher/ip4.c b/src/libbpfilter/cgen/matcher/ip4.c similarity index 100% rename from src/bpfilter/cgen/matcher/ip4.c rename to src/libbpfilter/cgen/matcher/ip4.c diff --git a/src/bpfilter/cgen/matcher/ip4.h b/src/libbpfilter/cgen/matcher/ip4.h similarity index 100% rename from src/bpfilter/cgen/matcher/ip4.h rename to src/libbpfilter/cgen/matcher/ip4.h diff --git a/src/bpfilter/cgen/matcher/ip6.c b/src/libbpfilter/cgen/matcher/ip6.c similarity index 100% rename from src/bpfilter/cgen/matcher/ip6.c rename to src/libbpfilter/cgen/matcher/ip6.c diff --git a/src/bpfilter/cgen/matcher/ip6.h b/src/libbpfilter/cgen/matcher/ip6.h similarity index 100% rename from src/bpfilter/cgen/matcher/ip6.h rename to src/libbpfilter/cgen/matcher/ip6.h diff --git a/src/bpfilter/cgen/matcher/meta.c b/src/libbpfilter/cgen/matcher/meta.c similarity index 99% rename from src/bpfilter/cgen/matcher/meta.c rename to src/libbpfilter/cgen/matcher/meta.c index 02f123006..2c9019c23 100644 --- a/src/bpfilter/cgen/matcher/meta.c +++ b/src/libbpfilter/cgen/matcher/meta.c @@ -17,10 +17,10 @@ #include #include +#include #include #include -#include "cgen/elfstub.h" #include "cgen/program.h" #include "cgen/runtime.h" #include "cgen/swich.h" 
diff --git a/src/bpfilter/cgen/matcher/meta.h b/src/libbpfilter/cgen/matcher/meta.h
similarity index 100%
rename from src/bpfilter/cgen/matcher/meta.h
rename to src/libbpfilter/cgen/matcher/meta.h
diff --git a/src/bpfilter/cgen/matcher/set.c b/src/libbpfilter/cgen/matcher/set.c
similarity index 100%
rename from src/bpfilter/cgen/matcher/set.c
rename to src/libbpfilter/cgen/matcher/set.c
diff --git a/src/bpfilter/cgen/matcher/set.h b/src/libbpfilter/cgen/matcher/set.h
similarity index 100%
rename from src/bpfilter/cgen/matcher/set.h
rename to src/libbpfilter/cgen/matcher/set.h
diff --git a/src/bpfilter/cgen/matcher/tcp.c b/src/libbpfilter/cgen/matcher/tcp.c
similarity index 100%
rename from src/bpfilter/cgen/matcher/tcp.c
rename to src/libbpfilter/cgen/matcher/tcp.c
diff --git a/src/bpfilter/cgen/matcher/tcp.h b/src/libbpfilter/cgen/matcher/tcp.h
similarity index 100%
rename from src/bpfilter/cgen/matcher/tcp.h
rename to src/libbpfilter/cgen/matcher/tcp.h
diff --git a/src/bpfilter/cgen/matcher/udp.c b/src/libbpfilter/cgen/matcher/udp.c
similarity index 100%
rename from src/bpfilter/cgen/matcher/udp.c
rename to src/libbpfilter/cgen/matcher/udp.c
diff --git a/src/bpfilter/cgen/matcher/udp.h b/src/libbpfilter/cgen/matcher/udp.h
similarity index 100%
rename from src/bpfilter/cgen/matcher/udp.h
rename to src/libbpfilter/cgen/matcher/udp.h
diff --git a/src/bpfilter/cgen/nf.c b/src/libbpfilter/cgen/nf.c
similarity index 100%
rename from src/bpfilter/cgen/nf.c
rename to src/libbpfilter/cgen/nf.c
diff --git a/src/bpfilter/cgen/nf.h b/src/libbpfilter/cgen/nf.h
similarity index 100%
rename from src/bpfilter/cgen/nf.h
rename to src/libbpfilter/cgen/nf.h
diff --git a/src/bpfilter/cgen/printer.c b/src/libbpfilter/cgen/printer.c
similarity index 100%
rename from src/bpfilter/cgen/printer.c
rename to src/libbpfilter/cgen/printer.c
diff --git a/src/bpfilter/cgen/printer.h b/src/libbpfilter/cgen/printer.h similarity index 99% rename from src/bpfilter/cgen/printer.h rename to src/libbpfilter/cgen/printer.h index f073eafa6..1e8ceb2fd 100644 --- a/src/bpfilter/cgen/printer.h +++ b/src/libbpfilter/cgen/printer.h @@ -9,11 +9,10 @@ #include +#include #include #include -#include "ctx.h" - /** * @file printer.h * diff --git a/src/bpfilter/cgen/prog/link.c b/src/libbpfilter/cgen/prog/link.c similarity index 100% rename from src/bpfilter/cgen/prog/link.c rename to src/libbpfilter/cgen/prog/link.c diff --git a/src/bpfilter/cgen/prog/link.h b/src/libbpfilter/cgen/prog/link.h similarity index 100% rename from src/bpfilter/cgen/prog/link.h rename to src/libbpfilter/cgen/prog/link.h diff --git a/src/bpfilter/cgen/prog/map.c b/src/libbpfilter/cgen/prog/map.c similarity index 99% rename from src/bpfilter/cgen/prog/map.c rename to src/libbpfilter/cgen/prog/map.c index f52aa3d89..42e9d238e 100644 --- a/src/bpfilter/cgen/prog/map.c +++ b/src/libbpfilter/cgen/prog/map.c @@ -18,12 +18,11 @@ #include #include #include +#include #include #include #include -#include "ctx.h" - #define _free_bf_btf_ __attribute__((__cleanup__(_bf_btf_free))) static void _bf_btf_free(struct bf_btf **btf); diff --git a/src/bpfilter/cgen/prog/map.h b/src/libbpfilter/cgen/prog/map.h similarity index 100% rename from src/bpfilter/cgen/prog/map.h rename to src/libbpfilter/cgen/prog/map.h diff --git a/src/bpfilter/cgen/program.c b/src/libbpfilter/cgen/program.c similarity index 99% rename from src/bpfilter/cgen/program.c rename to src/libbpfilter/cgen/program.c index 33853f0c1..8af61fb05 100644 --- a/src/bpfilter/cgen/program.c +++ b/src/libbpfilter/cgen/program.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -55,7 +56,6 @@ #include "cgen/stub.h" #include "cgen/tc.h" #include "cgen/xdp.h" -#include "ctx.h" #include "filter.h" #define _BF_LOG_BUF_SIZE \ 
diff --git a/src/bpfilter/cgen/program.h b/src/libbpfilter/cgen/program.h similarity index 99% rename from src/bpfilter/cgen/program.h rename to src/libbpfilter/cgen/program.h index 6aa0434fe..c5bd81db1 100644 --- a/src/bpfilter/cgen/program.h +++ b/src/libbpfilter/cgen/program.h @@ -10,12 +10,12 @@ #include #include +#include #include #include #include #include -#include "cgen/elfstub.h" #include "cgen/fixup.h" #include "cgen/printer.h" #include "cgen/runtime.h" @@ -257,7 +257,7 @@ int bf_program_generate(struct bf_program *program); * loaded, all the maps are destroyed. * * Once the loading succeeds, the program and the maps are pinned to the - * filesystem, unless the daemon is in transient mode. If the BPF objects can't + * filesystem, unless bpfilter is in transient mode. If the BPF objects can't * be pinned, the program is unloaded and the maps destroyed. * * @param prog Program to load into the kernel. Can't be NULL and must contain diff --git a/src/bpfilter/cgen/runtime.h b/src/libbpfilter/cgen/runtime.h similarity index 100% rename from src/bpfilter/cgen/runtime.h rename to src/libbpfilter/cgen/runtime.h diff --git a/src/bpfilter/cgen/stub.c b/src/libbpfilter/cgen/stub.c similarity index 99% rename from src/bpfilter/cgen/stub.c rename to src/libbpfilter/cgen/stub.c index f867d6c34..e76d7112a 100644 --- a/src/bpfilter/cgen/stub.c +++ b/src/libbpfilter/cgen/stub.c @@ -20,17 +20,17 @@ #include #include +#include +#include #include #include #include #include -#include "cgen/elfstub.h" #include "cgen/jmp.h" #include "cgen/printer.h" #include "cgen/program.h" #include "cgen/swich.h" -#include "ctx.h" #include "filter.h" #define _BF_LOW_EH_BITMASK 0x1801800000000801ULL diff --git a/src/bpfilter/cgen/stub.h b/src/libbpfilter/cgen/stub.h similarity index 100% rename from src/bpfilter/cgen/stub.h rename to src/libbpfilter/cgen/stub.h 
diff --git a/src/bpfilter/cgen/swich.c b/src/libbpfilter/cgen/swich.c similarity index 100% rename from src/bpfilter/cgen/swich.c rename to src/libbpfilter/cgen/swich.c diff --git a/src/bpfilter/cgen/swich.h b/src/libbpfilter/cgen/swich.h similarity index 100% rename from src/bpfilter/cgen/swich.h rename to src/libbpfilter/cgen/swich.h diff --git a/src/bpfilter/cgen/tc.c b/src/libbpfilter/cgen/tc.c similarity index 100% rename from src/bpfilter/cgen/tc.c rename to src/libbpfilter/cgen/tc.c diff --git a/src/bpfilter/cgen/tc.h b/src/libbpfilter/cgen/tc.h similarity index 100% rename from src/bpfilter/cgen/tc.h rename to src/libbpfilter/cgen/tc.h diff --git a/src/bpfilter/cgen/xdp.c b/src/libbpfilter/cgen/xdp.c similarity index 100% rename from src/bpfilter/cgen/xdp.c rename to src/libbpfilter/cgen/xdp.c diff --git a/src/bpfilter/cgen/xdp.h b/src/libbpfilter/cgen/xdp.h similarity index 100% rename from src/bpfilter/cgen/xdp.h rename to src/libbpfilter/cgen/xdp.h diff --git a/src/libbpfilter/cli.c b/src/libbpfilter/cli.c index be7dbabf2..3a40a4380 100644 --- a/src/libbpfilter/cli.c +++ b/src/libbpfilter/cli.c @@ -3,9 +3,13 @@ * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */ -#include +#include #include +#include +#include + +#include "bpfilter/btf.h" #include "bpfilter/chain.h" #include "bpfilter/counter.h" #include "bpfilter/helper.h" 
@@ -14,102 +18,84 @@ #include "bpfilter/list.h" #include "bpfilter/logger.h" #include "bpfilter/pack.h" -#include "bpfilter/request.h" -#include "bpfilter/response.h" #include "bpfilter/set.h" +#include "cgen/cgen.h" +#include "cgen/handle.h" +#include "cgen/prog/link.h" +#include "cgen/prog/map.h" + +static int copy_hookopts(struct bf_hookopts **dest, + const struct bf_hookopts *src) +{ + struct bf_hookopts *copy; + + copy = bf_memdup(src, sizeof(*src)); + if (!copy) + return -ENOMEM; + + if (src->cgpath) { + copy->cgpath = strdup(src->cgpath); + if (!copy->cgpath) { + free(copy); + return -ENOMEM; + } + } + + *dest = copy; + + return 0; +} int bf_ruleset_get(bf_list *chains, bf_list *hookopts, bf_list *counters) { - _cleanup_close_ int fd = -1; - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; + _clean_bf_list_ bf_list cgens = bf_list_default(NULL, NULL); _clean_bf_list_ bf_list _chains = bf_list_default_from(*chains); _clean_bf_list_ bf_list _hookopts = bf_list_default_from(*hookopts); _clean_bf_list_ bf_list _counters = bf_list_default_from(*counters); - _free_bf_rpack_ bf_rpack_t *pack = NULL; - bf_rpack_node_t root, node, child; int r; - r = bf_request_new(&request, BF_REQ_RULESET_GET, NULL, 0); + r = bf_ctx_get_cgens(&cgens); if (r < 0) - return bf_err_r(r, "failed to init request"); + return bf_err_r(r, "failed to get cgen list"); - fd = bf_connect_to_daemon(); - if (fd < 0) - return bf_err_r(fd, "failed to connect to the daemon"); - - r = bf_send(fd, request, &response, NULL); - if (r < 0) - return bf_err_r(r, "failed to send a ruleset get request"); - - if (bf_response_status(response) != 0) - return bf_response_status(response); - - r = bf_rpack_new(&pack, bf_response_data(response), - bf_response_data_len(response)); - if (r) - return r; - - r = bf_rpack_kv_obj(bf_rpack_root(pack), "ruleset", &root); - if (r) - return r; - - r = bf_rpack_kv_array(root, "chains", &node); - if (r) - return r; 
- bf_rpack_array_foreach (node, child) { + bf_list_foreach (&cgens, cgen_node) { + struct bf_cgen *cgen = bf_list_node_get_data(cgen_node); _free_bf_chain_ struct bf_chain *chain = NULL; + _free_bf_hookopts_ struct bf_hookopts *hookopts_copy = NULL; + _free_bf_list_ bf_list *cgen_counters = NULL; + + r = bf_chain_new_from_copy(&chain, cgen->chain); + if (r) + return bf_err_r(r, "failed to copy chain"); - r = bf_list_emplace(&_chains, bf_chain_new_from_pack, chain, child); + r = bf_list_add_tail(&_chains, chain); if (r) return r; - } + TAKE_PTR(chain); - r = bf_rpack_kv_array(root, "hookopts", &node); - if (r) - return r; - bf_rpack_array_foreach (node, child) { - _free_bf_hookopts_ struct bf_hookopts *hookopts = NULL; - - if (!bf_rpack_is_nil(child)) { - r = bf_list_emplace(&_hookopts, bf_hookopts_new_from_pack, hookopts, - child); - } else { - r = bf_list_add_tail(&_hookopts, NULL); + if (cgen->handle->link && cgen->handle->link->hookopts) { + r = copy_hookopts(&hookopts_copy, cgen->handle->link->hookopts); + if (r) + return bf_err_r(r, "failed to copy hookopts"); } - + r = bf_list_add_tail(&_hookopts, hookopts_copy); if (r) return r; - } - - r = bf_rpack_kv_array(root, "counters", &node); - if (r) - return r; - bf_rpack_array_foreach (node, child) { - _free_bf_list_ bf_list *nested = NULL; - bf_rpack_node_t subchild; - - if (!bf_rpack_is_array(child)) - return -EDOM; + TAKE_PTR(hookopts_copy); - r = bf_list_new(&nested, &bf_list_ops_default(bf_counter_free, NULL)); + r = bf_list_new(&cgen_counters, + &bf_list_ops_default(bf_counter_free, NULL)); if (r) return r; - bf_rpack_array_foreach (child, subchild) { - _free_bf_counter_ struct bf_counter *counter = NULL; - - r = bf_list_emplace(nested, bf_counter_new_from_pack, counter, - subchild); - if (r) - return r; - } - - r = bf_list_add_tail(&_counters, nested); + r = bf_cgen_get_counters(cgen, cgen_counters); if (r) return r; - TAKE_PTR(nested); + r = bf_list_add_tail(&_counters, cgen_counters); + if (r) + return r; 
+ TAKE_PTR(cgen_counters); } *chains = bf_list_move(_chains); @@ -121,10 +107,6 @@ int bf_ruleset_get(bf_list *chains, bf_list *hookopts, bf_list *counters) int bf_ruleset_set(bf_list *chains, bf_list *hookopts) { - _cleanup_close_ int fd = -1; - _free_bf_wpack_ bf_wpack_t *pack = NULL; - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; struct bf_list_node *chain_node = bf_list_get_head(chains); struct bf_list_node *hookopts_node = bf_list_get_head(hookopts); int r; 
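Review bot: `copy_hookopts` duplicates `struct bf_hookopts` with a shallow `bf_memdup` and then deep-copies only `cgpath`; if the struct carries any other heap-owned member (its definition is not in this diff) the copy aliases it and the `_free_bf_hookopts_` cleanup on the copy will free it twice. A constructor living next to the type, mirroring `bf_chain_new_from_copy` — e.g. `int bf_hookopts_new_from_copy(struct bf_hookopts **hookopts, const struct bf_hookopts *src)` — keeps that field knowledge in one place and is reusable by `bf_ruleset_set`, `bf_chain_set` and `bf_chain_get` in the next hunk, which all call the same static helper. `bf_ruleset_get` continues past this hunk.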
@@ -132,185 +114,136 @@ int bf_ruleset_set(bf_list *chains, bf_list *hookopts) if (bf_list_size(chains) != bf_list_size(hookopts)) return -EINVAL; - r = bf_wpack_new(&pack); - if (r) - return r; + bf_ctx_flush(); - bf_wpack_open_array(pack, "ruleset"); while (chain_node && hookopts_node) { + _free_bf_cgen_ struct bf_cgen *cgen = NULL; + _free_bf_chain_ struct bf_chain *chain_copy = NULL; + _free_bf_hookopts_ struct bf_hookopts *hookopts_copy = NULL; struct bf_chain *chain = bf_list_node_get_data(chain_node); - struct bf_hookopts *hookopts = bf_list_node_get_data(hookopts_node); + struct bf_hookopts *node_hookopts = + bf_list_node_get_data(hookopts_node); + + r = bf_chain_new_from_copy(&chain_copy, chain); + if (r) + goto err_load; + + if (node_hookopts) { + r = copy_hookopts(&hookopts_copy, node_hookopts); + if (r) + goto err_load; + } - bf_wpack_open_object(pack, NULL); + r = bf_cgen_new(&cgen, &chain_copy); + if (r) + goto err_load; - bf_wpack_open_object(pack, "chain"); - bf_chain_pack(chain, pack); - bf_wpack_close_object(pack); + r = bf_cgen_set(cgen, hookopts_copy ? 
&hookopts_copy : NULL); + if (r) { + bf_err_r(r, "failed to set chain '%s'", cgen->chain->name); + goto err_load; + } - if (hookopts) { - bf_wpack_open_object(pack, "hookopts"); - bf_hookopts_pack(hookopts, pack); - bf_wpack_close_object(pack); - } else { - bf_wpack_kv_nil(pack, "hookopts"); + r = bf_ctx_set_cgen(cgen); + if (r) { + bf_cgen_unload(cgen); + goto err_load; } - bf_wpack_close_object(pack); + TAKE_PTR(cgen); chain_node = bf_list_node_next(chain_node); hookopts_node = bf_list_node_next(hookopts_node); } - bf_wpack_close_array(pack); - r = bf_request_new_from_pack(&request, BF_REQ_RULESET_SET, pack); - if (r) - return bf_err_r(r, "failed to create request for chain"); - - fd = bf_connect_to_daemon(); - if (fd < 0) - return bf_err_r(fd, "failed to connect to the daemon"); - - r = bf_send(fd, request, &response, NULL); - if (r) - return bf_err_r(r, "failed to send chain to the daemon"); + return 0; - return bf_response_status(response); +err_load: + bf_ctx_flush(); + return r; } int bf_ruleset_flush(void) { - _cleanup_close_ int fd = -1; - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - int r; - - r = bf_request_new(&request, BF_REQ_RULESET_FLUSH, NULL, 0); - if (r) - return bf_err_r(r, "failed to create a ruleset flush request"); - - fd = bf_connect_to_daemon(); - if (fd < 0) - return bf_err_r(fd, "failed to connect to the daemon"); - - r = bf_send(fd, request, &response, NULL); - if (r) - return bf_err_r(r, "failed to send a ruleset flush request"); + bf_ctx_flush(); - return bf_response_status(response); + return 0; } int bf_chain_set(struct bf_chain *chain, struct bf_hookopts *hookopts) { - _cleanup_close_ int fd = -1; - _free_bf_wpack_ bf_wpack_t *pack = NULL; - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; + struct bf_cgen *old_cgen; + _free_bf_cgen_ struct bf_cgen *new_cgen = NULL; + _free_bf_chain_ struct bf_chain 
*chain_copy = NULL; + _free_bf_hookopts_ struct bf_hookopts *hookopts_copy = NULL; int r; - r = bf_wpack_new(&pack); - if (r) - return r; + assert(chain); - bf_wpack_open_object(pack, "chain"); - r = bf_chain_pack(chain, pack); + r = bf_chain_new_from_copy(&chain_copy, chain); if (r) return r; - bf_wpack_close_object(pack); if (hookopts) { - bf_wpack_open_object(pack, "hookopts"); - r = bf_hookopts_pack(hookopts, pack); + r = copy_hookopts(&hookopts_copy, hookopts); if (r) return r; - bf_wpack_close_object(pack); - } else { - bf_wpack_kv_nil(pack, "hookopts"); } - r = bf_request_new_from_pack(&request, BF_REQ_CHAIN_SET, pack); + r = bf_cgen_new(&new_cgen, &chain_copy); if (r) - return bf_err_r(r, "bf_chain_set: failed to create request"); + return r; - fd = bf_connect_to_daemon(); - if (fd < 0) - return bf_err_r(fd, "failed to connect to the daemon"); + old_cgen = bf_ctx_get_cgen(new_cgen->chain->name); + if (old_cgen) + (void)bf_ctx_delete_cgen(old_cgen, true); - r = bf_send(fd, request, &response, NULL); + r = bf_cgen_set(new_cgen, hookopts_copy ? 
&hookopts_copy : NULL); if (r) - return bf_err_r(r, "bf_chain_set: failed to send request"); + return r; - return bf_response_status(response); + r = bf_ctx_set_cgen(new_cgen); + if (r) { + bf_cgen_unload(new_cgen); + return r; + } + + TAKE_PTR(new_cgen); + + return 0; } int bf_chain_get(const char *name, struct bf_chain **chain, struct bf_hookopts **hookopts, bf_list *counters) { - _cleanup_close_ int fd = -1; - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; _free_bf_chain_ struct bf_chain *_chain = NULL; _free_bf_hookopts_ struct bf_hookopts *_hookopts = NULL; _clean_bf_list_ bf_list _counters = bf_list_default_from(*counters); - _free_bf_wpack_ bf_wpack_t *wpack = NULL; - _free_bf_rpack_ bf_rpack_t *rpack = NULL; - bf_rpack_node_t child, array_node; + struct bf_cgen *cgen; int r; - r = bf_wpack_new(&wpack); - if (r) - return r; - - bf_wpack_kv_str(wpack, "name", name); - if (!bf_wpack_is_valid(wpack)) - return -EINVAL; - - r = bf_request_new_from_pack(&request, BF_REQ_CHAIN_GET, wpack); - if (r < 0) - return bf_err_r(r, "failed to init request"); - - fd = bf_connect_to_daemon(); - if (fd < 0) - return bf_err_r(fd, "failed to connect to the daemon"); - - r = bf_send(fd, request, &response, NULL); - if (r < 0) - return bf_err_r(r, "failed to send a ruleset get request"); + assert(name); + assert(chain); + assert(hookopts); + assert(counters); - if (bf_response_status(response) != 0) - return bf_response_status(response); + cgen = bf_ctx_get_cgen(name); + if (!cgen) + return bf_err_r(-ENOENT, "chain '%s' not found", name); - r = bf_rpack_new(&rpack, bf_response_data(response), - bf_response_data_len(response)); + r = bf_chain_new_from_copy(&_chain, cgen->chain); if (r) return r; - r = bf_rpack_kv_obj(bf_rpack_root(rpack), "chain", &child); - if (r) - return r; - r = bf_chain_new_from_pack(&_chain, child); - if (r) - return r; - - r = bf_rpack_kv_node(bf_rpack_root(rpack), "hookopts", &child); - if (r) 
- return r; - if (!bf_rpack_is_nil(child)) { - r = bf_hookopts_new_from_pack(&_hookopts, child); + if (cgen->handle->link && cgen->handle->link->hookopts) { + r = copy_hookopts(&_hookopts, cgen->handle->link->hookopts); if (r) return r; } - r = bf_rpack_kv_array(bf_rpack_root(rpack), "counters", &child); + r = bf_cgen_get_counters(cgen, &_counters); if (r) - return r; - bf_rpack_array_foreach (child, array_node) { - _free_bf_counter_ struct bf_counter *counter = NULL; - - r = bf_list_emplace(&_counters, bf_counter_new_from_pack, counter, - array_node); - if (r) - return r; - } + return bf_err_r(r, "failed to get counters for '%s'", name); *chain = TAKE_PTR(_chain); *hookopts = TAKE_PTR(_hookopts); 
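Review bot: `bf_ruleset_set` calls `bf_ctx_flush()` before any of the new chains has been validated or loaded, and the `err_load` label flushes again, so one failing chain leaves the host with no ruleset at all instead of the previous one — the filter fails open; `bf_chain_set` has the same shape, deleting `old_cgen` (the `bf_ctx_delete_cgen` result is discarded) before `bf_cgen_set` on the replacement has succeeded. If the daemon-side handlers this replaces behaved the same way this is not a regression, but the now-public library entry points should say so: add to the `bf_ruleset_set` doc comment ` * Not atomic: the existing ruleset is removed before the new chains are loaded; on failure the ruleset is left empty.` and to `bf_chain_set` ` * An existing chain with the same name is removed before the new one is loaded; if loading fails, no chain with that name remains.` Building and loading the new cgens into a staging list and only then replacing the context would remove the window, but that is a larger change than this hunk.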
@@ -321,252 +254,222 @@ int bf_chain_get(const char *name, struct bf_chain **chain, int bf_chain_prog_fd(const char *name) { - _cleanup_close_ int fd = -1; - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - _cleanup_close_ int prog_fd = -1; - _free_bf_wpack_ bf_wpack_t *wpack = NULL; - int r; + struct bf_cgen *cgen; if (!name) return -EINVAL; - r = bf_wpack_new(&wpack); - if (r) - return r; - - bf_wpack_kv_str(wpack, "name", name); - if (!bf_wpack_is_valid(wpack)) - return -EINVAL; - - r = bf_request_new_from_pack(&request, BF_REQ_CHAIN_PROG_FD, wpack); - if (r < 0) - return bf_err_r(r, "failed to init request"); + cgen = bf_ctx_get_cgen(name); + if (!cgen) + return bf_err_r(-ENOENT, "failed to find chain '%s'", name); - fd = bf_connect_to_daemon(); - if (fd < 0) - return bf_err_r(fd, "failed to connect to the daemon"); + if (cgen->handle->prog_fd == -1) + return bf_err_r(-ENODEV, "chain '%s' has no loaded program", name); - r = bf_send(fd, request, &response, &prog_fd); - if (r) - return bf_err_r(r, "failed to request prog FD from the daemon"); - - if (bf_response_status(response) != 0) - return bf_err_r(bf_response_status(response), - "BF_REQ_CHAIN_PROG_FD failed"); - - return TAKE_FD(prog_fd); + return dup(cgen->handle->prog_fd); } int bf_chain_logs_fd(const char *name) { - _cleanup_close_ int fd = -1; - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - _cleanup_close_ int logs_fd = -1; - _free_bf_wpack_ bf_wpack_t *wpack = NULL; - int r; + struct bf_cgen *cgen; if (!name) return -EINVAL; - r = bf_wpack_new(&wpack); - if (r) - return r; + cgen = bf_ctx_get_cgen(name); + if (!cgen) + return bf_err_r(-ENOENT, "failed to find chain '%s'", name); - bf_wpack_kv_str(wpack, "name", name); - if (!bf_wpack_is_valid(wpack)) - return -EINVAL; - - r = bf_request_new_from_pack(&request, BF_REQ_CHAIN_LOGS_FD, wpack); - if (r < 0) - return bf_err_r(r, 
"failed to init request"); + if (!cgen->handle->lmap) + return bf_err_r(-ENOENT, "chain '%s' has no logs buffer", name); - fd = bf_connect_to_daemon(); - if (fd < 0) - return bf_err_r(fd, "failed to connect to the daemon"); - - r = bf_send(fd, request, &response, &logs_fd); - if (r) - return bf_err_r(r, "failed to request logs FD from the daemon"); - - if (bf_response_status(response) != 0) - return bf_err_r(bf_response_status(response), - "BF_REQ_CHAIN_LOGS failed"); - - return TAKE_FD(logs_fd); + return dup(cgen->handle->lmap->fd); } int bf_chain_load(struct bf_chain *chain) { - _cleanup_close_ int fd = -1; - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - _free_bf_wpack_ bf_wpack_t *wpack = NULL; + _free_bf_cgen_ struct bf_cgen *cgen = NULL; + _free_bf_chain_ struct bf_chain *chain_copy = NULL; int r; - r = bf_wpack_new(&wpack); + assert(chain); + + if (bf_ctx_get_cgen(chain->name)) + return bf_err_r(-EEXIST, "chain '%s' already exists", chain->name); + + r = bf_chain_new_from_copy(&chain_copy, chain); if (r) return r; - bf_wpack_open_object(wpack, "chain"); - r = bf_chain_pack(chain, wpack); + r = bf_cgen_new(&cgen, &chain_copy); if (r) return r; - bf_wpack_close_object(wpack); - r = bf_request_new_from_pack(&request, BF_REQ_CHAIN_LOAD, wpack); + r = bf_cgen_load(cgen); if (r) - return bf_err_r(r, "bf_chain_load: failed to create a new request"); + return r; - fd = bf_connect_to_daemon(); - if (fd < 0) - return bf_err_r(fd, "failed to connect to the daemon"); + r = bf_ctx_set_cgen(cgen); + if (r) { + bf_cgen_unload(cgen); + return bf_err_r(r, "failed to add cgen to the runtime context"); + } - r = bf_send(fd, request, &response, NULL); - if (r) - return bf_err_r(r, "bf_chain_set: failed to send request"); + TAKE_PTR(cgen); - return bf_response_status(response); + return 0; } int bf_chain_attach(const char *name, const struct bf_hookopts *hookopts) { - _cleanup_close_ int fd = -1; - 
_free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - _free_bf_wpack_ bf_wpack_t *wpack = NULL; + struct bf_cgen *cgen; + _free_bf_hookopts_ struct bf_hookopts *hookopts_copy = NULL; int r; - r = bf_wpack_new(&wpack); + assert(name); + assert(hookopts); + + cgen = bf_ctx_get_cgen(name); + if (!cgen) + return bf_err_r(-ENOENT, "chain '%s' does not exist", name); + + if (cgen->handle->link) + return bf_err_r(-EBUSY, "chain '%s' is already linked to a hook", name); + + r = bf_hookopts_validate(hookopts, cgen->chain->hook); if (r) - return r; + return bf_err_r(r, "failed to validate hook options"); - bf_wpack_kv_str(wpack, "name", name); - bf_wpack_open_object(wpack, "hookopts"); - r = bf_hookopts_pack(hookopts, wpack); + r = copy_hookopts(&hookopts_copy, hookopts); if (r) return r; - bf_wpack_close_object(wpack); - r = bf_request_new_from_pack(&request, BF_REQ_CHAIN_ATTACH, wpack); + r = bf_cgen_attach(cgen, &hookopts_copy); if (r) - return bf_err_r(r, "bf_chain_attach: failed to create a new request"); + return bf_err_r(r, "failed to attach codegen to hook"); + + return 0; +} + +int bf_chain_update(const struct bf_chain *chain) +{ + _free_bf_chain_ struct bf_chain *chain_copy = NULL; + struct bf_cgen *cgen; + int r; + + assert(chain); + + cgen = bf_ctx_get_cgen(chain->name); + if (!cgen) + return -ENOENT; - fd = bf_connect_to_daemon(); - if (fd < 0) - return bf_err_r(fd, "failed to connect to the daemon"); + r = bf_chain_new_from_copy(&chain_copy, chain); + if (r) + return r; - r = bf_send(fd, request, &response, NULL); + r = bf_cgen_update(cgen, &chain_copy, 0); if (r) - return bf_err_r(r, "bf_chain_attach: failed to send request"); + return -EINVAL; - return bf_response_status(response); + return 0; } -int bf_chain_update(const struct bf_chain *chain) +static int copy_set(struct bf_set **dest, const struct bf_set *src) { - _cleanup_close_ int fd = -1; - _free_bf_request_ struct bf_request *request = NULL; - 
_free_bf_response_ struct bf_response *response = NULL; _free_bf_wpack_ bf_wpack_t *wpack = NULL; + _free_bf_rpack_ bf_rpack_t *rpack = NULL; + const void *data; + size_t data_len; int r; r = bf_wpack_new(&wpack); if (r) return r; - bf_wpack_open_object(wpack, "chain"); - r = bf_chain_pack(chain, wpack); + bf_wpack_open_object(wpack, "set"); + r = bf_set_pack(src, wpack); if (r) return r; bf_wpack_close_object(wpack); - r = bf_request_new_from_pack(&request, BF_REQ_CHAIN_UPDATE, wpack); + r = bf_wpack_get_data(wpack, &data, &data_len); if (r) - return bf_err_r(r, "bf_chain_update: failed to create a new request"); + return r; - fd = bf_connect_to_daemon(); - if (fd < 0) - return bf_err_r(fd, "failed to connect to the daemon"); + r = bf_rpack_new(&rpack, data, data_len); + if (r) + return r; - r = bf_send(fd, request, &response, NULL); + bf_rpack_node_t child; + r = bf_rpack_kv_obj(bf_rpack_root(rpack), "set", &child); if (r) - return bf_err_r(r, "bf_chain_update: failed to send request"); + return r; - return bf_response_status(response); + return bf_set_new_from_pack(dest, child); } int bf_chain_update_set(const char *name, const struct bf_set *to_add, const struct bf_set *to_remove) { - _cleanup_close_ int fd = -1; - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - _free_bf_wpack_ bf_wpack_t *wpack = NULL; + _free_bf_chain_ struct bf_chain *new_chain = NULL; + struct bf_set *dest_set = NULL; + struct bf_cgen *cgen; + _free_bf_set_ struct bf_set *add_copy = NULL; + _free_bf_set_ struct bf_set *remove_copy = NULL; int r; assert(name); + assert(to_add); + assert(to_remove); - r = bf_wpack_new(&wpack); + if (!bf_streq(to_add->name, to_remove->name)) + return bf_err_r(-EINVAL, "to_add->name must match to_remove->name"); + + cgen = bf_ctx_get_cgen(name); + if (!cgen) + return bf_err_r(-ENOENT, "chain '%s' does not exist", name); + + r = bf_chain_new_from_copy(&new_chain, cgen->chain); if (r) return r; - 
bf_wpack_kv_str(wpack, "name", name); + dest_set = bf_chain_get_set_by_name(new_chain, to_add->name); + if (!dest_set) + return bf_err_r(-ENOENT, "set '%s' does not exist", to_add->name); - bf_wpack_open_object(wpack, "to_add"); - r = bf_set_pack(to_add, wpack); + r = copy_set(&add_copy, to_add); if (r) return r; - bf_wpack_close_object(wpack); - bf_wpack_open_object(wpack, "to_remove"); - r = bf_set_pack(to_remove, wpack); + r = copy_set(&remove_copy, to_remove); if (r) return r; - bf_wpack_close_object(wpack); - r = bf_request_new_from_pack(&request, BF_REQ_CHAIN_UPDATE_SET, wpack); + r = bf_set_add_many(dest_set, &add_copy); if (r) - return bf_err_r(r, - "bf_chain_update_set: failed to create a new request"); + return bf_err_r(r, "failed to calculate set union"); - fd = bf_connect_to_daemon(); - if (fd < 0) - return bf_err_r(fd, "failed to connect to the daemon"); + r = bf_set_remove_many(dest_set, &remove_copy); + if (r) + return bf_err_r(r, "failed to calculate set difference"); - r = bf_send(fd, request, &response, NULL); + r = bf_cgen_update(cgen, &new_chain, + BF_FLAG(BF_CGEN_UPDATE_PRESERVE_COUNTERS)); if (r) - return bf_err_r(r, "bf_chain_update_set: failed to send request"); + return bf_err_r(r, "failed to update chain with new set data"); - return bf_response_status(response); + return 0; } int bf_chain_flush(const char *name) { - _cleanup_close_ int fd = -1; - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - _free_bf_wpack_ bf_wpack_t *wpack = NULL; - int r; - - r = bf_wpack_new(&wpack); - if (r) - return r; + struct bf_cgen *cgen; - bf_wpack_kv_str(wpack, "name", name); - - r = bf_request_new_from_pack(&request, BF_REQ_CHAIN_FLUSH, wpack); - if (r) - return bf_err_r(r, "failed to create request for chain"); - - fd = bf_connect_to_daemon(); - if (fd < 0) - return bf_err_r(fd, "failed to connect to the daemon"); + assert(name); - r = bf_send(fd, request, &response, NULL); - if (r) - return 
bf_err_r(r, "failed to send chain to the daemon"); + cgen = bf_ctx_get_cgen(name); + if (!cgen) + return -ENOENT; - return bf_response_status(response); + return bf_ctx_delete_cgen(cgen, true); } diff --git a/src/bpfilter/ctx.c b/src/libbpfilter/ctx.c similarity index 86% rename from src/bpfilter/ctx.c rename to src/libbpfilter/ctx.c index c3405cfb8..01eda1224 100644 --- a/src/bpfilter/ctx.c +++ b/src/libbpfilter/ctx.c @@ -3,53 +3,48 @@ * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */ -#include "ctx.h" - #include #include #include #include #include +#include #include #include #include #include +#include #include +#include #include #include #include #include #include -#include #include #include "cgen/cgen.h" -#include "cgen/elfstub.h" #define _free_bf_ctx_ __attribute__((cleanup(_bf_ctx_free))) /** * @struct bf_ctx * - * bpfilter working context. Only one context is used during the daemon's + * bpfilter working context. Only one context is used during the library's * lifetime. */ struct bf_ctx { - /// Namespaces the daemon was started in. - struct bf_ns ns; - /// BPF token file descriptor int token_fd; + int lock_fd; + bf_list cgens; struct bf_elfstub *stubs[_BF_ELFSTUB_MAX]; - /// If true, don't persist state and unload programs on exit. - bool transient; - /// Pass a token to BPF system calls, obtained from bpffs. bool with_bpf_token; @@ -62,7 +57,7 @@ struct bf_ctx static void _bf_ctx_free(struct bf_ctx **ctx); -/// Global daemon context. Hidden in this translation unit. +/// Global runtime context. Hidden in this translation unit. static struct bf_ctx *_bf_global_ctx = NULL; static int _bf_ctx_gen_token(const char *bpffs_path) 
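Review bot: `return dup(cgen->handle->prog_fd);` in bf_chain_prog_fd (and `return dup(cgen->handle->lmap->fd);` in bf_chain_logs_fd) breaks the negative-errno contract these functions document: on failure dup() returns -1 with the reason in errno, so a caller sees -1 (which reads as -EPERM) whatever actually went wrong. The duplicate is also created without O_CLOEXEC, so a BPF program or map descriptor handed back here is inherited across exec by any child the calling application spawns. For both sites: `int fd = fcntl(cgen->handle->prog_fd, F_DUPFD_CLOEXEC, 0); if (fd < 0) return bf_err_r(-errno, "failed to duplicate program FD for '%s'", name); return fd;` (fcntl.h). Separately, bf_chain_update maps every bf_cgen_update() failure to `-EINVAL`, discarding the real error code, unlike bf_chain_update_set a few lines below which forwards `r` through bf_err_r().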
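Review bot: The new `int lock_fd;` field in struct bf_ctx has no `///` comment, while its siblings (`token_fd`, `with_bpf_token`) are documented, and its purpose is only discoverable from bf_ctx_setup() in a later hunk. Suggest `/// Pin directory file descriptor holding the exclusive flock() taken in bf_ctx_setup(); -1 until setup succeeds, closed when the context is freed.` so the lifetime of the lock is visible where the field is declared.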
@@ -94,13 +89,12 @@ static int _bf_ctx_gen_token(const char *bpffs_path) * On failure, @p ctx is left unchanged. * * @param ctx New context to create. Can't be NULL. - * @param transient If true, don't persist state and unload programs on exit. * @param with_bpf_token If true, create a BPF token from bpffs. * @param bpffs_path Path to the bpffs mountpoint. Can't be NULL. * @param verbose Bitmask of verbose flags. * @return 0 on success, negative errno value on failure. */ -static int _bf_ctx_new(struct bf_ctx **ctx, bool transient, bool with_bpf_token, +static int _bf_ctx_new(struct bf_ctx **ctx, bool with_bpf_token, const char *bpffs_path, uint16_t verbose) { _free_bf_ctx_ struct bf_ctx *_ctx = NULL; @@ -109,18 +103,18 @@ static int _bf_ctx_new(struct bf_ctx **ctx, bool transient, bool with_bpf_token, assert(ctx); assert(bpffs_path); + r = bf_btf_setup(); + if (r) + return bf_err_r(r, "failed to load vmlinux BTF"); + _ctx = calloc(1, sizeof(*_ctx)); if (!_ctx) return -ENOMEM; - _ctx->transient = transient; _ctx->with_bpf_token = with_bpf_token; _ctx->bpffs_path = bpffs_path; _ctx->verbose = verbose; - - r = bf_ns_init(&_ctx->ns, getpid()); - if (r) - return bf_err_r(r, "failed to initialise current bf_ns"); + _ctx->lock_fd = -1; _ctx->token_fd = -1; if (_ctx->with_bpf_token) { @@ -170,13 +164,15 @@ static void _bf_ctx_free(struct bf_ctx **ctx) if (!*ctx) return; - bf_ns_clean(&(*ctx)->ns); closep(&(*ctx)->token_fd); + closep(&(*ctx)->lock_fd); bf_list_clean(&(*ctx)->cgens); for (enum bf_elfstub_id id = 0; id < _BF_ELFSTUB_MAX; ++id) bf_elfstub_free(&(*ctx)->stubs[id]); + bf_btf_teardown(); + freep((void *)ctx); } 
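Review bot: In `_bf_ctx_new`, `bf_btf_setup()` now runs before `calloc()`, and the `return -ENOMEM;` that follows leaves the vmlinux BTF loaded: `bf_btf_teardown()` is only called from `_bf_ctx_free()`, which returns early when there is no context to free. Undo the setup on that path: `if (!_ctx) { bf_btf_teardown(); return -ENOMEM; }`. The later failure returns in this function are covered because `_ctx` is `_free_bf_ctx_` and the teardown added to `_bf_ctx_free()` runs, but that also means `_bf_ctx_free()` now assumes every context it frees had a successful `bf_btf_setup()`; a one-line comment at the `bf_btf_teardown()` call stating that pairing would help the next maintainer. `_bf_ctx_new` continues past the end of this hunk.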
@@ -189,24 +185,6 @@ static void _bf_ctx_dump(const struct bf_ctx *ctx, prefix_t *prefix) bf_dump_prefix_push(prefix); - // Namespaces - DUMP(prefix, "ns: struct bf_ns") - bf_dump_prefix_push(prefix); - - DUMP(prefix, "net: struct bf_ns_info"); - bf_dump_prefix_push(prefix); - DUMP(prefix, "fd: %d", ctx->ns.net.fd); - DUMP(bf_dump_prefix_last(prefix), "inode: %u", ctx->ns.net.inode); - bf_dump_prefix_pop(prefix); - - DUMP(bf_dump_prefix_last(prefix), "mnt: struct bf_ns_info"); - bf_dump_prefix_push(prefix); - DUMP(prefix, "fd: %d", ctx->ns.mnt.fd); - DUMP(bf_dump_prefix_last(prefix), "inode: %u", ctx->ns.mnt.inode); - bf_dump_prefix_pop(prefix); - - bf_dump_prefix_pop(prefix); - DUMP(prefix, "token_fd: %d", ctx->token_fd); // Codegens @@ -402,26 +380,36 @@ static int _bf_ctx_discover(void) return 0; } -int bf_ctx_setup(bool transient, bool with_bpf_token, const char *bpffs_path, - uint16_t verbose) +int bf_ctx_setup(bool with_bpf_token, const char *bpffs_path, uint16_t verbose) { + _cleanup_close_ int pindir_fd = -1; _free_bf_ctx_ struct bf_ctx *_ctx = NULL; int r; - r = _bf_ctx_new(&_ctx, transient, with_bpf_token, bpffs_path, verbose); + r = _bf_ctx_new(&_ctx, with_bpf_token, bpffs_path, verbose); if (r) return bf_err_r(r, "failed to create new context"); - _bf_global_ctx = TAKE_PTR(_ctx); + _bf_global_ctx = _ctx; - if (!bf_ctx_is_transient()) { - r = _bf_ctx_discover(); - if (r) { - _bf_ctx_free(&_bf_global_ctx); - return bf_err_r(r, "failed to discover chains"); - } + pindir_fd = bf_ctx_get_pindir_fd(); + if (pindir_fd < 0) + return bf_err_r(pindir_fd, "failed to get pin directory FD"); + + r = flock(pindir_fd, LOCK_EX | LOCK_NB); + if (r) + return bf_err_r(-errno, "failed to lock pin directory"); + + r = _bf_ctx_discover(); + if (r) { + _bf_ctx_free(&_bf_global_ctx); + return bf_err_r(r, "failed to discover chains"); } + _bf_global_ctx->lock_fd = TAKE_FD(pindir_fd); + + TAKE_PTR(_ctx); + return 0; } 
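Review bot: `_bf_global_ctx = _ctx;` aliases the global to a `_free_bf_ctx_` local, and the three failure paths that follow handle that inconsistently: when `bf_ctx_get_pindir_fd()` or `flock()` fails the scope-exit cleanup frees `_ctx` and leaves `_bf_global_ctx` pointing at freed memory, and when `_bf_ctx_discover()` fails `_bf_ctx_free(&_bf_global_ctx)` frees the object and the cleanup of `_ctx` then frees it a second time. The removed code avoided this by transferring ownership with `TAKE_PTR` before anything could fail. Since `bf_ctx_get_pindir_fd()` and `_bf_ctx_discover()` presumably read the global, it has to be set before they run; the fix is then to reset `_bf_global_ctx` to NULL on every failure path and let the cleanup attribute perform the single free.
```c
    _bf_global_ctx = _ctx;

    pindir_fd = bf_ctx_get_pindir_fd();
    if (pindir_fd < 0) {
        _bf_global_ctx = NULL;
        return bf_err_r(pindir_fd, "failed to get pin directory FD");
    }

    r = flock(pindir_fd, LOCK_EX | LOCK_NB);
    if (r) {
        _bf_global_ctx = NULL;
        return bf_err_r(-errno, "failed to lock pin directory");
    }

    r = _bf_ctx_discover();
    if (r) {
        _bf_global_ctx = NULL;
        return bf_err_r(r, "failed to discover chains");
    }

    _bf_global_ctx->lock_fd = TAKE_FD(pindir_fd);
    TAKE_PTR(_ctx);

    return 0;
```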
@@ -472,11 +460,6 @@ int bf_ctx_delete_cgen(struct bf_cgen *cgen, bool unload) return _bf_ctx_delete_cgen(_bf_global_ctx, cgen, unload); } -struct bf_ns *bf_ctx_get_ns(void) -{ - return &_bf_global_ctx->ns; -} - int bf_ctx_token(void) { return _bf_global_ctx->token_fd; @@ -525,11 +508,6 @@ const struct bf_elfstub *bf_ctx_get_elfstub(enum bf_elfstub_id id) return _bf_global_ctx->stubs[id]; } -bool bf_ctx_is_transient(void) -{ - return _bf_global_ctx->transient; -} - bool bf_ctx_is_verbose(enum bf_verbose opt) { return _bf_global_ctx->verbose & BF_FLAG(opt); diff --git a/src/libbpfilter/include/bpfilter/bpfilter.h b/src/libbpfilter/include/bpfilter/bpfilter.h index b27a38d0b..1d9e983c2 100644 --- a/src/libbpfilter/include/bpfilter/bpfilter.h +++ b/src/libbpfilter/include/bpfilter/bpfilter.h @@ -16,7 +16,7 @@ struct bf_set; struct bf_hookopts; /** - * @brief Get the ruleset from the daemon. + * @brief Get the current ruleset. * * **Request payload format** * The request doesn't contain data. @@ -61,7 +61,7 @@ int bf_ruleset_get(bf_list *chains, bf_list *hookopts, bf_list *counters); /** * @brief Load a ruleset. * - * The daemon will flush the whole ruleset and install the chains defined in + * The library will flush the whole ruleset and install the chains defined in * the provided lists instead. * * `hookopts` should contain as many elements as `chains`, so they can be diff --git a/src/bpfilter/ctx.h b/src/libbpfilter/include/bpfilter/ctx.h similarity index 80% rename from src/bpfilter/ctx.h rename to src/libbpfilter/include/bpfilter/ctx.h index 20ece3ec4..54694ac7a 100644 --- a/src/bpfilter/ctx.h +++ b/src/libbpfilter/include/bpfilter/ctx.h 
@@ -9,17 +9,16 @@ #include #include +#include #include -#include "cgen/elfstub.h" - /** * @file ctx.h * - * Global runtime context for `bpfilter` daemon. + * Global runtime context for `bpfilter`. * * This file contains the definition of the `bf_ctx` structure, which is - * the main structure used to store the daemon's runtime context. + * the main structure used to store the runtime context. * * All the public `bf_ctx_*` functions manipulate a private global context. * Chain state is persisted in per-chain bpffs context maps and restored @@ -27,7 +26,6 @@ */ struct bf_cgen; -struct bf_ns; enum bf_verbose { @@ -40,14 +38,12 @@ enum bf_verbose /** * Initialise the global context. * - * @param transient If true, don't persist state and unload programs on exit. * @param with_bpf_token If true, create a BPF token from bpffs. * @param bpffs_path Path to the bpffs mountpoint. Can't be NULL. * @param verbose Bitmask of verbose flags. * @return 0 on success, or a negative errno value on failure. */ -int bf_ctx_setup(bool transient, bool with_bpf_token, const char *bpffs_path, - uint16_t verbose); +int bf_ctx_setup(bool with_bpf_token, const char *bpffs_path, uint16_t verbose); /** * Teardown the global context. @@ -106,18 +102,6 @@ int bf_ctx_set_cgen(struct bf_cgen *cgen); */ int bf_ctx_delete_cgen(struct bf_cgen *cgen, bool unload); -/** - * Get the daemon's original namespaces. - * - * During the creation of the global context, the daemon will open a reference - * to its namespaces. This is required to jump a a client's namespace on request - * and come back to the original namespace afterward. This function returns a - * pointer to the `bf_ns` object referencing the original namespaces. - * - * @return A `bf_ns` object pointer. - */ -struct bf_ns *bf_ctx_get_ns(void); - /** * Get the BPF token file descriptor. * 
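Review bot: The updated `bf_ctx_setup()` doc comment removes the `transient` parameter but says nothing about the behaviour the new ctx.c implementation adds: setup now takes an exclusive, non-blocking `flock()` on the pin directory and keeps the descriptor for the lifetime of the context, so a second bpfilter instance fails at setup rather than sharing the pin directory. Callers deciding how to react to a failed setup need that stated here; add to the description: `Takes an exclusive lock on the pin directory for the lifetime of the context; fails if another bpfilter instance already holds it.`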
@@ -153,11 +137,6 @@ int bf_ctx_rm_pindir(void); */ const struct bf_elfstub *bf_ctx_get_elfstub(enum bf_elfstub_id id); -/** - * @return true if transient mode is enabled. - */ -bool bf_ctx_is_transient(void); - /** * @return true if the given verbose flag is set. */ diff --git a/src/bpfilter/cgen/elfstub.h b/src/libbpfilter/include/bpfilter/elfstub.h similarity index 96% rename from src/bpfilter/cgen/elfstub.h rename to src/libbpfilter/include/bpfilter/elfstub.h index aaf84c6d2..beb3e9b7d 100644 --- a/src/bpfilter/cgen/elfstub.h +++ b/src/libbpfilter/include/bpfilter/elfstub.h @@ -19,13 +19,13 @@ * * ELF stubs source code is part of bpfilter's sources, they are compiled * using clang, the ELF file is stored in a C array and accessible to the - * daemon at runtime. + * libbpfilter at runtime. * * **Creating a new ELF stub** * - * 1. Add a new source file for the BPF program in the daemon's codebase (in the - * `bpf` folder, as `$NAME.bpf.c`). - * 2. Declare the ELF stub in the daemon's CMakeLists.txt (in + * 1. Add a new source file for the BPF program in the library's codebase (in + * the `bpf` folder, as `$NAME.bpf.c`). + * 2. Declare the ELF stub in libbpfilter's CMakeLists.txt (in * `bf_target_add_elfstubs()`). * 3. Add a new ID for this stub in `bf_elfstub_id`. * 4. Write the BPF C code: define a single function (additional inline diff --git a/src/libbpfilter/include/bpfilter/if.h b/src/libbpfilter/include/bpfilter/if.h index 4aa3bbf09..bcc0c99f9 100644 --- a/src/libbpfilter/include/bpfilter/if.h +++ b/src/libbpfilter/include/bpfilter/if.h @@ -33,7 +33,7 @@ int bf_if_index_from_name(const char *name); * * This function copy the interface name into a static buffer, this would * probably be an issue for multi-threaded application, but thankfully bpfilter - * is a single-threaded daemon. + * is single-threaded. * * @param index Index of the interface. * @return Pointer to a static buffer containing the interface name, or NULL 
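Review bot: The rewritten wording `bpfilter is single-threaded.` still asserts a property of the caller that a library cannot guarantee: the comment itself says the name is copied into a static buffer, and an application linking libbpfilter may call this from several threads. State the actual contract instead of the assumption, e.g. `This function is not thread-safe: the returned pointer refers to a static buffer that is overwritten by the next call.` The declaration this comment documents lies outside the hunk.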
diff --git a/src/libbpfilter/include/bpfilter/io.h b/src/libbpfilter/include/bpfilter/io.h
index cd9845f66..5ebb2d424 100644
--- a/src/libbpfilter/include/bpfilter/io.h
+++ b/src/libbpfilter/include/bpfilter/io.h
@@ -6,74 +6,6 @@ #pragma once #include -#include - -#define BF_RUNTIME_DIR "/run/bpfilter" -#define BF_SOCKET_PATH BF_RUNTIME_DIR "/daemon.sock" -#define BF_LOCK_PATH BF_RUNTIME_DIR "/daemon.lock" - -struct bf_request; -struct bf_response; - -/** - * @brief Connect to the bpfilter daemon and return the socket. - * - * @return A file descriptor to communicate with the daemon on success, or a - * negative error value on failure. - */ -int bf_connect_to_daemon(void); - -/** - * @brief Send a request to the daemon, receive a response. Can receive an extra - * file descriptor. - * - * Communicate back and forth with the daemon (send a request, receive a - * response). Some responses include a file descriptor. - * - * @pre - * - `request` is a valid, non-NULL request - * - `response != NULL` - * - * @param fd File descriptor of the socket to send the data over. - * @param request Request to send to the daemon. - * @param response Response received from the daemon, allocated by - * `bf_send()`. - * @param recv_fd File descriptor sent by the daemon. If NULL, no file - * descriptor is expected. - * @return 0 on success, negative error value on failure. - */ -int bf_send(int fd, const struct bf_request *request, - struct bf_response **response, int *recv_fd); - -/** - * Received a request from the file descriptor. - * - * @param fd File descriptor to receive the request from. Must be a valid file - * descriptor. - * @param request Request to receive. Can't be NULL. Will be allocated by the - * function. - * @return 0 on success, negative error code on failure. - */ -int bf_recv_request(int fd, struct bf_request **request); - -/** - * Send a response to the given file descriptor. - * - * @param fd File descriptor to send the response to. Must be a valid file - * descriptor. - * @param response Response to send. Can't be NULL. - * @return 0 on success, negative error code on failure. 
- */ -int bf_send_response(int fd, struct bf_response *response); - -/** - * @brief Send a file descriptor over a Unix Domain Socket. - * - * @param sock_fd File descriptor of a Unix Domain Socket, used to send `fd`. - * @param fd File descriptor to send. - * @return 0, or a negative error value on failure. - */ -int bf_send_fd(int sock_fd, int fd); /** * Ensure @p dir exists and can be read/writen by the current process. diff --git a/src/libbpfilter/include/bpfilter/ns.h b/src/libbpfilter/include/bpfilter/ns.h deleted file mode 100644 index eecdf3852..000000000 --- a/src/libbpfilter/include/bpfilter/ns.h +++ /dev/null 
@@ -1,121 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -/* - * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. - */ - -#pragma once - -#include -#include -#include - -/** - * @file ns.h - * - * `bpfilter` supports the following namespaces: - * - **Network**: for interfaces index to attach XDP and TC programs to, and - * interface indexes to filter on. - * - **Mount**: for CGroup path to attach `cgroup_skb` programs to. - * - * For each supported namespace, the `bf_ns` structure stores the namespace's - * ID (the namespace file inode number), and a file descriptor to the namespace. - * - * When a request is received, `bpfilter` will create a new `bf_ns` object - * to refer to the client's namespaces. Before calling - * `bf_flavor_ops.attach_prog`, `bpfilter` will jump to the request's - * namespace, attach the program, then jump back to the original namespace. - */ - -struct bf_ns_info -{ - int fd; - uint32_t inode; -}; - -/** - * Contains information about namespaces relevant to bpfilter. - */ -struct bf_ns -{ - struct bf_ns_info net; - struct bf_ns_info mnt; -}; - -/** - * Call `bf_ns_clean` on an `auto` stored `bf_ns` when it goes out of scope to - * avoid resources leakage. - */ -#define _clean_bf_ns_ __attribute__((cleanup(bf_ns_clean))) - -/** - * Initialize a new `bf_ns` to default values. - * - * Ensure an `auto` stored `bf_ns` are initialized to sane defaults, so - * `bf_ns_clean()` can be called safely. - * - * @return An initialized `bf_ns` object. - */ -#define bf_ns_default() \ - (struct bf_ns) \ - { \ - .net = {.fd = -1}, .mnt = {.fd = -1} \ - } - -/** - * Move a `bf_ns` object. - * - * Move the `bf_ns` object from `ns` and return it. Once moved, `ns` will be - * reset to default values (see `bf_ns_default()`) on which `bf_ns_clean()` can - * safely be called. The caller is responsible for cleaning up the `bf_ns` - * object returned. - * - * @param ns Variable to move the `bf_ns` object out of. - * @return A `bf_ns` object. 
- */ -#define bf_ns_move(ns) \ - ({ \ - struct bf_ns *__ns = &(ns); \ - struct bf_ns _ns = *__ns; \ - *__ns = bf_ns_default(); \ - _ns; \ - }) - -/** - * Initialize an allocated `bf_ns` object. - * - * The `procfs` entry of `pid` will be used to open a reference to its - * network and mount namespaces and store it in `ns`. - * - * @param ns Object to initialize. On failure, this parameter is unchanged. - * Can't be NULL. - * @param pid PID of the process to open the namespaces of. - * @return 0 on success, or a negative errno value on failure. - */ -int bf_ns_init(struct bf_ns *ns, pid_t pid); - -/** - * Clean a `bf_ns` object. - * - * @param ns Object to clean. Can't be NULL. - */ -void bf_ns_clean(struct bf_ns *ns); - -/** - * Move the current process to different namespaces. - * - * This function will change the current namespace to the one defined in `ns`. - * It is critical for this function to succeed; otherwise the process will be - * in an unstable state: partially in a new namespace, partially in its original - * namespace. - * - * @param ns Namespaces to move to. Can't be NULL. - * @param oldns Namespaces to move out of. This information is needed as - * `setns()` will fail if we try to move to a namespace we are already in. - * It is not possible for `setns()` to look up the current namespace - * itself, as we must assume a new `/proc` has been mounted too, - * hiding the information about the current process. Hence, the only - * reliable solution is to collect this information before calling - * `setns()`. - * @return 0 on success, or a negative errno value on failure. - */ -int bf_ns_set(const struct bf_ns *ns, const struct bf_ns *oldns); diff --git a/src/libbpfilter/include/bpfilter/pack.h b/src/libbpfilter/include/bpfilter/pack.h index a9db36186..39262d996 100644 --- a/src/libbpfilter/include/bpfilter/pack.h +++ b/src/libbpfilter/include/bpfilter/pack.h 
@@ -14,8 +14,8 @@ /** * @file pack.h * - * Serialization is used to send/receive bpfilter objects to and from the - * daemon. While bpfilter originally used a custom logic to convert its objects + * Serialization is used to persist and transfer bpfilter objects. While + * bpfilter originally used a custom logic to convert its objects * into binary data, it was inefficient and didn't support different versions of * the same object (when fields are added or removed). Instead, the new packing * logic provides an API to (de)serialize bpfilter objects using diff --git a/src/libbpfilter/include/bpfilter/request.h b/src/libbpfilter/include/bpfilter/request.h deleted file mode 100644 index 948c76352..000000000 --- a/src/libbpfilter/include/bpfilter/request.h +++ /dev/null 
@@ -1,115 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -/* - * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. - */ - -#pragma once - -#include - -#include -#include - -struct bf_dynbuf; -struct bf_ns; - -#define _free_bf_request_ __attribute__((cleanup(bf_request_free))) - -/** - * @enum bf_request_cmd - * - * Defines a request type, so bpfilter can understand the client-specific - * data contained in the request, and call the proper handler. - * - * @var bf_request_cmd::BF_REQ_CUSTOM - * Custom request. - */ -enum bf_request_cmd -{ - /* Flush the ruleset: remove all the filtering rules defined. */ - BF_REQ_RULESET_FLUSH, - BF_REQ_RULESET_GET, - - /** Set the current ruleset. Existing chains are flushed and replaced with - * the chains defined in the request. */ - BF_REQ_RULESET_SET, - - BF_REQ_CHAIN_SET, - BF_REQ_CHAIN_GET, - BF_REQ_CHAIN_PROG_FD, - BF_REQ_CHAIN_LOGS_FD, - BF_REQ_CHAIN_LOAD, - BF_REQ_CHAIN_ATTACH, - BF_REQ_CHAIN_UPDATE, - BF_REQ_CHAIN_UPDATE_SET, - BF_REQ_CHAIN_FLUSH, - - BF_REQ_COUNTERS_SET, - BF_REQ_COUNTERS_GET, - BF_REQ_CUSTOM, - _BF_REQ_CMD_MAX, -}; - -struct bf_request; - -/** - * Allocate and initialise a new request. - * - * @param request Pointer to the request to allocate. Must be non-NULL. - * @param cmd Request command. - * @param data Client-specific data. - * @param data_len Length of the client-specific data. - * @return 0 on success or negative errno code on failure. - */ -int bf_request_new(struct bf_request **request, enum bf_request_cmd cmd, - const void *data, size_t data_len); - -int bf_request_new_from_dynbuf(struct bf_request **request, - struct bf_dynbuf *dynbuf); -int bf_request_new_from_pack(struct bf_request **request, - enum bf_request_cmd cmd, bf_wpack_t *pack); - -/** - * Free a request. - * - * If @p request points to a NULL pointer, this function does nothing. Once the - * function returns, @p request points to a NULL pointer. - * - * @param request Request to free. Can't be NULL. 
- */ -void bf_request_free(struct bf_request **request); - -/** - * Copy a request. - * - * @param dest The destination request. It will be allocated during the call. - * Can't be NULL. - * @param src The source request, to copy. Can't be NULL. - * @return 0 on success, negative error code on failure. - */ -int bf_request_copy(struct bf_request **dest, const struct bf_request *src); - -struct bf_ns *bf_request_ns(const struct bf_request *request); -enum bf_request_cmd bf_request_cmd(const struct bf_request *request); -int bf_request_fd(const struct bf_request *request); -const void *bf_request_data(const struct bf_request *request); -size_t bf_request_data_len(const struct bf_request *request); - -void bf_request_set_ns(struct bf_request *request, struct bf_ns *ns); -void bf_request_set_fd(struct bf_request *request, int fd); - -/** - * Get the total size of the request: request structure and data. - * - * @param request Request to get the size of. Can't be NULL. - * @return Total size of the request. - */ -size_t bf_request_size(const struct bf_request *request); - -/** - * @brief Convert a `bf_request_cmd` value to a string. - * - * @param cmd The request command to convert. Must be a valid command. - * @return String representation of `cmd`. - */ -const char *bf_request_cmd_to_str(enum bf_request_cmd cmd); diff --git a/src/libbpfilter/include/bpfilter/response.h b/src/libbpfilter/include/bpfilter/response.h deleted file mode 100644 index 0660c43ca..000000000 --- a/src/libbpfilter/include/bpfilter/response.h +++ /dev/null 
@@ -1,86 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -/* - * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. - */ - -#pragma once - -#include - -#include -#include - -#define _free_bf_response_ __attribute__((cleanup(bf_response_free))) - -struct bf_dynbuf; -struct bf_response; - -/** - * Allocate a response without copying data. - * - * Space will be allocated in the response for @p data_len bytes of data, but - * no data will be copied, nor will the response's data be initialized. - * - * The response's status will be set to 0. - * - * @param response Pointer to the response to allocate. Must be non-NULL. - * @param data_len Size of the data to allocate. - * @return 0 on success, or negative errno code on failure. - */ -int bf_response_new_raw(struct bf_response **response, size_t data_len); - -/** - * Allocate and initialise a new successful response. - * - * @param response Pointer to the response to allocate. Must be non-NULL. - * @param data Client-specific data. - * @param data_len Length of the client-specific data. - * @return 0 on success, or negative errno code on failure. - */ -int bf_response_new_success(struct bf_response **response, const char *data, - size_t data_len); - -int bf_response_new_from_dynbuf(struct bf_response **response, - struct bf_dynbuf *dynbuf); -int bf_response_new_from_pack(struct bf_response **response, bf_wpack_t *pack); - -/** - * Allocate and initialise a new failure response. - * - * @param response Pointer to the response to allocate. Must be non-NULL. - * @param error Error code that store in the response. - * @return 0 on success, or negative errno code on failure. - */ -int bf_response_new_failure(struct bf_response **response, int error); - -/** - * Free a response. - * - * If @p response points to a NULL pointer, this function does nothing. Once the - * function returns, @p response points to a NULL pointer. - * - * @param response Response to free. Can't be NULL. 
- */ -void bf_response_free(struct bf_response **response); - -/** - * Copy a response. - * - * @param dest The destination response. It will be allocated during the call. - * Can't be NULL. - * @param src The source response, to copy. Can't be NULL. - * @return 0 on success, negative error code on failure. - */ -int bf_response_copy(struct bf_response **dest, const struct bf_response *src); - -int bf_response_status(const struct bf_response *response); -const void *bf_response_data(const struct bf_response *response); -size_t bf_response_data_len(const struct bf_response *response); - -/** - * Get the total size of the response: request structure and data (if any). - * - * @param response Response to get the size of. Can't be NULL. - * @return Total size of the response. - */ -size_t bf_response_size(const struct bf_response *response); diff --git a/src/libbpfilter/io.c b/src/libbpfilter/io.c index bb5e15ec9..5fd5cc26a 100644 --- a/src/libbpfilter/io.c +++ b/src/libbpfilter/io.c 
@@ -8,192 +8,14 @@ #include #include #include -#include -#include -#include #include -#include #include -#include #include -#include "bpfilter/dynbuf.h" #include "bpfilter/helper.h" #include "bpfilter/logger.h" -#include "bpfilter/request.h" -#include "bpfilter/response.h" #define BF_PERM_755 (S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) -#define BF_MSG_BUF_SIZE 1024U - -static int _bf_recv_in_buff(int fd, struct bf_dynbuf *buf) -{ - size_t remaining = 1; - - assert(buf); - - while (remaining > 0) { - ssize_t r; - uint8_t tmpbuf[BF_MSG_BUF_SIZE]; - - struct iovec iov[2] = { - { - .iov_base = &remaining, - .iov_len = sizeof(remaining), - }, - { - .iov_base = tmpbuf, - .iov_len = BF_MSG_BUF_SIZE, - }, - }; - - struct msghdr msg = { - .msg_iov = iov, - .msg_iovlen = ARRAY_SIZE(iov), - .msg_name = NULL, - .msg_namelen = 0, - .msg_control = NULL, - .msg_controllen = 0, - }; - - r = recvmsg(fd, &msg, 0); - if (r < 0) - return bf_err_r(-errno, "failed to receive data"); - if ((size_t)r < sizeof(remaining)) - return bf_err_r(-EIO, "received partial data"); - - r = bf_dynbuf_write(buf, tmpbuf, r - sizeof(remaining)); - if (r) { - return bf_err_r((int)r, - "failed to write received data to dynamic buffer"); - } - } - - return 0; -} - -static int _bf_send_from_buff(int fd, void *buf, size_t buf_len) -{ - size_t sent = 0; - - assert(buf); - - while (buf_len > 0) { - size_t send_size = bf_min(BF_MSG_BUF_SIZE, buf_len); - ssize_t r; - size_t rem = buf_len - send_size; - - struct iovec iov[2] = { - { - .iov_base = &rem, - .iov_len = sizeof(buf_len), - }, - { - .iov_base = buf + sent, - .iov_len = send_size, - }, - }; - - struct msghdr msg = { - .msg_iov = iov, - .msg_iovlen = ARRAY_SIZE(iov), - .msg_name = NULL, - .msg_namelen = 0, - .msg_control = NULL, - .msg_controllen = 0, - }; - - r = sendmsg(fd, &msg, MSG_NOSIGNAL); - if (r < 0) - return bf_err_r(-errno, "failed to send data from buff"); - if ((size_t)r != send_size + sizeof(buf_len)) - return bf_err_r(-EIO, "sent 
partial data"); - - sent += (size_t)r - sizeof(buf_len); - buf_len -= (size_t)r - sizeof(buf_len); - } - - return 0; -} - -/** - * Send a request to the given file descriptor. - * - * @param fd File descriptor to send the request to. Must be a valid file - * descriptor. - * @param request Request to send. Can't be NULL. - * @return 0 on success, negative error code on failure. - */ -static int _bf_send_request(int fd, const struct bf_request *request) -{ - int r; - - assert(request); - - r = _bf_send_from_buff(fd, (void *)request, bf_request_size(request)); - if (r < 0) - return bf_err_r(r, "failed to send request"); - - return 0; -} - -int bf_recv_request(int fd, struct bf_request **request) -{ - _clean_bf_dynbuf_ struct bf_dynbuf dynbuf = bf_dynbuf_default(); - int r; - - assert(request); - - r = _bf_recv_in_buff(fd, &dynbuf); - if (r) - return bf_err_r(r, "failed to receive request"); - - r = bf_request_new_from_dynbuf(request, &dynbuf); - if (r) - return bf_err_r((int)r, "failed to create request from buffer"); - - return 0; -} - -int bf_send_response(int fd, struct bf_response *response) -{ - int r; - - assert(response); - - r = _bf_send_from_buff(fd, (void *)response, bf_response_size(response)); - if (r < 0) - return bf_err_r(r, "failed to send response"); - - return 0; -} - -/** - * Received a response from the file descriptor. - * - * @param fd File descriptor to receive the response from. Must be a valid file - * descriptor. - * @param response Response to receive. Can't be NULL. Will be allocated by the - * function. - * @return 0 on success, negative error code on failure. 
- */ -static int _bf_recv_response(int fd, struct bf_response **response) -{ - _clean_bf_dynbuf_ struct bf_dynbuf dynbuf = bf_dynbuf_default(); - int r; - - assert(response); - - r = _bf_recv_in_buff(fd, &dynbuf); - if (r) - return bf_err_r((int)r, "failed to receive response"); - - r = bf_response_new_from_dynbuf(response, &dynbuf); - if (r) - return bf_err_r((int)r, "failed to create response from buffer"); - - return 0; -} int bf_ensure_dir(const char *dir) { 
@@ -329,121 +151,3 @@ int bf_acquire_lock(const char *path) return TAKE_FD(fd); } - -int bf_send_fd(int sock_fd, int fd) -{ - char dummy = 'X'; - struct cmsghdr *cmsg; - struct msghdr msg = {0}; - char buf[CMSG_SPACE(sizeof(int))]; - struct iovec iov = {.iov_base = &dummy, .iov_len = 1}; - ssize_t r; - - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - msg.msg_control = buf; - msg.msg_controllen = sizeof(buf); - - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_level = SOL_SOCKET; - cmsg->cmsg_type = SCM_RIGHTS; - cmsg->cmsg_len = CMSG_LEN(sizeof(int)); - - memcpy(CMSG_DATA(cmsg), &fd, sizeof(int)); - - r = sendmsg(sock_fd, &msg, 0); - if (r < 0) - return bf_err_r(errno, "failed to send file descriptor"); - - return 0; -} - -/** - * @brief Receive a file descriptor over a Unix Domain Socket. - * - * @param sock_fd Socket file descriptor to receive the file descriptor through. - * @return A file descriptor, or a negative error value on failure. The caller - * owns the file descriptor. - */ -static int _bf_recv_fd(int sock_fd) -{ - int fd; - char dummy; - struct cmsghdr *cmsg; - struct msghdr msg = {0}; - char buf[CMSG_SPACE(sizeof(int))]; - struct iovec iov = {.iov_base = &dummy, .iov_len = 1}; - ssize_t r; - - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - msg.msg_control = buf; - msg.msg_controllen = sizeof(buf); - - r = recvmsg(sock_fd, &msg, 0); - if (r < 0) - return bf_err_r(errno, "failed to receive file descriptor"); - - cmsg = CMSG_FIRSTHDR(&msg); - if (!cmsg) - return bf_err_r(-ENOENT, "no control message received"); - if (cmsg->cmsg_level != SOL_SOCKET) - return bf_err_r(-EINVAL, "invalid control message level"); - if (cmsg->cmsg_type != SCM_RIGHTS) - return bf_err_r(-EINVAL, "invalid control message type"); - - memcpy(&fd, CMSG_DATA(cmsg), sizeof(int)); - - return fd; -} - -int bf_connect_to_daemon(void) -{ - _cleanup_close_ int fd = -1; - struct sockaddr_un addr = {}; - int r; - - fd = socket(AF_UNIX, SOCK_STREAM, 0); - if (fd < 0) - return bf_err_r(errno, "bpfilter: 
can't create socket"); - - addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, BF_SOCKET_PATH, sizeof(addr.sun_path) - 1); - - r = connect(fd, (struct sockaddr *)&addr, sizeof(addr)); - if (r < 0) - return bf_err_r(errno, "bpfilter: failed to connect to socket"); - - return TAKE_FD(fd); -} - -int bf_send(int fd, const struct bf_request *request, - struct bf_response **response, int *recv_fd) -{ - _cleanup_close_ int _recv_fd = -1; - int r; - - assert(request); - assert(response); - - r = _bf_send_request(fd, request); - if (r < 0) - return bf_err_r(r, "bpfilter: failed to send request to the daemon"); - - if (recv_fd) { - _recv_fd = _bf_recv_fd(fd); - if (_recv_fd < 0) - return bf_err_r(_recv_fd, "failed to receive file descriptor"); - } - - r = _bf_recv_response(fd, response); - if (r < 0) { - return bf_err_r(r, - "bpfilter: failed to receive response from the daemon"); - } - - if (recv_fd) - *recv_fd = TAKE_FD(_recv_fd); - - return 0; -} diff --git a/src/libbpfilter/ns.c b/src/libbpfilter/ns.c deleted file mode 100644 index 3f1a5da2d..000000000 --- a/src/libbpfilter/ns.c +++ /dev/null 
@@ -1,112 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -/* - * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. - */ - -#define _GNU_SOURCE - -#include "bpfilter/ns.h" - -#include -#include -#include -#include -#include -#include - -#include "bpfilter/helper.h" -#include "bpfilter/logger.h" - -#define NS_DIR_PATH_LEN 32 - -/** - * Initialize a `bf_ns_info` structure for a given namespace. - * - * @param info `bf_ns_info` object to initialise. On failure, this parameter is - * unchanged. Can't be NULL. - * @param name Name of the namespace to open. Can't be NULL. - * @param dir_fd File descriptor of the directory to open the namespace from. - * @return 0 on success, or a negative errno value on failure. - */ -static int _bf_ns_info_init(struct bf_ns_info *info, const char *name, - int dir_fd) -{ - _cleanup_close_ int fd = -1; - struct stat stats; - int r; - - assert(info); - assert(name); - - fd = openat(dir_fd, name, O_RDONLY, 0); - if (fd < 0) - return -errno; - - r = fstat(fd, &stats); - if (r) - return -errno; - - info->fd = TAKE_FD(fd); - info->inode = stats.st_ino; - - return 0; -} - -int bf_ns_init(struct bf_ns *ns, pid_t pid) -{ - _clean_bf_ns_ struct bf_ns _ns = bf_ns_default(); - _cleanup_close_ int dirfd = -1; - char ns_dir_path[NS_DIR_PATH_LEN]; - int r; - - assert(ns); - - /// @todo What if ``/proc`` is not readable? 
- (void)snprintf(ns_dir_path, NS_DIR_PATH_LEN, "/proc/%d/ns", pid); - dirfd = open(ns_dir_path, O_DIRECTORY, O_RDONLY); - if (dirfd < 0) - return bf_err_r(errno, "failed to open ns directory '%s'", ns_dir_path); - - r = _bf_ns_info_init(&_ns.net, "net", dirfd); - if (r) { - return bf_err_r(r, "failed to read 'net' namespace in '%s'", - ns_dir_path); - } - - r = _bf_ns_info_init(&_ns.mnt, "mnt", dirfd); - if (r) { - return bf_err_r(r, "failed to read 'mnt' namespace in '%s'", - ns_dir_path); - } - - *ns = bf_ns_move(_ns); - - return 0; -} - -void bf_ns_clean(struct bf_ns *ns) -{ - assert(ns); - - closep(&ns->net.fd); - closep(&ns->mnt.fd); -} - -int bf_ns_set(const struct bf_ns *ns, const struct bf_ns *oldns) -{ - int r; - - if (!oldns || ns->net.inode != oldns->net.inode) { - r = setns(ns->net.fd, CLONE_NEWNET); - if (r) - return bf_err_r(r, "failed to switch to a network namespace"); - } - - if (!oldns || ns->mnt.inode != oldns->mnt.inode) { - r = setns(ns->mnt.fd, CLONE_NEWNS); - if (r) - return bf_err_r(r, "failed to switch to a mount namespace"); - } - - return 0; -} diff --git a/src/libbpfilter/request.c b/src/libbpfilter/request.c deleted file mode 100644 index b4db141bc..000000000 --- a/src/libbpfilter/request.c +++ /dev/null 
@@ -1,207 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -/* - * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. - */ - -#include "bpfilter/request.h" - -#include -#include -#include -#include -#include - -#include "bpfilter/dynbuf.h" -#include "bpfilter/helper.h" -#include "bpfilter/pack.h" - -/** - * @struct bf_request - * - * Generic request format sent by the client to the daemon. - * - * @var bf_request::cmd - * Command. - * @var bf_request::data_len - * Length of the client-specific data. - * @var bf_request::data - * Client-specific data. - */ -struct bf_request -{ - enum bf_request_cmd cmd; - - /** Namespaces the request is coming from. This field will be automatically - * populated by the daemon when receiving the request. */ - struct bf_ns *ns; - - /** File descriptor of the receiver socket. This field is automatically - * populated by the daemon when receiving the request. The request doesn't - * own the file descriptor. */ - int fd; - - size_t data_len; - - /// @todo Return a user-readable error message if the request fails. 
- char data[]; -}; - -int bf_request_new(struct bf_request **request, enum bf_request_cmd cmd, - const void *data, size_t data_len) -{ - _free_bf_request_ struct bf_request *_request = NULL; - - assert(request); - assert(!(!!data ^ !!data_len)); - - _request = calloc(1, sizeof(*_request) + data_len); - if (!_request) - return -ENOMEM; - - if (data) { - memcpy(_request->data, data, data_len); - _request->data_len = data_len; - } - - _request->cmd = cmd; - - *request = TAKE_PTR(_request); - - return 0; -} - -int bf_request_new_from_dynbuf(struct bf_request **request, - struct bf_dynbuf *dynbuf) -{ - struct bf_request *tmpreq; - - assert(request); - assert(dynbuf); - - if (dynbuf->len < sizeof(*tmpreq)) - return -EINVAL; - - tmpreq = dynbuf->data; - if (bf_request_size(tmpreq) != dynbuf->len) - return -EINVAL; - - *request = bf_dynbuf_take(dynbuf); - - return 0; -} - -int bf_request_new_from_pack(struct bf_request **request, - enum bf_request_cmd cmd, bf_wpack_t *pack) -{ - const void *data; - size_t data_len; - int r; - - assert(request); - assert(pack); - - if (!bf_wpack_is_valid(pack)) - return -EINVAL; - - r = bf_wpack_get_data(pack, &data, &data_len); - if (r) - return r; - - return bf_request_new(request, cmd, data, data_len); -} - -int bf_request_copy(struct bf_request **dest, const struct bf_request *src) -{ - _free_bf_request_ struct bf_request *_request = NULL; - - assert(dest); - assert(src); - - _request = bf_memdup(src, bf_request_size(src)); - if (!_request) - return -ENOMEM; - - *dest = TAKE_PTR(_request); - - return 0; -} - -void bf_request_free(struct bf_request **request) -{ - free(*request); - *request = NULL; -} - -enum bf_request_cmd bf_request_cmd(const struct bf_request *request) -{ - assert(request); - return request->cmd; -} - -struct bf_ns *bf_request_ns(const struct bf_request *request) -{ - assert(request); - return request->ns; -} - -int bf_request_fd(const struct bf_request *request) -{ - assert(request); - return request->fd; -} - -const 
void *bf_request_data(const struct bf_request *request) -{ - assert(request); - return request->data; -} - -size_t bf_request_data_len(const struct bf_request *request) -{ - assert(request); - return request->data_len; -} - -size_t bf_request_size(const struct bf_request *request) -{ - assert(request); - - return sizeof(struct bf_request) + request->data_len; -} - -void bf_request_set_ns(struct bf_request *request, struct bf_ns *ns) -{ - assert(request); - request->ns = ns; -} - -void bf_request_set_fd(struct bf_request *request, int fd) -{ - assert(request); - request->fd = fd; -} - -const char *bf_request_cmd_to_str(enum bf_request_cmd cmd) -{ - static const char *cmd_strs[] = { - [BF_REQ_RULESET_FLUSH] = "BF_REQ_RULESET_FLUSH", - [BF_REQ_RULESET_GET] = "BF_REQ_RULESET_GET", - [BF_REQ_RULESET_SET] = "BF_REQ_RULESET_SET", - [BF_REQ_CHAIN_SET] = "BF_REQ_CHAIN_SET", - [BF_REQ_CHAIN_GET] = "BF_REQ_CHAIN_GET", - [BF_REQ_CHAIN_LOAD] = "BF_REQ_CHAIN_LOAD", - [BF_REQ_CHAIN_ATTACH] = "BF_REQ_CHAIN_ATTACH", - [BF_REQ_CHAIN_UPDATE] = "BF_REQ_CHAIN_UPDATE", - [BF_REQ_CHAIN_PROG_FD] = "BF_REQ_CHAIN_PROG_FD", - [BF_REQ_CHAIN_LOGS_FD] = "BF_REQ_CHAIN_LOGS_FD", - [BF_REQ_CHAIN_FLUSH] = "BF_REQ_CHAIN_FLUSH", - [BF_REQ_CHAIN_UPDATE_SET] = "BF_REQ_CHAIN_UPDATE_SET", - [BF_REQ_COUNTERS_SET] = "BF_REQ_COUNTERS_SET", - [BF_REQ_COUNTERS_GET] = "BF_REQ_COUNTERS_GET", - [BF_REQ_CUSTOM] = "BF_REQ_CUSTOM", - }; - - static_assert_enum_mapping(cmd_strs, _BF_REQ_CMD_MAX); - - return cmd_strs[cmd]; -} diff --git a/src/libbpfilter/response.c b/src/libbpfilter/response.c deleted file mode 100644 index 4e9531d5b..000000000 --- a/src/libbpfilter/response.c +++ /dev/null 
@@ -1,169 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -/* - * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. - */ - -#include "bpfilter/response.h" - -#include -#include -#include -#include - -#include "bpfilter/dynbuf.h" -#include "bpfilter/helper.h" - -/** - * @brief Response message sent from the daemon to the client. - */ -struct bf_response -{ - /** Response status: 0 on success, or a negative error value on failure. */ - int status; - - /** Number of bytes stored in `data`. */ - size_t data_len; - - /** Data carried by the response. */ - char data[]; -}; - -int bf_response_new_raw(struct bf_response **response, size_t data_len) -{ - assert(response); - - *response = malloc(sizeof(**response) + data_len); - if (!*response) - return -ENOMEM; - - (*response)->status = 0; - - return 0; -} - -int bf_response_new_success(struct bf_response **response, const char *data, - size_t data_len) -{ - _free_bf_response_ struct bf_response *_response = NULL; - - assert(response); - assert(!(!!data ^ !!data_len)); - - _response = calloc(1, sizeof(*_response) + data_len); - if (!_response) - return -ENOMEM; - - _response->status = 0; - _response->data_len = data_len; - bf_memcpy(_response->data, data, data_len); - - *response = TAKE_PTR(_response); - - return 0; -} - -int bf_response_new_from_dynbuf(struct bf_response **response, - struct bf_dynbuf *dynbuf) -{ - struct bf_response *tmpres; - - assert(response); - assert(dynbuf); - - if (dynbuf->len < sizeof(*tmpres)) - return -EINVAL; - - tmpres = dynbuf->data; - if (bf_response_size(tmpres) != dynbuf->len) - return -EINVAL; - - *response = bf_dynbuf_take(dynbuf); - - return 0; -} - -int bf_response_new_from_pack(struct bf_response **response, bf_wpack_t *pack) -{ - const void *data; - size_t data_len; - int r; - - assert(response); - assert(pack); - - if (!bf_wpack_is_valid(pack)) - return -EINVAL; - - r = bf_wpack_get_data(pack, &data, &data_len); - if (r) - return r; - - return 
bf_response_new_success(response, data, data_len); -} - -int bf_response_new_failure(struct bf_response **response, int error) -{ - _free_bf_response_ struct bf_response *_response = NULL; - - assert(response); - - _response = calloc(1, sizeof(*_response)); - if (!_response) - return -ENOMEM; - - _response->status = error; - - *response = TAKE_PTR(_response); - - return 0; -} - -void bf_response_free(struct bf_response **response) -{ - free(*response); - *response = NULL; -} - -int bf_response_copy(struct bf_response **dest, const struct bf_response *src) -{ - _free_bf_response_ struct bf_response *_response = NULL; - - assert(dest); - assert(src); - - _response = bf_memdup(src, bf_response_size(src)); - if (!_response) - return -ENOMEM; - - *dest = TAKE_PTR(_response); - - return 0; -} - -int bf_response_status(const struct bf_response *response) -{ - assert(response); - - return response->status; -} - -const void *bf_response_data(const struct bf_response *response) -{ - assert(response); - - return response->data; -} - -size_t bf_response_data_len(const struct bf_response *response) -{ - assert(response); - - return response->data_len; -} - -size_t bf_response_size(const struct bf_response *response) -{ - assert(response); - - return sizeof(*response) + response->data_len; -} diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 95877faba..b3efbb8f3 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -43,7 +43,6 @@ if (${WITH_COVERAGE}) --parallel ${N} --quiet "${CMAKE_SOURCE_DIR}/src/libbpfilter\\*" - "${CMAKE_SOURCE_DIR}/src/bpfilter\\*" COMMAND ${LCOV_BIN} --summary ${CMAKE_BINARY_DIR}/coverage.lcov diff --git a/tests/check/CMakeLists.txt b/tests/check/CMakeLists.txt index 50c964475..8a15a03fe 100644 --- a/tests/check/CMakeLists.txt +++ b/tests/check/CMakeLists.txt 
@@ -6,7 +6,6 @@ find_program(CLANG_FORMAT_BIN NAMES clang-format-18 clang-format REQUIRED) file(GLOB_RECURSE bf_srcs ${CMAKE_SOURCE_DIR}/src/core/*.h ${CMAKE_SOURCE_DIR}/src/core/*.c - ${CMAKE_SOURCE_DIR}/src/bpfilter/*.h ${CMAKE_SOURCE_DIR}/src/bpfilter/*.c ${CMAKE_SOURCE_DIR}/src/libbpfilter/*.h ${CMAKE_SOURCE_DIR}/src/libbpfilter/*.c ${CMAKE_SOURCE_DIR}/src/bfcli/*.h ${CMAKE_SOURCE_DIR}/src/bfcli/*.c ) @@ -30,7 +29,7 @@ add_test(NAME "check.iwyu" COMMAND /usr/bin/iwyu_tool.py -p ${CMAKE_BINARY_DIR} - ${CMAKE_SOURCE_DIR}/src/bpfilter/cgen/program.c + ${CMAKE_SOURCE_DIR}/src/libbpfilter/cgen/program.c ) set_tests_properties("check.lint" PROPERTIES diff --git a/tests/e2e/CMakeLists.txt b/tests/e2e/CMakeLists.txt index 12ac79093..d27ae534c 100644 --- a/tests/e2e/CMakeLists.txt +++ b/tests/e2e/CMakeLists.txt @@ -42,7 +42,7 @@ function(bf_add_e2e_test GROUP SOURCE) endfunction() add_custom_target(e2e_bin - DEPENDS setuserns libbpfilter bfcli bpfilter + DEPENDS setuserns libbpfilter bfcli COMMENT "Building end-to-end test binaries" ) @@ -62,13 +62,12 @@ bf_add_e2e_test(e2e cli/nf_inet_dual_stack.sh ROOT) bf_add_e2e_test(e2e cli/options_error.sh) bf_add_e2e_test(e2e cli/ruleset.sh ROOT) -bf_add_e2e_test(e2e daemon/already_running.sh ROOT) -bf_add_e2e_test(e2e daemon/host_to_netns.sh ROOT) -bf_add_e2e_test(e2e daemon/netns_to_host.sh ROOT) -bf_add_e2e_test(e2e daemon/pin_updated_chain.sh ROOT) -bf_add_e2e_test(e2e daemon/restore_attached.sh ROOT) -bf_add_e2e_test(e2e daemon/restore_non_attached.sh ROOT) -bf_add_e2e_test(e2e daemon/sock_exists.sh ROOT) +bf_add_e2e_test(e2e namespace/host_to_netns.sh ROOT) +bf_add_e2e_test(e2e namespace/netns_to_host.sh ROOT) + +bf_add_e2e_test(e2e persistence/pin_updated_chain.sh ROOT) +bf_add_e2e_test(e2e persistence/restore_attached.sh ROOT) +bf_add_e2e_test(e2e persistence/restore_non_attached.sh ROOT) bf_add_e2e_test(e2e matchers/icmp_code.sh) bf_add_e2e_test(e2e matchers/icmp_type.sh) 
diff --git a/tests/e2e/cli/chain_attach.sh b/tests/e2e/cli/chain_attach.sh index 4f6ba9931..f304f0028 100755 --- a/tests/e2e/cli/chain_attach.sh +++ b/tests/e2e/cli/chain_attach.sh 
@@ -3,49 +3,48 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter -${FROM_NS} bfcli chain load --from-str "chain chain_attach_0 BF_HOOK_XDP ACCEPT" -(! ${FROM_NS} bfcli chain attach --name chain_attach_0 --option family=inet4 --option priorities=101-102) -${FROM_NS} bfcli chain get --name chain_attach_0 -${FROM_NS} bfcli chain flush --name chain_attach_0 +${FROM_NS} ${BFCLI} chain load --from-str "chain chain_attach_0 BF_HOOK_XDP ACCEPT" +(! ${FROM_NS} ${BFCLI} chain attach --name chain_attach_0 --option family=inet4 --option priorities=101-102) +${FROM_NS} ${BFCLI} chain get --name chain_attach_0 +${FROM_NS} ${BFCLI} chain flush --name chain_attach_0 # XDP ping -c 1 -W 0.1 ${NS_IP_ADDR} -${FROM_NS} bfcli chain load --from-str "chain chain_attach_xdp_0 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log link,transport,internet counter DROP" -${FROM_NS} bfcli chain load --from-str "chain chain_attach_xdp_1 BF_HOOK_XDP ACCEPT" -${FROM_NS} bfcli chain attach --name chain_attach_xdp_0 --option ifindex=${NS_IFINDEX} -(! ${FROM_NS} bfcli chain attach --name chain_attach_xdp_1 --option ifindex=${NS_IFINDEX}) +${FROM_NS} ${BFCLI} chain load --from-str "chain chain_attach_xdp_0 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log link,transport,internet counter DROP" +${FROM_NS} ${BFCLI} chain load --from-str "chain chain_attach_xdp_1 BF_HOOK_XDP ACCEPT" +${FROM_NS} ${BFCLI} chain attach --name chain_attach_xdp_0 --option ifindex=${NS_IFINDEX} +(! ${FROM_NS} ${BFCLI} chain attach --name chain_attach_xdp_1 --option ifindex=${NS_IFINDEX}) (! 
ping -c 1 -W 0.1 ${NS_IP_ADDR}) -${FROM_NS} bfcli chain flush --name chain_attach_xdp_0 -${FROM_NS} bfcli chain flush --name chain_attach_xdp_1 +${FROM_NS} ${BFCLI} chain flush --name chain_attach_xdp_0 +${FROM_NS} ${BFCLI} chain flush --name chain_attach_xdp_1 # TC ping -c 1 -W 0.1 ${NS_IP_ADDR} -${FROM_NS} bfcli chain load --from-str "chain chain_attach_tc_0 BF_HOOK_TC_EGRESS ACCEPT rule ip4.proto icmp log internet,link,transport counter DROP" -${FROM_NS} bfcli chain load --from-str "chain chain_attach_tc_1 BF_HOOK_TC_EGRESS ACCEPT" -${FROM_NS} bfcli chain attach --name chain_attach_tc_0 --option ifindex=${NS_IFINDEX} -${FROM_NS} bfcli chain attach --name chain_attach_tc_1 --option ifindex=${NS_IFINDEX} +${FROM_NS} ${BFCLI} chain load --from-str "chain chain_attach_tc_0 BF_HOOK_TC_EGRESS ACCEPT rule ip4.proto icmp log internet,link,transport counter DROP" +${FROM_NS} ${BFCLI} chain load --from-str "chain chain_attach_tc_1 BF_HOOK_TC_EGRESS ACCEPT" +${FROM_NS} ${BFCLI} chain attach --name chain_attach_tc_0 --option ifindex=${NS_IFINDEX} +${FROM_NS} ${BFCLI} chain attach --name chain_attach_tc_1 --option ifindex=${NS_IFINDEX} (! 
ping -c 1 -W 0.1 ${NS_IP_ADDR}) -${FROM_NS} bfcli chain flush --name chain_attach_tc_0 -${FROM_NS} bfcli chain flush --name chain_attach_tc_1 +${FROM_NS} ${BFCLI} chain flush --name chain_attach_tc_0 +${FROM_NS} ${BFCLI} chain flush --name chain_attach_tc_1 # cgroup_skb ping -c 1 -W 0.1 ${NS_IP_ADDR} -${FROM_NS} bfcli chain load --from-str "chain chain_attach_cgroup_skb_0 BF_HOOK_CGROUP_SKB_INGRESS ACCEPT" -${FROM_NS} bfcli chain load --from-str "chain chain_attach_cgroup_skb_1 BF_HOOK_CGROUP_SKB_INGRESS ACCEPT rule ip4.proto icmp log internet counter DROP" -${FROM_NS} bfcli chain attach --name chain_attach_cgroup_skb_0 --option cgpath=/sys/fs/cgroup -${FROM_NS} bfcli chain attach --name chain_attach_cgroup_skb_1 --option cgpath=/sys/fs/cgroup +${FROM_NS} ${BFCLI} chain load --from-str "chain chain_attach_cgroup_skb_0 BF_HOOK_CGROUP_SKB_INGRESS ACCEPT" +${FROM_NS} ${BFCLI} chain load --from-str "chain chain_attach_cgroup_skb_1 BF_HOOK_CGROUP_SKB_INGRESS ACCEPT rule ip4.proto icmp log internet counter DROP" +${FROM_NS} ${BFCLI} chain attach --name chain_attach_cgroup_skb_0 --option cgpath=/sys/fs/cgroup +${FROM_NS} ${BFCLI} chain attach --name chain_attach_cgroup_skb_1 --option cgpath=/sys/fs/cgroup (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) -${FROM_NS} bfcli chain flush --name chain_attach_cgroup_skb_0 -${FROM_NS} bfcli chain flush --name chain_attach_cgroup_skb_1 +${FROM_NS} ${BFCLI} chain flush --name chain_attach_cgroup_skb_0 +${FROM_NS} ${BFCLI} chain flush --name chain_attach_cgroup_skb_1 # Netfilter ping -c 1 -W 0.1 ${NS_IP_ADDR} -${FROM_NS} bfcli chain load --from-str "chain chain_attach_nf_0 BF_HOOK_NF_LOCAL_IN ACCEPT rule ip4.proto icmp counter DROP" -${FROM_NS} bfcli chain load --from-str "chain chain_attach_nf_1 BF_HOOK_NF_LOCAL_IN ACCEPT" -${FROM_NS} bfcli chain attach --name chain_attach_nf_0 --option family=inet4 --option priorities=101-102 -(! 
${FROM_NS} bfcli chain attach --name chain_attach_nf_1 --option family=inet4 --option priorities=101-102) +${FROM_NS} ${BFCLI} chain load --from-str "chain chain_attach_nf_0 BF_HOOK_NF_LOCAL_IN ACCEPT rule ip4.proto icmp counter DROP" +${FROM_NS} ${BFCLI} chain load --from-str "chain chain_attach_nf_1 BF_HOOK_NF_LOCAL_IN ACCEPT" +${FROM_NS} ${BFCLI} chain attach --name chain_attach_nf_0 --option family=inet4 --option priorities=101-102 +(! ${FROM_NS} ${BFCLI} chain attach --name chain_attach_nf_1 --option family=inet4 --option priorities=101-102) (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) -${FROM_NS} bfcli chain flush --name chain_attach_nf_0 -${FROM_NS} bfcli chain flush --name chain_attach_nf_1 \ No newline at end of file +${FROM_NS} ${BFCLI} chain flush --name chain_attach_nf_0 +${FROM_NS} ${BFCLI} chain flush --name chain_attach_nf_1 \ No newline at end of file diff --git a/tests/e2e/cli/chain_load.sh b/tests/e2e/cli/chain_load.sh index a1d2ef4e7..0afb8b718 100755 --- a/tests/e2e/cli/chain_load.sh +++ b/tests/e2e/cli/chain_load.sh 
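Review bot: Every assertion in this hunk now runs through `${BFCLI}`, which the script never validates, so an unset or empty `BFCLI` (for example an older `e2e_test_util.sh` sourced on the first line) makes the positive lines fail loudly but turns every negated line — `(! ${FROM_NS} ${BFCLI} chain attach --name chain_attach_xdp_1 --option ifindex=${NS_IFINDEX})` and the nf_1/chain_attach_0 cases — into a spurious pass, because "command not found" is also a non-zero exit. Add `: "${BFCLI:?BFCLI is not set}"` right after `make_sandbox` (or in the util) so the test aborts instead of silently passing its negative cases. The same guard would protect the `${FROM_NS}` wrapper, which is also used unchecked. Since `start_bpfilter` is removed, I assume bfcli now loads and attaches the programs itself; the `(! ping ...)` checks are then the only evidence the attach took effect, so keeping the negative cases honest matters more than before.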
@@ -3,23 +3,22 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter # No chain found -(! ${FROM_NS} bfcli chain load --from-str "") +(! ${FROM_NS} ${BFCLI} chain load --from-str "") # Single chain found -(! ${FROM_NS} bfcli chain load --name invalid_name --from-str "chain chain_load_xdp_0 BF_HOOK_XDP ACCEPT") -${FROM_NS} bfcli chain load --from-str "chain chain_load_xdp_1 BF_HOOK_XDP ACCEPT" -${FROM_NS} bfcli chain load --name chain_load_xdp_2 --from-str "chain chain_load_xdp_2 BF_HOOK_XDP ACCEPT" -${FROM_NS} bfcli chain get --name chain_load_xdp_1 -${FROM_NS} bfcli chain get --name chain_load_xdp_2 -${FROM_NS} bfcli chain flush --name chain_load_xdp_1 -${FROM_NS} bfcli chain flush --name chain_load_xdp_2 +(! ${FROM_NS} ${BFCLI} chain load --name invalid_name --from-str "chain chain_load_xdp_0 BF_HOOK_XDP ACCEPT") +${FROM_NS} ${BFCLI} chain load --from-str "chain chain_load_xdp_1 BF_HOOK_XDP ACCEPT" +${FROM_NS} ${BFCLI} chain load --name chain_load_xdp_2 --from-str "chain chain_load_xdp_2 BF_HOOK_XDP ACCEPT" +${FROM_NS} ${BFCLI} chain get --name chain_load_xdp_1 +${FROM_NS} ${BFCLI} chain get --name chain_load_xdp_2 +${FROM_NS} ${BFCLI} chain flush --name chain_load_xdp_1 +${FROM_NS} ${BFCLI} chain flush --name chain_load_xdp_2 # Multiple chains found -(! ${FROM_NS} bfcli chain load --from-str "chain chain_load_tc_0 BF_HOOK_TC_INGRESS ACCEPT chain chain_load_tc_1 BF_HOOK_TC_INGRESS ACCEPT") -(! ${FROM_NS} bfcli chain load --name invalid --from-str "chain chain_load_tc_2 BF_HOOK_TC_INGRESS ACCEPT chain chain_load_tc_3 BF_HOOK_TC_INGRESS ACCEPT") -${FROM_NS} bfcli chain load --name chain_load_tc_4 --from-str "chain chain_load_tc_4 BF_HOOK_TC_INGRESS ACCEPT chain chain_load_tc_5 BF_HOOK_TC_INGRESS ACCEPT" -${FROM_NS} bfcli chain get --name chain_load_tc_4 -${FROM_NS} bfcli chain flush --name chain_load_tc_4 \ No newline at end of file +(! 
${FROM_NS} ${BFCLI} chain load --from-str "chain chain_load_tc_0 BF_HOOK_TC_INGRESS ACCEPT chain chain_load_tc_1 BF_HOOK_TC_INGRESS ACCEPT") +(! ${FROM_NS} ${BFCLI} chain load --name invalid --from-str "chain chain_load_tc_2 BF_HOOK_TC_INGRESS ACCEPT chain chain_load_tc_3 BF_HOOK_TC_INGRESS ACCEPT") +${FROM_NS} ${BFCLI} chain load --name chain_load_tc_4 --from-str "chain chain_load_tc_4 BF_HOOK_TC_INGRESS ACCEPT chain chain_load_tc_5 BF_HOOK_TC_INGRESS ACCEPT" +${FROM_NS} ${BFCLI} chain get --name chain_load_tc_4 +${FROM_NS} ${BFCLI} chain flush --name chain_load_tc_4 \ No newline at end of file diff --git a/tests/e2e/cli/chain_set.sh b/tests/e2e/cli/chain_set.sh index 86c36c87f..00264e044 100755 --- a/tests/e2e/cli/chain_set.sh +++ b/tests/e2e/cli/chain_set.sh 
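Review bot: The negative cases in this hunk — `(! ${FROM_NS} ${BFCLI} chain load --name invalid_name --from-str "chain chain_load_xdp_0 BF_HOOK_XDP ACCEPT")` and the two rejected multi-chain loads for chain_load_tc_0..3 — only check the exit status, never that the rejected chains were left uninstalled. With `start_bpfilter` gone the load presumably happens inside bfcli itself (inferred from the hunk, not visible here), so a load that fails after partially pinning a chain would go unnoticed and leak state into the next test. Add `(! ${FROM_NS} ${BFCLI} chain get --name chain_load_xdp_0)` after the first negative case and `(! ${FROM_NS} ${BFCLI} chain get --name chain_load_tc_0)` plus `(! ${FROM_NS} ${BFCLI} chain get --name chain_load_tc_2)` after the multi-chain rejections. For the same reason the successful `--name chain_load_tc_4` load should be followed by `(! ${FROM_NS} ${BFCLI} chain get --name chain_load_tc_5)` to confirm the unselected chain in the same string was not installed.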
@@ -3,21 +3,20 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter -(! ${FROM_NS} bfcli chain set --from-str "") -(! ${FROM_NS} bfcli chain set --from-str "chain test0 BF_HOOK_XDP ACCEPT chain test1 BF_HOOK_XDP ACCEPT") -(! ${FROM_NS} bfcli chain set --name invalid --from-str "chain test0 BF_HOOK_XDP ACCEPT chain test1 BF_HOOK_XDP ACCEPT") -${FROM_NS} bfcli chain set --from-str "chain chain_set_xdp_0 BF_HOOK_XDP ACCEPT" -${FROM_NS} bfcli chain set --from-str "chain chain_set_xdp_1 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT" -${FROM_NS} bfcli chain set --name chain_set_tc_0 --from-str "chain chain_set_tc_0 BF_HOOK_TC_INGRESS ACCEPT chain chain_set_tc_1 BF_HOOK_TC_INGRESS ACCEPT" -${FROM_NS} bfcli chain set --name chain_set_tc_2 --from-str "chain chain_set_tc_2 BF_HOOK_TC_EGRESS{ifindex=${NS_IFINDEX}} ACCEPT chain chain_set_tc_3 BF_HOOK_TC_INGRESS ACCEPT" -${FROM_NS} bfcli chain set --from-str "chain chain_set_xdp_0 BF_HOOK_NF_LOCAL_IN ACCEPT" -${FROM_NS} bfcli chain set --from-str "chain chain_set_tc_0 BF_HOOK_NF_LOCAL_IN{family=inet4,priorities=101-102} ACCEPT" -${FROM_NS} bfcli chain set --from-str "chain chain_set_xdp_1 BF_HOOK_NF_LOCAL_IN ACCEPT" -${FROM_NS} bfcli chain set --from-str "chain chain_set_tc_2 BF_HOOK_NF_LOCAL_IN{family=inet4,priorities=103-104} ACCEPT" -${FROM_NS} bfcli chain flush --name chain_set_xdp_0 -${FROM_NS} bfcli chain flush --name chain_set_xdp_1 -${FROM_NS} bfcli chain flush --name chain_set_tc_0 -${FROM_NS} bfcli chain flush --name chain_set_tc_2 -(! ${FROM_NS} bfcli chain get --name chain_set_tc_2) \ No newline at end of file +(! ${FROM_NS} ${BFCLI} chain set --from-str "") +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain test0 BF_HOOK_XDP ACCEPT chain test1 BF_HOOK_XDP ACCEPT") +(! 
${FROM_NS} ${BFCLI} chain set --name invalid --from-str "chain test0 BF_HOOK_XDP ACCEPT chain test1 BF_HOOK_XDP ACCEPT") +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_set_xdp_0 BF_HOOK_XDP ACCEPT" +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_set_xdp_1 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT" +${FROM_NS} ${BFCLI} chain set --name chain_set_tc_0 --from-str "chain chain_set_tc_0 BF_HOOK_TC_INGRESS ACCEPT chain chain_set_tc_1 BF_HOOK_TC_INGRESS ACCEPT" +${FROM_NS} ${BFCLI} chain set --name chain_set_tc_2 --from-str "chain chain_set_tc_2 BF_HOOK_TC_EGRESS{ifindex=${NS_IFINDEX}} ACCEPT chain chain_set_tc_3 BF_HOOK_TC_INGRESS ACCEPT" +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_set_xdp_0 BF_HOOK_NF_LOCAL_IN ACCEPT" +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_set_tc_0 BF_HOOK_NF_LOCAL_IN{family=inet4,priorities=101-102} ACCEPT" +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_set_xdp_1 BF_HOOK_NF_LOCAL_IN ACCEPT" +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_set_tc_2 BF_HOOK_NF_LOCAL_IN{family=inet4,priorities=103-104} ACCEPT" +${FROM_NS} ${BFCLI} chain flush --name chain_set_xdp_0 +${FROM_NS} ${BFCLI} chain flush --name chain_set_xdp_1 +${FROM_NS} ${BFCLI} chain flush --name chain_set_tc_0 +${FROM_NS} ${BFCLI} chain flush --name chain_set_tc_2 +(! ${FROM_NS} ${BFCLI} chain get --name chain_set_tc_2) \ No newline at end of file diff --git a/tests/e2e/cli/chain_update.sh b/tests/e2e/cli/chain_update.sh index 7361b4eaf..b9200a93d 100755 --- a/tests/e2e/cli/chain_update.sh +++ b/tests/e2e/cli/chain_update.sh 
@@ -3,37 +3,36 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter # Failures -(! ${FROM_NS} bfcli chain update --from-str "") -(! ${FROM_NS} bfcli chain update --name invalid_name --from-str "chain chain_load_xdp_0 BF_HOOK_XDP ACCEPT") -(! ${FROM_NS} bfcli chain update --name chain_load_xdp_1 --from-str "chain chain_load_xdp_1 BF_HOOK_XDP ACCEPT") +(! ${FROM_NS} ${BFCLI} chain update --from-str "") +(! ${FROM_NS} ${BFCLI} chain update --name invalid_name --from-str "chain chain_load_xdp_0 BF_HOOK_XDP ACCEPT") +(! ${FROM_NS} ${BFCLI} chain update --name chain_load_xdp_1 --from-str "chain chain_load_xdp_1 BF_HOOK_XDP ACCEPT") # Chain exists and is not attached -${FROM_NS} bfcli chain set --from-str "chain chain_load_xdp_2 BF_HOOK_XDP ACCEPT" -${FROM_NS} bfcli chain update --from-str "chain chain_load_xdp_2 BF_HOOK_XDP DROP" -${FROM_NS} bfcli chain flush --name chain_load_xdp_2 +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_load_xdp_2 BF_HOOK_XDP ACCEPT" +${FROM_NS} ${BFCLI} chain update --from-str "chain chain_load_xdp_2 BF_HOOK_XDP DROP" +${FROM_NS} ${BFCLI} chain flush --name chain_load_xdp_2 # Chain exists and is attached -${FROM_NS} bfcli chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT" +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT" ping -c 1 -W 0.1 ${NS_IP_ADDR} -${FROM_NS} bfcli chain update --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log transport counter DROP" +${FROM_NS} ${BFCLI} chain update --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log transport counter DROP" (! 
ping -c 1 -W 0.1 ${NS_IP_ADDR}) -${FROM_NS} bfcli chain update --name chain_load_xdp_3 --from-str "chain chain_load_xdp_3 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT" +${FROM_NS} ${BFCLI} chain update --name chain_load_xdp_3 --from-str "chain chain_load_xdp_3 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT" ping -c 1 -W 0.1 ${NS_IP_ADDR} -${FROM_NS} bfcli chain flush --name chain_load_xdp_3 +${FROM_NS} ${BFCLI} chain flush --name chain_load_xdp_3 # Counters are reset after chain update -${FROM_NS} bfcli chain set --from-str "chain chain_load_xdp_4 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_load_xdp_4 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp counter DROP " (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) counter=$(${FROM_NS} bpftool map dump pinned ${WORKDIR}/bpf/bpfilter/chain_load_xdp_4/bf_cmap | jq '.[0].value.count') test "$counter" = "1" -${FROM_NS} bfcli chain update --from-str "chain chain_load_xdp_4 BF_HOOK_XDP ACCEPT +${FROM_NS} ${BFCLI} chain update --from-str "chain chain_load_xdp_4 BF_HOOK_XDP ACCEPT rule ip4.proto icmp counter DROP " counter=$(${FROM_NS} bpftool map dump pinned ${WORKDIR}/bpf/bpfilter/chain_load_xdp_4/bf_cmap | jq '.[0].value.count') test "$counter" = "0" -${FROM_NS} bfcli chain flush --name chain_load_xdp_4 +${FROM_NS} ${BFCLI} chain flush --name chain_load_xdp_4 diff --git a/tests/e2e/cli/chain_update_set.sh b/tests/e2e/cli/chain_update_set.sh index c13957776..65c1d54bd 100755 --- a/tests/e2e/cli/chain_update_set.sh +++ b/tests/e2e/cli/chain_update_set.sh @@ -2,10 +2,9 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter # Adding new elements -${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT +${FROM_NS} ${BFCLI} chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT set blocked_ips (ip4.saddr) in { 10.0.0.1; 10.0.0.2 
@@ -16,12 +15,12 @@ ${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_I DROP " -${FROM_NS} bfcli chain update-set \ +${FROM_NS} ${BFCLI} chain update-set \ --name test_xdp \ --set-name blocked_ips \ --add 10.0.0.3 --add 10.0.0.4 -chain_output=$(${FROM_NS} bfcli chain get --name test_xdp) +chain_output=$(${FROM_NS} ${BFCLI} chain get --name test_xdp) echo "$chain_output" echo "$chain_output" | grep -q '10.0.0.1' echo "$chain_output" | grep -q '10.0.0.2' @@ -29,7 +28,7 @@ echo "$chain_output" | grep -q '10.0.0.3' echo "$chain_output" | grep -q '10.0.0.4' # Removing elements -${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT +${FROM_NS} ${BFCLI} chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT set blocked_ips (ip4.saddr) in { 10.0.0.1; 10.0.0.2; @@ -42,12 +41,12 @@ ${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_I DROP " -${FROM_NS} bfcli chain update-set \ +${FROM_NS} ${BFCLI} chain update-set \ --name test_xdp \ --set-name blocked_ips \ --remove 10.0.0.3 --remove 10.0.0.4 -chain_output=$(${FROM_NS} bfcli chain get --name test_xdp) +chain_output=$(${FROM_NS} ${BFCLI} chain get --name test_xdp) echo "$chain_output" echo "$chain_output" | grep -q '10.0.0.1' echo "$chain_output" | grep -q '10.0.0.2' @@ -55,7 +54,7 @@ echo "$chain_output" | grep -q '10.0.0.2' (! echo "$chain_output" | grep -q '10.0.0.4') # Adding and removing in one operation -${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT +${FROM_NS} ${BFCLI} chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT set blocked_ips (ip4.saddr) in { 10.0.0.1; 10.0.0.2 
@@ -66,13 +65,13 @@ ${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_I DROP " -${FROM_NS} bfcli chain update-set \ +${FROM_NS} ${BFCLI} chain update-set \ --name test_xdp \ --set-name blocked_ips \ --add 10.0.0.3 --add 10.0.0.4 \ --remove 10.0.0.1 --remove 10.0.0.4 -chain_output=$(${FROM_NS} bfcli chain get --name test_xdp) +chain_output=$(${FROM_NS} ${BFCLI} chain get --name test_xdp) echo "$chain_output" (! echo "$chain_output" | grep -q '10.0.0.1') echo "$chain_output" | grep -q '10.0.0.2' @@ -80,7 +79,7 @@ echo "$chain_output" | grep -q '10.0.0.3' (! echo "$chain_output" | grep -q '10.0.0.4') # Trying to update non-existent set should fail -${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT +${FROM_NS} ${BFCLI} chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT set blocked_ips (ip4.saddr) in { 10.0.0.1; 10.0.0.2 @@ -91,18 +90,18 @@ ${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_I DROP " -(! ${FROM_NS} bfcli chain update-set \ +(! ${FROM_NS} ${BFCLI} chain update-set \ --name test_xdp \ --set-name nonexistent_set \ --add 10.0.0.3 2>&1) -chain_output=$(${FROM_NS} bfcli chain get --name test_xdp) +chain_output=$(${FROM_NS} ${BFCLI} chain get --name test_xdp) echo "$chain_output" echo "$chain_output" | grep -q '10.0.0.1' echo "$chain_output" | grep -q '10.0.0.2' # Trying to update with mismatched key format should fail -${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT +${FROM_NS} ${BFCLI} chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT set blocked_ips (ip4.saddr) in { 10.0.0.1; 10.0.0.2 
@@ -113,18 +112,18 @@ ${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_I DROP " -(! ${FROM_NS} bfcli chain update-set \ +(! ${FROM_NS} ${BFCLI} chain update-set \ --name test_xdp \ --set-name blocked_ips \ --add 10.0.0.1,tcp 2>&1) -chain_output=$(${FROM_NS} bfcli chain get --name test_xdp) +chain_output=$(${FROM_NS} ${BFCLI} chain get --name test_xdp) echo "$chain_output" echo "$chain_output" | grep -q '10.0.0.1' echo "$chain_output" | grep -q '10.0.0.2' # Trying to update with nothing to add or remove should fail -${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT +${FROM_NS} ${BFCLI} chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT set blocked_ips (ip4.saddr) in { 10.0.0.1; 10.0.0.2 @@ -135,12 +134,12 @@ ${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_I DROP " -(! ${FROM_NS} bfcli chain update-set \ +(! ${FROM_NS} ${BFCLI} chain update-set \ --name test_xdp \ --set-name blocked_ips 2>&1) # Trying to add duplicate elements is no-op -${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT +${FROM_NS} ${BFCLI} chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT set blocked_ips (ip4.saddr) in { 10.0.0.1 } @@ -150,12 +149,12 @@ ${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_I DROP " -${FROM_NS} bfcli chain update-set \ +${FROM_NS} ${BFCLI} chain update-set \ --name test_xdp \ --set-name blocked_ips \ --add 10.0.0.1 -chain_output=$(${FROM_NS} bfcli chain get --name test_xdp) +chain_output=$(${FROM_NS} ${BFCLI} chain get --name test_xdp) echo "$chain_output" count=$(echo "$chain_output" | grep -o '10.0.0.1' | wc -l) if [ "$count" -ne 1 ]; then 
@@ -164,7 +163,7 @@ if [ "$count" -ne 1 ]; then fi # Works with compound keys -${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT +${FROM_NS} ${BFCLI} chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT set blocked_addrs (ip4.saddr, tcp.sport) in { 10.0.0.1, 10001; 10.0.0.2, 10002 @@ -175,12 +174,12 @@ ${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_I DROP " -${FROM_NS} bfcli chain update-set \ +${FROM_NS} ${BFCLI} chain update-set \ --name test_xdp \ --set-name blocked_addrs \ --add 10.0.0.3,10003 --add '10.0.0.4, 10004' -chain_output=$(${FROM_NS} bfcli chain get --name test_xdp) +chain_output=$(${FROM_NS} ${BFCLI} chain get --name test_xdp) echo "$chain_output" echo "$chain_output" | grep -q '10.0.0.1, 10001' echo "$chain_output" | grep -q '10.0.0.2, 10002' @@ -188,23 +187,23 @@ echo "$chain_output" | grep -q '10.0.0.3, 10003' echo "$chain_output" | grep -q '10.0.0.4, 10004' # Unattached chain can be updated -${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP ACCEPT +${FROM_NS} ${BFCLI} chain set --from-str "chain test_xdp BF_HOOK_XDP ACCEPT set test_set (ip4.saddr) in { 10.0.0.1 } rule (ip4.saddr) in test_set ACCEPT " -${FROM_NS} bfcli chain update-set \ +${FROM_NS} ${BFCLI} chain update-set \ --name test_xdp \ --set-name test_set \ --add 10.0.0.2 -chain_output=$(${FROM_NS} bfcli chain get --name test_xdp) +chain_output=$(${FROM_NS} ${BFCLI} chain get --name test_xdp) echo "$chain_output" echo "$chain_output" | grep -q '10.0.0.1' echo "$chain_output" | grep -q '10.0.0.2' # Counters are preserved after update-set for both set and non-set rules -${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT +${FROM_NS} ${BFCLI} chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT set blocked_ips (ip4.saddr) in { 10.0.0.1 } 
@@ -220,13 +219,13 @@ ${FROM_NS} bfcli chain set --from-str "chain test_xdp BF_HOOK_XDP{ifindex=${NS_I " (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) -${FROM_NS} bfcli chain update-set \ +${FROM_NS} ${BFCLI} chain update-set \ --name test_xdp \ --set-name blocked_ips \ --add ${HOST_IP_ADDR} (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) -${FROM_NS} bfcli chain update-set \ +${FROM_NS} ${BFCLI} chain update-set \ --name test_xdp \ --set-name blocked_ips \ --add 10.0.0.2 @@ -235,4 +234,4 @@ counter=$(${FROM_NS} bpftool map dump pinned ${WORKDIR}/bpf/bpfilter/test_xdp/bf test "$counter" = "1" counter=$(${FROM_NS} bpftool map dump pinned ${WORKDIR}/bpf/bpfilter/test_xdp/bf_cmap | jq '.[1].value.count') test "$counter" = "1" -${FROM_NS} bfcli chain flush --name test_xdp +${FROM_NS} ${BFCLI} chain flush --name test_xdp diff --git a/tests/e2e/cli/hookopts.sh b/tests/e2e/cli/hookopts.sh index 6161a97e7..721a0abb0 100755 --- a/tests/e2e/cli/hookopts.sh +++ b/tests/e2e/cli/hookopts.sh 
@@ -3,7 +3,7 @@ . "$(dirname "$0")"/../e2e_test_util.sh # Disallow duplicated hook options -(! bfcli ruleset set --dry-run --from-str "chain ifindex BF_HOOK_XDP{ifindex=2,ifindex=3} ACCEPT") -(! bfcli ruleset set --dry-run --from-str "chain cgpath BF_HOOK_CGROUP_SKB_INGRESS{cgpath=/sys/fs/cgroup,cgpath=/sys/fs/cgroup} ACCEPT") -(! bfcli ruleset set --dry-run --from-str "chain family BF_HOOK_NF_LOCAL_IN{family=inet4,family=inet6} ACCEPT") -(! bfcli ruleset set --dry-run --from-str "chain priorities BF_HOOK_NF_LOCAL_IN{priorities=1-2,priorities=3-4} ACCEPT") \ No newline at end of file +(! ${BFCLI} ruleset set --dry-run --from-str "chain ifindex BF_HOOK_XDP{ifindex=2,ifindex=3} ACCEPT") +(! ${BFCLI} ruleset set --dry-run --from-str "chain cgpath BF_HOOK_CGROUP_SKB_INGRESS{cgpath=/sys/fs/cgroup,cgpath=/sys/fs/cgroup} ACCEPT") +(! ${BFCLI} ruleset set --dry-run --from-str "chain family BF_HOOK_NF_LOCAL_IN{family=inet4,family=inet6} ACCEPT") +(! ${BFCLI} ruleset set --dry-run --from-str "chain priorities BF_HOOK_NF_LOCAL_IN{priorities=1-2,priorities=3-4} ACCEPT") \ No newline at end of file diff --git a/tests/e2e/cli/nf_inet_dual_stack.sh b/tests/e2e/cli/nf_inet_dual_stack.sh index 4cb5106b9..c7658d610 100755 --- a/tests/e2e/cli/nf_inet_dual_stack.sh +++ b/tests/e2e/cli/nf_inet_dual_stack.sh @@ -3,13 +3,12 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter # Verify IPv4 connectivity before filtering ping -c 1 -W 0.1 ${NS_IP_ADDR} # Attach NF chain - this should create both inet4 and inet6 links -${FROM_NS} bfcli chain set --from-str "chain nf_dual_0 BF_HOOK_NF_LOCAL_IN{priorities=101-102} ACCEPT rule ip4.proto icmp counter DROP" +${FROM_NS} ${BFCLI} chain set --from-str "chain nf_dual_0 BF_HOOK_NF_LOCAL_IN{priorities=101-102} ACCEPT rule ip4.proto icmp counter DROP" (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) # Verify that both inet4 and inet6 BPF links were created (bf_link + bf_link_extra) 
@@ -21,7 +20,7 @@ if [ "${LINK_COUNT}" -ne 2 ]; then fi # Update the chain and verify both families remain attached -${FROM_NS} bfcli chain update --name nf_dual_0 --from-str "chain nf_dual_0 BF_HOOK_NF_LOCAL_IN ACCEPT rule ip4.proto icmp counter DROP" +${FROM_NS} ${BFCLI} chain update --name nf_dual_0 --from-str "chain nf_dual_0 BF_HOOK_NF_LOCAL_IN ACCEPT rule ip4.proto icmp counter DROP" # IPv4 should still be blocked after update (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) @@ -35,7 +34,7 @@ if [ "${LINK_COUNT_AFTER}" -ne 2 ]; then fi # Flush the chain and verify connectivity is restored -${FROM_NS} bfcli chain flush --name nf_dual_0 +${FROM_NS} ${BFCLI} chain flush --name nf_dual_0 ping -c 1 -W 0.1 ${NS_IP_ADDR} # Verify links are removed after flush diff --git a/tests/e2e/cli/options_error.sh b/tests/e2e/cli/options_error.sh index d43c2f17e..838f45b7f 100755 --- a/tests/e2e/cli/options_error.sh +++ b/tests/e2e/cli/options_error.sh @@ -2,22 +2,22 @@ . "$(dirname "$0")"/../e2e_test_util.sh -(! bfcli ruleset set --from-str "" --from-file "") -(! bfcli ruleset set) +(! ${BFCLI} ruleset set --from-str "" --from-file "") +(! ${BFCLI} ruleset set) -(! bfcli chain set --from-str "" --from-file "") -(! bfcli chain set) +(! ${BFCLI} chain set --from-str "" --from-file "") +(! ${BFCLI} chain set) -(! bfcli chain get) +(! ${BFCLI} chain get) -(! bfcli chain logs) +(! ${BFCLI} chain logs) -(! bfcli chain load --from-str "" --from-file "") -(! bfcli chain load) +(! ${BFCLI} chain load --from-str "" --from-file "") +(! ${BFCLI} chain load) -(! bfcli chain attach) +(! ${BFCLI} chain attach) -(! bfcli chain attach --from-str "" --from-file "") -(! bfcli chain attach) +(! ${BFCLI} chain attach --from-str "" --from-file "") +(! ${BFCLI} chain attach) -(! bfcli chain flush) \ No newline at end of file +(! ${BFCLI} chain flush) \ No newline at end of file diff --git a/tests/e2e/cli/ruleset.sh b/tests/e2e/cli/ruleset.sh index 60bf654a5..224f4a5ec 100755 --- a/tests/e2e/cli/ruleset.sh 
+++ b/tests/e2e/cli/ruleset.sh @@ -3,10 +3,9 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter -${FROM_NS} bfcli ruleset set --from-str "chain ruleset_set_xdp_0 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT chain ruleset_set_xdp_1 BF_HOOK_XDP DROP chain ruleset_set_tc_0 BF_HOOK_NF_LOCAL_IN{family=inet4,priorities=103-104} ACCEPT" -${FROM_NS} bfcli chain flush --name ruleset_set_xdp_0 -${FROM_NS} bfcli ruleset get -${FROM_NS} bfcli ruleset set --from-str "chain ruleset_set_xdp_0 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT chain ruleset_set_xdp_1 BF_HOOK_XDP DROP chain ruleset_set_tc_0 BF_HOOK_NF_LOCAL_IN{family=inet4,priorities=103-104} ACCEPT" -${FROM_NS} bfcli ruleset flush \ No newline at end of file +${FROM_NS} ${BFCLI} ruleset set --from-str "chain ruleset_set_xdp_0 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT chain ruleset_set_xdp_1 BF_HOOK_XDP DROP chain ruleset_set_tc_0 BF_HOOK_NF_LOCAL_IN{family=inet4,priorities=103-104} ACCEPT" +${FROM_NS} ${BFCLI} chain flush --name ruleset_set_xdp_0 +${FROM_NS} ${BFCLI} ruleset get +${FROM_NS} ${BFCLI} ruleset set --from-str "chain ruleset_set_xdp_0 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT chain ruleset_set_xdp_1 BF_HOOK_XDP DROP chain ruleset_set_tc_0 BF_HOOK_NF_LOCAL_IN{family=inet4,priorities=103-104} ACCEPT" +${FROM_NS} ${BFCLI} ruleset flush \ No newline at end of file diff --git a/tests/e2e/daemon/already_running.sh b/tests/e2e/daemon/already_running.sh deleted file mode 100755 index 21dc4bb3b..000000000 --- a/tests/e2e/daemon/already_running.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/env bash - -. "$(dirname "$0")"/../e2e_test_util.sh - -make_sandbox -start_bpfilter - -(! ${FROM_NS} ${WITH_TIMEOUT} ${BPFILTER}) \ No newline at end of file diff --git a/tests/e2e/daemon/host_to_netns.sh b/tests/e2e/daemon/host_to_netns.sh deleted file mode 100755 index 9b23da2b5..000000000 --- a/tests/e2e/daemon/host_to_netns.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/usr/bin/env bash - -. "$(dirname "$0")"/../e2e_test_util.sh - -make_sandbox -start_bpfilter - -(! ${FROM_NS} bfcli ruleset set --from-str "chain xdp BF_HOOK_XDP{ifindex=${HOST_IFINDEX}} ACCEPT rule ip4.proto icmp log link counter DROP") -ping -c 1 -W 0.1 ${NS_IP_ADDR} -${FROM_NS} bfcli ruleset set --from-str "chain xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp counter DROP" -(! ping -c 1 -W 0.1 ${NS_IP_ADDR}) -${FROM_NS} bfcli chain get --name xdp | awk '/ip4.proto eq icmp/{getline; print $2}' | grep -q "^1$" && exit 0 || exit 1 -${FROM_NS} bfcli ruleset flush \ No newline at end of file diff --git a/tests/e2e/daemon/netns_to_host.sh b/tests/e2e/daemon/netns_to_host.sh deleted file mode 100755 index 579f33311..000000000 --- a/tests/e2e/daemon/netns_to_host.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/usr/bin/env bash - -. "$(dirname "$0")"/../e2e_test_util.sh - -make_sandbox -start_bpfilter - -(! ${FROM_NS} bfcli ruleset set --from-str "chain xdp BF_HOOK_XDP{ifindex=${HOST_IFINDEX}} ACCEPT rule ip4.proto icmp log link,transport counter DROP") -${FROM_NS} ping -c 1 -W 0.1 ${HOST_IP_ADDR} -${FROM_NS} bfcli ruleset set --from-str "chain tc BF_HOOK_TC_INGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp log link,internet counter DROP" -(! ping -c 1 -W 0.1 ${NS_IP_ADDR}) -${FROM_NS} bfcli chain get --name tc | awk '/log link,internet/{getline; print $2}' | grep -q "^1$" -${FROM_NS} bfcli ruleset flush diff --git a/tests/e2e/daemon/pin_updated_chain.sh b/tests/e2e/daemon/pin_updated_chain.sh deleted file mode 100755 index 0ad56d644..000000000 --- a/tests/e2e/daemon/pin_updated_chain.sh +++ /dev/null 
@@ -1,24 +0,0 @@ -#!/usr/bin/env bash - -. "$(dirname "$0")"/../e2e_test_util.sh - -make_sandbox - -PINNED_PROG="${WORKDIR}/bpf/bpfilter/test_chain/bf_prog" - -start_bpfilter - ${FROM_NS} bfcli chain set --from-str "chain test_chain BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT" - ${FROM_NS} ping -c 1 -W 0.1 ${NS_IP_ADDR} - ${FROM_NS} bfcli ruleset get | grep "^chain" | awk 'END{exit NR!=1}' - ${FROM_NS} test -e ${PINNED_PROG} - - ${FROM_NS} bfcli chain update --from-str "chain test_chain BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule meta.l4_proto eq icmp DROP" - (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) - ${FROM_NS} bfcli ruleset get | grep "^chain" | awk 'END{exit NR!=1}' - ${FROM_NS} test -e ${PINNED_PROG} -stop_bpfilter --skip-cleanup - -start_bpfilter - ${FROM_NS} bfcli ruleset get | grep "^chain" | awk 'END{exit NR!=1}' - ${FROM_NS} test -e ${PINNED_PROG} -stop_bpfilter \ No newline at end of file diff --git a/tests/e2e/daemon/restore_attached.sh b/tests/e2e/daemon/restore_attached.sh deleted file mode 100755 index 66a2f53f4..000000000 --- a/tests/e2e/daemon/restore_attached.sh +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/usr/bin/env bash - -. "$(dirname "$0")"/../e2e_test_util.sh - -make_sandbox - -start_bpfilter - ${FROM_NS} bfcli chain set --from-str "chain test_chain BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT" - ping -c 1 -W 0.1 ${NS_IP_ADDR} -stop_bpfilter --skip-cleanup - -start_bpfilter - # Ensure it's restored as attached with the correct ifindex - chain_output=$(${FROM_NS} bfcli chain get --name test_chain) - echo "$chain_output" - echo "$chain_output" | grep -q "ifindex=${NS_IFINDEX}" - - # Attached chains with sets: set elements and filtering survive a restart - ${FROM_NS} bfcli chain set --from-str "chain test_chain BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT - set myset (ip4.saddr) in { ${HOST_IP_ADDR}; 192.168.1.2 } - set empty_set (ip4.saddr) in {} - rule (ip4.saddr) in myset counter DROP - rule (ip4.saddr) in empty_set ACCEPT" - (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) -stop_bpfilter --skip-cleanup - -start_bpfilter - chain_output=$(${FROM_NS} bfcli chain get --name test_chain) - echo "$chain_output" - echo "$chain_output" | grep -q "${HOST_IP_ADDR}" - echo "$chain_output" | grep -q "192.168.1.2" - echo "$chain_output" | grep -q "empty_set" - (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) -stop_bpfilter diff --git a/tests/e2e/daemon/restore_non_attached.sh b/tests/e2e/daemon/restore_non_attached.sh deleted file mode 100755 index 4d2325aa3..000000000 --- a/tests/e2e/daemon/restore_non_attached.sh +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/usr/bin/env bash - -. "$(dirname "$0")"/../e2e_test_util.sh - -make_sandbox - -start_bpfilter - ${FROM_NS} bfcli chain set --from-str "chain test_chain BF_HOOK_XDP ACCEPT" -stop_bpfilter --skip-cleanup - -start_bpfilter - ${FROM_NS} bfcli chain attach --name test_chain --option ifindex=${NS_IFINDEX} - - # Non-attached chains with sets: set elements survive a restart, and the - # chain can be attached afterward - ${FROM_NS} bfcli chain set --from-str "chain test_chain BF_HOOK_XDP ACCEPT - set myset (ip4.saddr) in { ${HOST_IP_ADDR}; 192.168.1.2 } - set empty_set (ip4.saddr) in {} - rule (ip4.saddr) in myset counter DROP - rule (ip4.saddr) in empty_set ACCEPT" - - ping -c 1 -W 0.1 ${NS_IP_ADDR} -stop_bpfilter --skip-cleanup - -start_bpfilter - chain_output=$(${FROM_NS} bfcli chain get --name test_chain) - echo "$chain_output" - echo "$chain_output" | grep -q "${HOST_IP_ADDR}" - echo "$chain_output" | grep -q "192.168.1.2" - echo "$chain_output" | grep -q "empty_set" - - ${FROM_NS} bfcli chain attach --name test_chain --option ifindex=${NS_IFINDEX} - (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) -stop_bpfilter diff --git a/tests/e2e/daemon/sock_exists.sh b/tests/e2e/daemon/sock_exists.sh deleted file mode 100755 index f7441c83d..000000000 --- a/tests/e2e/daemon/sock_exists.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/env bash - -. "$(dirname "$0")"/../e2e_test_util.sh - -make_sandbox - -${FROM_NS} mkdir -p /run/bpfilter -${FROM_NS} touch /run/bpfilter/daemon.sock -${FROM_NS} ${WITH_TIMEOUT} ${BPFILTER} \ No newline at end of file diff --git a/tests/e2e/e2e_test_util.sh b/tests/e2e/e2e_test_util.sh index 335ae9b73..e7ed8e3fd 100755 --- a/tests/e2e/e2e_test_util.sh +++ b/tests/e2e/e2e_test_util.sh 
@@ -14,9 +14,6 @@ _OCTET3=$(( _TEST_HASH & 0xFF )) _SHORT_ID=$(( _TEST_HASH & 0xFFFF )) WORKDIR="/tmp/bpfilter.e2e.${_TEST_NAME}" -_UNIT_NAME="bpfilter-e2e-${_TEST_NAME}" -BF_OUTPUT_FILE=${WORKDIR}/bf.log -BPFILTER_PID= NETNS_NAME="bftest_${_TEST_NAME}" VETH_HOST="veth_h_${_SHORT_ID}" @@ -28,10 +25,8 @@ NS_IP_ADDR="10.${_OCTET2}.${_OCTET3}.2" HOST_IFINDEX= NS_IFINDEX= -# Tested binaries +# Tested binaries BFCLI=bfcli -_BPFILTER=$(command -v bpfilter) -BPFILTER= # bpfilter command to use in tests (includes the required options) RULESETS_DIR=. ################################################################################ @@ -68,7 +63,8 @@ make_sandbox() { mount -t bpf bpf ${WORKDIR}/bpf " - BPFILTER="${_BPFILTER} --verbose debug --bpffs-path ${WORKDIR}/bpf" + export BF_BPFFS_PATH=${WORKDIR}/bpf + BFCLI="bfcli --bpffs-path ${BF_BPFFS_PATH}" FROM_NS="nsenter --mount=${WORKDIR}/ns/mnt --net=/var/run/netns/${NETNS_NAME}" @@ -85,7 +81,7 @@ make_sandbox() { ip netns exec ${NETNS_NAME} ip link set ${VETH_NS} up ip netns exec ${NETNS_NAME} ip link set lo up - # Log environment details + # Log environment details HOST_IFINDEX=$(ip -o link show ${VETH_HOST} | awk '{print $1}' | cut -d: -f1) NS_IFINDEX=$(ip netns exec ${NETNS_NAME} ip -o link show ${VETH_NS} | awk '{print $1}' | cut -d: -f1) @@ -96,14 +92,13 @@ make_sandbox() { echo " ${NS_IFINDEX}: ${VETH_NS} @ ${NS_IP_ADDR}" echo " Tested binaries" echo " bfcli: ${BFCLI}" - echo " bpfilter: ${_BPFILTER}" echo " rulesets-dir: ${RULESETS_DIR}" } destroy_sandbox() { echo "Cleanup the sandbox" - # netns should be unmounted AND deleted + # netns should be unmounted AND deleted umount /var/run/netns/${NETNS_NAME} || true ip netns delete ${NETNS_NAME} || true 
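Review bot: `export BF_BPFFS_PATH=${WORKDIR}/bpf` followed by `BFCLI="bfcli --bpffs-path ${BF_BPFFS_PATH}"` configures the same path twice, so the tests cannot tell whether the flag or the environment variable is what the CLI honours (whether bfcli reads `BF_BPFFS_PATH` at all is not visible here); keep one, or add `# --bpffs-path is authoritative; BF_BPFFS_PATH is for tools invoked without ${BFCLI}` above the pair. Now that the variable exists, the pinned-map lookups in chain_update.sh and chain_update_set.sh that still spell `${WORKDIR}/bpf/bpfilter/...` could read `${BF_BPFFS_PATH}/bpfilter/...` so the bpffs location is defined in one place. The `# Tested binaries`, `# Log environment details` and `# netns should be unmounted AND deleted` lines appear as removed-then-added with no visible difference, which suggests a whitespace-only change that does not belong in this commit.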
@@ -112,58 +107,9 @@ destroy_sandbox() { umount ${WORKDIR}/ns || true rm -rf ${WORKDIR} || true - - IN_SANDBOX=0 -} - -start_bpfilter() { - echo "Start bpfilter" - - local timeout=10 - local start_time=$(date +%s) - local end_time=$((start_time + timeout)) - - ${FROM_NS} ${BPFILTER} > ${BF_OUTPUT_FILE} 2>&1 & - BPFILTER_PID=$! - - # Wait for the daemon to listen to the requests - while [ $(date +%s) -lt $end_time ]; do - if grep -q "waiting for requests" "${BF_OUTPUT_FILE}"; then - return 0 - fi - sleep 0.1 - done - - return 1 -} - -stop_bpfilter() { - local skip_cleanup=0 - - while [[ $# -gt 0 ]]; do - case "$1" in - --skip-cleanup) - skip_cleanup=1 - shift - ;; - *) - shift - ;; - esac - done - - echo "Stop bpfilter" - - bfcli ruleset flush || true - kill $BPFILTER_PID 2>/dev/null || true - wait $BPFILTER_PID || true - - echo "========== bpfilter output ==========" - cat "$BF_OUTPUT_FILE" || true } cleanup() { - stop_bpfilter destroy_sandbox } @@ -178,7 +124,5 @@ trap 'cleanup 1; exit 1' INT TERM # ################################################################################ -WITH_TIMEOUT="timeout --signal INT --preserve-status .5" - cleanup -mkdir -p ${WORKDIR} \ No newline at end of file +mkdir -p ${WORKDIR} diff --git a/tests/e2e/matchers/icmp_code.sh b/tests/e2e/matchers/icmp_code.sh index 8c1698ffc..2d9edec6e 100755 --- a/tests/e2e/matchers/icmp_code.sh +++ b/tests/e2e/matchers/icmp_code.sh 
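Review bot: cleanup() now goes straight to destroy_sandbox, dropping the `ruleset flush || true` that stop_bpfilter used to run first, so a test that dies midway relies entirely on the netns teardown and the bpffs unmount (the top of destroy_sandbox is outside the hunk) to detach whatever chains it left behind. If an explicit flush is still wanted, guard it so the non-sandbox tests never run it against the host's default bpffs: `[ -n "${FROM_NS}" ] && ${FROM_NS} ${BFCLI} ruleset flush || true` — this assumes FROM_NS is empty until make_sandbox sets it, which should be confirmed at the top of the file. The hunk also removes `IN_SANDBOX=0` from destroy_sandbox; if make_sandbox (outside the hunk) still sets `IN_SANDBOX=1`, that assignment is now dead and should go too.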
@@ -2,28 +2,28 @@ . "$(dirname "$0")"/../e2e_test_util.sh -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 0 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 10 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 255 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 0x00 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 0x17 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 0xff counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 0 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 10 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 255 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 0x00 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 0x17 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 0xff counter DROP" -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq auf counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq -1 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 257 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq -0x01 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq -0xff counter DROP") +(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq auf counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq -1 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq 257 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq -0x01 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code eq -0xff counter DROP") -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 0 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 10 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 255 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 0x00 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 0x17 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 0xff counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 0 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 10 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 255 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 0x00 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 0x17 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 0xff counter DROP" -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not auf counter DROP") -(! 
bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not -1 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 257 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not -0x01 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not -0xff counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not auf counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not -1 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not 257 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not -0x01 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.code not -0xff counter DROP") diff --git a/tests/e2e/matchers/icmp_type.sh b/tests/e2e/matchers/icmp_type.sh index 05d8709d3..f3e61cd28 100755 --- a/tests/e2e/matchers/icmp_type.sh +++ b/tests/e2e/matchers/icmp_type.sh 
@@ -2,24 +2,24 @@ . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq echo-reply counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq router-advertisement counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq 0x23 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq 14 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq echo-reply counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq router-advertisement counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq 0x23 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq 14 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq echo-repl counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq r counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq 0xf23 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq -14 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq 45574614 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq echo-repl counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq r counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq 0xf23 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq -14 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type eq 45574614 counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not echo-reply counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not router-advertisement counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not 0x23 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not 14 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not echo-reply counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not router-advertisement counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not 0x23 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not 14 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not echo-repl counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not r counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not 0xf23 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not -14 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not 45574614 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not echo-repl counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not r counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not 0xf23 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not -14 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmp.type not 45574614 counter DROP")
diff --git a/tests/e2e/matchers/icmpv6_code.sh b/tests/e2e/matchers/icmpv6_code.sh
index 028318430..4e58a7549 100755
--- a/tests/e2e/matchers/icmpv6_code.sh
+++ b/tests/e2e/matchers/icmpv6_code.sh
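Review bot: The negative cases in this hunk, `(! ${BFCLI} ruleset set ...)`, now also pass when `${BFCLI}` cannot run at all, because an unset or mis-pointed BFCLI yields the same non-zero status as a rejected rule, so a misconfigured environment reads as "parser correctly rejected the input". Presumably e2e_test_util.sh exports BFCLI, but that is not visible here; a guard right after the sourcing line, `: "${BFCLI:?BFCLI must point to the bfcli binary}"`, or the equivalent check inside the shared util, would turn that silent pass into an explicit failure. Leaving the expansion unquoted looks intentional (it permits a multi-word wrapper command), so the guard rather than quoting is the lighter fix. The same point applies to the icmpv6_code, icmpv6_type, ip4_daddr, ip4_dnet, ip4_dscp, ip4_proto and ip4_saddr hunks below.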
@@ -2,28 +2,28 @@ . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 10 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 255 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 0x00 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 0x17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 0xff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 10 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 0x00 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 0x17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 0xff counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq auf counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq -1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 257 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq -0x01 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq -0xffff counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq auf counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq -1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq 257 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq -0x01 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code eq -0xffff counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 10 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 255 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 0x00 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 0x17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 0xff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 10 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 0x00 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 0x17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 0xff counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not auf counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not -1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 257 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not -0x01 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not -0xffff counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not auf counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not -1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not 257 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not -0x01 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.code not -0xffff counter DROP")
diff --git a/tests/e2e/matchers/icmpv6_type.sh b/tests/e2e/matchers/icmpv6_type.sh
index 9d65bb3bb..5f7e44de2 100755
--- a/tests/e2e/matchers/icmpv6_type.sh
+++ b/tests/e2e/matchers/icmpv6_type.sh
@@ -2,24 +2,24 @@ . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq mld-listener-report counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq echo-request counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq 0x23 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq 14 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq mld-listener-report counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq echo-request counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq 0x23 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq 14 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq echo-repl counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq r counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq 0xf23 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq -14 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq 45574614 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq echo-repl counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq r counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq 0xf23 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq -14 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type eq 45574614 counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not mld-listener-report counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not echo-request counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not 0x23 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not 14 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not mld-listener-report counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not echo-request counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not 0x23 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not 14 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not echo-repl counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not r counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not 0xf23 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not -14 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not 45574614 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not echo-repl counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not r counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not 0xf23 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not -14 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule icmpv6.type not 45574614 counter DROP")
diff --git a/tests/e2e/matchers/ip4_daddr.sh b/tests/e2e/matchers/ip4_daddr.sh
index 0666b8bb1..ac99429dc 100755
--- a/tests/e2e/matchers/ip4_daddr.sh
+++ b/tests/e2e/matchers/ip4_daddr.sh
@@ -2,18 +2,18 @@ . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq 1.1.1.1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq 255.255.255.255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq 1.1.1.1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq 255.255.255.255 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq 1.1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq 1.1.1.1/24 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq -1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq 1.1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq 1.1.1.1/24 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr eq -1.1.1.1 counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr not 1.1.1.1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr not 255.255.255.255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr not 1.1.1.1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr not 255.255.255.255 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr not notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr not 1.1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr not 1.1.1.1/24 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr not -1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr not notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr not 1.1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr not 1.1.1.1/24 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.daddr not -1.1.1.1 counter DROP")
diff --git a/tests/e2e/matchers/ip4_dnet.sh b/tests/e2e/matchers/ip4_dnet.sh
index 72e14f89e..e92b811a3 100755
--- a/tests/e2e/matchers/ip4_dnet.sh
+++ b/tests/e2e/matchers/ip4_dnet.sh
@@ -2,34 +2,34 @@ . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/32 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 255.255.255.255/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 255.255.255.255/17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 255.255.255.255/32 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/32 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 255.255.255.255/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 255.255.255.255/17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 255.255.255.255/32 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1.1/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/-10 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/75 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/0x75 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq -1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq -1.1.1.1/1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1.1/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/-10 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/75 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq 1.1.1.1/0x75 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq -1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet eq -1.1.1.1/1 counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1/17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1/32 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 255.255.255.255/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 255.255.255.255/17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 255.255.255.255/32 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1/17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1/32 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 255.255.255.255/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 255.255.255.255/17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 255.255.255.255/32 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1.1/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1/-10 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1/75 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1/0x75 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not -1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not -1.1.1.1/1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1.1/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1/-10 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1/75 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not 1.1.1.1/0x75 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not -1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dnet not -1.1.1.1/1 counter DROP")
diff --git a/tests/e2e/matchers/ip4_dscp.sh b/tests/e2e/matchers/ip4_dscp.sh
index 1935273a9..f890eafd9 100755
--- a/tests/e2e/matchers/ip4_dscp.sh
+++ b/tests/e2e/matchers/ip4_dscp.sh
@@ -3,28 +3,28 @@ . "$(dirname "$0")"/../e2e_test_util.sh
 # Test valid decimal values
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 16 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 16 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 255 counter DROP"
 # Test valid hexadecimal values
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 0x00 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 0x10 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 0xff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 0x00 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 0x10 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 0xff counter DROP"
 # Test invalid values (should fail)
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 256 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq -1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq invalid counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 0x100 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq -1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq invalid counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp eq 0x100 counter DROP")
 # Test with 'not' operator
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not 16 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not 255 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not 0x10 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not 16 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not 255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not 0x10 counter DROP"
 # Test invalid values with 'not' operator (should fail)
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not 256 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not -1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not invalid counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not 256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not -1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.dscp not invalid counter DROP")
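Review bot: The new side of this hunk still pins an 8-bit range for `ip4.dscp`: `${BFCLI} ... ip4.dscp eq 255` and `eq 0xff` are expected to succeed and only 256/0x100 are rejected, while the DSCP field is 6 bits wide (0–63). If the matcher is meant to validate the field width, the 255/0xff expectations are wrong and the 63/64 boundary is untested; if accepting a full byte is deliberate, a comment above the "valid decimal values" block, `# ip4.dscp accepts 0-255 here, not only the 6-bit DSCP range`, would record that choice. This predates the rename, so it can be a follow-up rather than a blocker for this commit.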
diff --git a/tests/e2e/matchers/ip4_proto.sh b/tests/e2e/matchers/ip4_proto.sh
index 57db11153..71c8f2c9a 100755
--- a/tests/e2e/matchers/ip4_proto.sh
+++ b/tests/e2e/matchers/ip4_proto.sh
@@ -2,26 +2,26 @@ . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq icmp counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq ICMPv6 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq 17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq 255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq icmp counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq ICMPv6 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq 17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq 255 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq ipv4 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq imcp counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq 0x342 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq -18 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq 256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq ipv4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq imcp counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq 0x342 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq -18 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto eq 256 counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not icmp counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not ICMPv6 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not 17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not 255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not icmp counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not ICMPv6 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not 17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not 255 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not ipv4 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not imcp counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not 0x342 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not -18 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not 256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not ipv4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not imcp counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not 0x342 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not -18 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.proto not 256 counter DROP")
diff --git a/tests/e2e/matchers/ip4_saddr.sh b/tests/e2e/matchers/ip4_saddr.sh
index 3cf28c2e3..a2a16196d 100755
--- a/tests/e2e/matchers/ip4_saddr.sh
+++ b/tests/e2e/matchers/ip4_saddr.sh
@@ -2,18 +2,18 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq 1.1.1.1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq 255.255.255.255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq 1.1.1.1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq 255.255.255.255 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq 1.1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq 1.1.1.1/24 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq -1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq 1.1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq 1.1.1.1/24 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr eq -1.1.1.1 counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr not 1.1.1.1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr not 255.255.255.255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr not 1.1.1.1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr not 255.255.255.255 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr not notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr not 1.1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr not 1.1.1.1/24 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr not -1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr not notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr not 1.1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr not 1.1.1.1/24 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.saddr not -1.1.1.1 counter DROP")
diff --git a/tests/e2e/matchers/ip4_snet.sh b/tests/e2e/matchers/ip4_snet.sh
index 5bbd6359a..7a0471c35 100755
--- a/tests/e2e/matchers/ip4_snet.sh
+++ b/tests/e2e/matchers/ip4_snet.sh
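Review bot: Every negative assertion in this hunk, `(! ${BFCLI} ruleset set ... )`, now passes vacuously if `BFCLI` is unset or names a binary that does not exist, because the shell's command-not-found status (127) is non-zero and `!` turns it into success, so a misconfigured test environment reports the invalid-address cases as green instead of failing. The same applies to the ip4_snet, ip6_daddr and ip6_dnet hunks below and, presumably, to the ip4_proto hunk whose start is outside this view. `e2e_test_util.sh`, sourced on the hunk's first context line, probably defines `BFCLI`, but that is not visible here, and the unquoted expansion means an empty value silently drops the command word. A guard at the point where the variable is defined, `: "${BFCLI:?BFCLI must point to the bfcli binary under test}"`, or asserting that the negative cases exit with a status other than 127, would turn the misconfiguration into a hard failure.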
@@ -2,34 +2,34 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/32 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 255.255.255.255/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 255.255.255.255/17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 255.255.255.255/32 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/32 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 255.255.255.255/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 255.255.255.255/17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 255.255.255.255/32 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1.1/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/-10 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/75 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/0x75 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq -1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq -1.1.1.1/1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1.1/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/-10 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/75 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq 1.1.1.1/0x75 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq -1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet eq -1.1.1.1/1 counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1/17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1/32 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 255.255.255.255/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 255.255.255.255/17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 255.255.255.255/32 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1/17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1/32 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 255.255.255.255/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 255.255.255.255/17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 255.255.255.255/32 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1.1/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1/-10 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1/75 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1/0x75 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not -1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not -1.1.1.1/1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1.1/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1/-10 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1/75 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not 1.1.1.1/0x75 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not -1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip4.snet not -1.1.1.1/1 counter DROP")
diff --git a/tests/e2e/matchers/ip6_daddr.sh b/tests/e2e/matchers/ip6_daddr.sh
index 5ca078d78..641041fc1 100755
--- a/tests/e2e/matchers/ip6_daddr.sh
+++ b/tests/e2e/matchers/ip6_daddr.sh
@@ -2,54 +2,54 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq fe80:0000:0000:0000:0202:b3ff:fe1e:8329 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8:0:0:1:0:0:1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8:85a3::8a2e:370:7334 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8::1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq ::1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq :: counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8:85a3:0:0:8a2e:370:: counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq fe80::202:b3ff:fe1e:8329 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq ::1:0:0:0:0:0:0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 0:0:0:0:0:0:0:1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8:0:0:0:0:0:0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:0db8:0000:0000:0000:0000:0000:0001 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq fe80:0000:0000:0000:0202:b3ff:fe1e:8329 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8:0:0:1:0:0:1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8:85a3::8a2e:370:7334 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8::1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq ::1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq :: counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8:85a3:0:0:8a2e:370:: counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq fe80::202:b3ff:fe1e:8329 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq ::1:0:0:0:0:0:0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 0:0:0:0:0:0:0:1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8:0:0:0:0:0:0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:0db8:0000:0000:0000:0000:0000:0001 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001::db8::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:0db8:85g3::8a2e:370:7334 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8:12345::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8::192.168.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq :2001:db8::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001::db8:: counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8::1: counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001::db8::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:0db8:85g3::8a2e:370:7334 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8:12345::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8::192.168.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq :2001:db8::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001::db8:: counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr eq 2001:db8::1: counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:0db8:85a3:0000:0000:8a2e:0370:7334 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not fe80:0000:0000:0000:0202:b3ff:fe1e:8329 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8:0:0:1:0:0:1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8:85a3::8a2e:370:7334 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8::1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not ::1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not :: counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8:85a3:0:0:8a2e:370:: counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not fe80::202:b3ff:fe1e:8329 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not ::1:0:0:0:0:0:0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 0:0:0:0:0:0:0:1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8:0:0:0:0:0:0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:0db8:0000:0000:0000:0000:0000:0001 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:0db8:85a3:0000:0000:8a2e:0370:7334 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not fe80:0000:0000:0000:0202:b3ff:fe1e:8329 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8:0:0:1:0:0:1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8:85a3::8a2e:370:7334 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8::1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not ::1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not :: counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8:85a3:0:0:8a2e:370:: counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not fe80::202:b3ff:fe1e:8329 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not ::1:0:0:0:0:0:0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 0:0:0:0:0:0:0:1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8:0:0:0:0:0:0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:0db8:0000:0000:0000:0000:0000:0001 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001::db8::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:0db8:85g3::8a2e:370:7334 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8:12345::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8::192.168.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not :2001:db8::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001::db8:: counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8::1: counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001::db8::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:0db8:85g3::8a2e:370:7334 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8:12345::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8::192.168.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not :2001:db8::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001::db8:: counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.daddr not 2001:db8::1: counter DROP")
diff --git a/tests/e2e/matchers/ip6_dnet.sh b/tests/e2e/matchers/ip6_dnet.sh
index 9fc8b6077..55194313e 100755
--- a/tests/e2e/matchers/ip6_dnet.sh
+++ b/tests/e2e/matchers/ip6_dnet.sh
@@ -2,74 +2,74 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/32 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8:85a3::/48 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq fe80::/10 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8:85a3:8d3::/64 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:0db8:85a3:0000::/64 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::1/128 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq ::1/128 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq ::/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::8a2e:370:7334/96 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 0:0:0:0:0:0:0:0/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq ::0/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/32 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8:85a3::/48 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq fe80::/10 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8:85a3:8d3::/64 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:0db8:85a3:0000::/64 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::1/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq ::1/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq ::/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::8a2e:370:7334/96 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 0:0:0:0:0:0:0:0/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq ::0/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334/128 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001::db8::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/129 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/256 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/-1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/999 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq ::ffff:192.168.0.0/96 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:0db81:85a3::8a2e:370:7334/48 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:xyz8::1/32 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq gggg::1/128 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8:://32 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/32/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/32/48 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/3g counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/xx counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq /64 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::1/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq /128/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq /2001:db8::/32 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001::db8::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/129 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/-1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/999 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq ::ffff:192.168.0.0/96 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:0db81:85a3::8a2e:370:7334/48 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:xyz8::1/32 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq gggg::1/128 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8:://32 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/32/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/32/48 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/3g counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::/xx counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq /64 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq 2001:db8::1/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq /128/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet eq /2001:db8::/32 counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/32 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8:85a3::/48 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not fe80::/10 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8:85a3:8d3::/64 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:0db8:85a3:0000::/64 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::1/128 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not ::1/128 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not ::/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::8a2e:370:7334/96 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 0:0:0:0:0:0:0:0/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not ::0/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:0db8:85a3:0000:0000:8a2e:0370:7334/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/32 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8:85a3::/48 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not fe80::/10 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8:85a3:8d3::/64 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:0db8:85a3:0000::/64 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::1/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not ::1/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not ::/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::8a2e:370:7334/96 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 0:0:0:0:0:0:0:0/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not ::0/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:0db8:85a3:0000:0000:8a2e:0370:7334/128 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001::db8::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/129 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/256 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/-1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/999 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not ::ffff:192.168.0.0/96 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:0db81:85a3::8a2e:370:7334/48 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:xyz8::1/32 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not gggg::1/128 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8:://32 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/32/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/32/48 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/3g counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/xx counter DROP")
-(! 
bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not /64 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::1/ counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not /128/ counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not /2001:db8::/32 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not notanip counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 1.1.1.1 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001::db8::1 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/129 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/256 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/-1 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/999 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not ::ffff:192.168.0.0/96 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:0db81:85a3::8a2e:370:7334/48 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:xyz8::1/32 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not gggg::1/128 counter DROP") +(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8:://32 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/32/ counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/32/48 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/3g counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::/xx counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not /64 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not 2001:db8::1/ counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not /128/ counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dnet not /2001:db8::/32 counter DROP") diff --git a/tests/e2e/matchers/ip6_dscp.sh b/tests/e2e/matchers/ip6_dscp.sh index 5207115da..ea064b5fe 100755 --- a/tests/e2e/matchers/ip6_dscp.sh +++ b/tests/e2e/matchers/ip6_dscp.sh 
@@ -3,35 +3,35 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
 # Test valid decimal values with 'eq' operator
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 46 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 46 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 255 counter DROP"
 # Test valid hexadecimal values with 'eq' operator
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 0x00 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 0x2e counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 0xff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 0x00 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 0x2e counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 0xff counter DROP"
 # Test invalid values with 'eq' operator (should fail)
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq abc counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq -1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 256 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq -0x01 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 0x100 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq abc counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq -1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq -0x01 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp eq 0x100 counter DROP")
 # Test valid decimal values with 'not' operator
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 46 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 46 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 255 counter DROP"
 # Test valid hexadecimal values with 'not' operator
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 0x00 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 0x2e counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 0xff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 0x00 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 0x2e counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 0xff counter DROP"
 # Test invalid values with 'not' operator (should fail)
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not abc counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not -1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 256 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not -0x01 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 0x100 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not abc counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not -1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not -0x01 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.dscp not 0x100 counter DROP")
diff --git a/tests/e2e/matchers/ip6_nexthdr.sh b/tests/e2e/matchers/ip6_nexthdr.sh
index 727635cbd..57ffeca47 100755
--- a/tests/e2e/matchers/ip6_nexthdr.sh
+++ b/tests/e2e/matchers/ip6_nexthdr.sh
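Review bot: The rewritten lines expand `${BFCLI}` unquoted and nothing in the hunk verifies that it is set; because the `(! …)` cases accept any non-zero status, an unset or unresolvable `BFCLI` (exit 127 from the shell) makes every negative assertion pass vacuously while saying nothing about the parser. A single guard such as `: "${BFCLI:?BFCLI is not set}"` right after sourcing e2e_test_util.sh (or inside that helper, if it is the one defining the variable) closes the gap; the same applies to the ip6_nexthdr.sh and ip6_saddr.sh hunks below. Separately, the `eq 255`/`eq 0xff` and `not 255`/`not 0xff` cases still pin acceptance of values above 63 although DSCP is a 6-bit field; if accepting the full byte at parse time is intentional, a comment above the section stating that explicitly would stop the cases from reading as an oversight — confirm against the matcher before relying on it.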
@@ -2,26 +2,26 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq icmp counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq hop counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq HOP counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq 17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq 255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq icmp counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq hop counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq HOP counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq 17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq 255 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq ipv4 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq imcp counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq 0x342 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq -18 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq 256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq ipv4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq imcp counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq 0x342 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq -18 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq 256 counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not icmp counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not hop counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not HOP counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not 17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not 255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not icmp counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not hop counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not HOP counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not 17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not 255 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not ipv4 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not imcp counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not 0x342 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not -18 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not 256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not ipv4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not imcp counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not 0x342 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not -18 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr not 256 counter DROP")
diff --git a/tests/e2e/matchers/ip6_saddr.sh b/tests/e2e/matchers/ip6_saddr.sh
index 21691f281..4d492aa5b 100755
--- a/tests/e2e/matchers/ip6_saddr.sh
+++ b/tests/e2e/matchers/ip6_saddr.sh
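Review bot: The `eq 0x342` and `not 0x342` cases are the only hexadecimal inputs in this file, and both are expected to fail, so the test cannot distinguish "hex literals are rejected outright" from "hex literals are range-checked like decimals"; the ip6_dscp.sh hunk above does accept `0x2e`, which suggests the latter is the intended contract. Adding one in-range positive next to the `eq 17` case, e.g. `${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.nexthdr eq 0x11 counter DROP"`, would pin that behaviour (and its `not` twin for the second section). If hex is deliberately unsupported for ip6.nexthdr, a comment saying so above the negative cases would make the asymmetry with ip6.dscp intentional rather than accidental.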
@@ -2,54 +2,54 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq fe80:0000:0000:0000:0202:b3ff:fe1e:8329 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8:0:0:1:0:0:1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8:85a3::8a2e:370:7334 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8::1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq ::1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq :: counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8:85a3:0:0:8a2e:370:: counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq fe80::202:b3ff:fe1e:8329 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq ::1:0:0:0:0:0:0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 0:0:0:0:0:0:0:1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8:0:0:0:0:0:0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:0db8:0000:0000:0000:0000:0000:0001 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq fe80:0000:0000:0000:0202:b3ff:fe1e:8329 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8:0:0:1:0:0:1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8:85a3::8a2e:370:7334 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8::1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq ::1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq :: counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8:85a3:0:0:8a2e:370:: counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq fe80::202:b3ff:fe1e:8329 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq ::1:0:0:0:0:0:0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 0:0:0:0:0:0:0:1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8:0:0:0:0:0:0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:0db8:0000:0000:0000:0000:0000:0001 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001::db8::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:0db8:85g3::8a2e:370:7334 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8:12345::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8::192.168.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq :2001:db8::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001::db8:: counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8::1: counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001::db8::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:0db8:85g3::8a2e:370:7334 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8:12345::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8::192.168.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq :2001:db8::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001::db8:: counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr eq 2001:db8::1: counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:0db8:85a3:0000:0000:8a2e:0370:7334 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not fe80:0000:0000:0000:0202:b3ff:fe1e:8329 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8:0:0:1:0:0:1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8:85a3::8a2e:370:7334 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8::1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not ::1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not :: counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8:85a3:0:0:8a2e:370:: counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not fe80::202:b3ff:fe1e:8329 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not ::1:0:0:0:0:0:0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 0:0:0:0:0:0:0:1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8:0:0:0:0:0:0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:0db8:0000:0000:0000:0000:0000:0001 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:0db8:85a3:0000:0000:8a2e:0370:7334 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not fe80:0000:0000:0000:0202:b3ff:fe1e:8329 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8:0:0:1:0:0:1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8:85a3::8a2e:370:7334 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8::1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not ::1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not :: counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8:85a3:0:0:8a2e:370:: counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not fe80::202:b3ff:fe1e:8329 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not ::1:0:0:0:0:0:0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 0:0:0:0:0:0:0:1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8:0:0:0:0:0:0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:0db8:0000:0000:0000:0000:0000:0001 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001::db8::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:0db8:85g3::8a2e:370:7334 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8:12345::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8::192.168.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not :2001:db8::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001::db8:: counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8::1: counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001::db8::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:0db8:85g3::8a2e:370:7334 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8:12345::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8::192.168.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not :2001:db8::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001::db8:: counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.saddr not 2001:db8::1: counter DROP")
diff --git a/tests/e2e/matchers/ip6_snet.sh b/tests/e2e/matchers/ip6_snet.sh
index eeceeb7f9..67ca16c2b 100755
--- a/tests/e2e/matchers/ip6_snet.sh
+++ b/tests/e2e/matchers/ip6_snet.sh
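Review bot: The rewritten negative cases keep `2001:db8::192.168.1.1` (and, in the ip6_dnet.sh hunk above, `::ffff:192.168.0.0/96`) as inputs that must be rejected, yet a trailing dotted-quad is valid IPv6 text per RFC 4291 section 2.2 and is accepted by inet_pton(3). If refusing that notation is a deliberate restriction of the bfcli address parser, a comment above the first such line, e.g. `# embedded-IPv4 (dotted-quad suffix) notation is intentionally not accepted`, records the contract so that a later switch to a libc parser is recognised as a behaviour change rather than a test regression; if it is not deliberate, these lines are pinning a parser gap and the expectation should be inverted once the parser is fixed.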
@@ -2,74 +2,74 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/32 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8:85a3::/48 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq fe80::/10 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8:85a3:8d3::/64 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:0db8:85a3:0000::/64 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::1/128 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq ::1/128 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq ::/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::8a2e:370:7334/96 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 0:0:0:0:0:0:0:0/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq ::0/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/32 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8:85a3::/48 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq fe80::/10 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8:85a3:8d3::/64 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:0db8:85a3:0000::/64 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::1/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq ::1/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq ::/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::8a2e:370:7334/96 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 0:0:0:0:0:0:0:0/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq ::0/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334/128 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001::db8::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/129 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/256 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/-1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/999 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq ::ffff:192.168.0.0/96 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:0db81:85a3::8a2e:370:7334/48 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:xyz8::1/32 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq gggg::1/128 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8:://32 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/32/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/32/48 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/3g counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/xx counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq /64 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::1/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq /128/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq /2001:db8::/32 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001::db8::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/129 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/-1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/999 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq ::ffff:192.168.0.0/96 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:0db81:85a3::8a2e:370:7334/48 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:xyz8::1/32 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq gggg::1/128 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8:://32 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/32/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/32/48 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/3g counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::/xx counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq /64 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq 2001:db8::1/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq /128/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet eq /2001:db8::/32 counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/32 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8:85a3::/48 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not fe80::/10 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8:85a3:8d3::/64 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:0db8:85a3:0000::/64 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::1/128 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not ::1/128 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not ::/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::8a2e:370:7334/96 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 0:0:0:0:0:0:0:0/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not ::0/0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:0db8:85a3:0000:0000:8a2e:0370:7334/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/32 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8:85a3::/48 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not fe80::/10 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8:85a3:8d3::/64 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:0db8:85a3:0000::/64 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::1/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not ::1/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not ::/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::8a2e:370:7334/96 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 0:0:0:0:0:0:0:0/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not ::0/0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:0db8:85a3:0000:0000:8a2e:0370:7334/128 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not notanip counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 1.1.1.1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001::db8::1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/129 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/256 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/-1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/999 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not ::ffff:192.168.0.0/96 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:0db81:85a3::8a2e:370:7334/48 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:xyz8::1/32 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not gggg::1/128 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8:://32 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/32/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/32/48 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/3g counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/xx counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not /64 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::1/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not /128/ counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not /2001:db8::/32 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not notanip counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 1.1.1.1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001::db8::1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:0db8:85a3:0000:0000:8a2e:0370:7334:1234 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/129 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/-1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/999 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not ::ffff:192.168.0.0/96 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:0db81:85a3::8a2e:370:7334/48 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:xyz8::1/32 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not gggg::1/128 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8:://32 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/32/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/32/48 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/3g counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::/xx counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not /64 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not 2001:db8::1/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not /128/ counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ip6.snet not /2001:db8::/32 counter DROP")
diff --git a/tests/e2e/matchers/meta_dport.sh b/tests/e2e/matchers/meta_dport.sh
index 6504d68c3..b28714e23 100755
--- a/tests/e2e/matchers/meta_dport.sh
+++ b/tests/e2e/matchers/meta_dport.sh
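Review bot: `${BFCLI}` is expanded unquoted on every line of this hunk, so the script now silently depends on the variable being set and containing no whitespace; if it is empty, each `(! ${BFCLI} ruleset set ...)` negative check collapses to `(! ruleset set ...)`, which fails with command-not-found and makes the expected-rejection lines pass vacuously, while the positive lines fail for the same unrelated reason. Presumably e2e_test_util.sh, sourced on the first context line, defines BFCLI, but nothing in the hunk enforces that. A guard such as `: "${BFCLI:?BFCLI must point to the bfcli binary}"` right after the source line (or inside the helper) would turn a misconfigured environment into an explicit error, and quoting the expansion as `"${BFCLI}"` would make the scripts tolerate a build path containing spaces. The same pattern applies to the meta_dport.sh and meta_flow_hash.sh hunks below.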
@@ -2,40 +2,40 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 40 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 40 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 65535 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq -40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 0x40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq -0x00 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 75000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 0xffffff counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq not_a_port counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq -40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 0x40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq -0x00 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 75000 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq 0xffffff counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport eq not_a_port counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not 40 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not 65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not 40 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not 65535 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not -40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not 0x40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not -0x00 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not 75000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not 0xffffff counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not not_a_port counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not -40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not 0x40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not -0x00 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not 75000 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not 0xffffff counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport not not_a_port counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 0-0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 0-65535 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 17-30 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 0-0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 0-65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 17-30 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 20-10 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 10-20-30 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 10000000-1000000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 0x20 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 0x20-0x30 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 0x30-0x20 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range -1-4 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range -1--4 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range not-port counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range notport counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 20-10 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 10-20-30 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 10000000-1000000 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 0x20 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 0x20-0x30 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range 0x30-0x20 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range -1-4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range -1--4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range not-port counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.dport range notport counter DROP")
diff --git a/tests/e2e/matchers/meta_flow_hash.sh b/tests/e2e/matchers/meta_flow_hash.sh
index add8738d0..f37504410 100755
--- a/tests/e2e/matchers/meta_flow_hash.sh
+++ b/tests/e2e/matchers/meta_flow_hash.sh
@@ -2,51 +2,51 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_XDP ACCEPT rule meta.flow_hash eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_INGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_EGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_FORWARD ACCEPT rule meta.flow_hash eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_LOCAL_IN ACCEPT rule meta.flow_hash eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_LOCAL_OUT ACCEPT rule meta.flow_hash eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_POST_ROUTING ACCEPT rule meta.flow_hash eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_PRE_ROUTING ACCEPT rule meta.flow_hash eq 0 counter DROP")
-
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 4294967295 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0x00 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0x0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0xffffffff counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0xeff counter DROP"
-
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq -1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0xfffffffff counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 1qw counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq qw counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0x counter DROP")
-
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 4294967295 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0x00 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0x0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0xffffffff counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0xeff counter DROP"
-
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not -1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0xfffffffff counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 1qw counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not qw counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0x counter DROP")
-
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0-0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0-4294967295 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 4294967294-4294967295 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 4294967295-4294967295 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0x0-0x0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0x0-0xffffffff counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0xfffffffe-0xffffffff counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0xffffffff-0xffffffff counter DROP"
-
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 1-0x00 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0x01-0x00 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0x-0x counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_XDP ACCEPT rule meta.flow_hash eq 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_INGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_EGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_NF_FORWARD ACCEPT rule meta.flow_hash eq 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_NF_LOCAL_IN ACCEPT rule meta.flow_hash eq 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_NF_LOCAL_OUT ACCEPT rule meta.flow_hash eq 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_NF_POST_ROUTING ACCEPT rule meta.flow_hash eq 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_NF_PRE_ROUTING ACCEPT rule meta.flow_hash eq 0 counter DROP")
+
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 4294967295 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0x00 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0x0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0xffffffff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0xeff counter DROP"
+
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq -1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0xfffffffff counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 1qw counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq qw counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash eq 0x counter DROP")
+
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 4294967295 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0x00 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0x0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0xffffffff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0xeff counter DROP"
+
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not -1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0xfffffffff counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 1qw counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not qw counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash not 0x counter DROP")
+
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0-0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0-4294967295 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 4294967294-4294967295 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 4294967295-4294967295 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0x0-0x0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0x0-0xffffffff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0xfffffffe-0xffffffff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0xffffffff-0xffffffff counter DROP"
+
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 1-0x00 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0x01-0x00 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0x-0x counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_hash range 0 counter DROP")
diff --git a/tests/e2e/matchers/meta_flow_probability.sh b/tests/e2e/matchers/meta_flow_probability.sh
index b34af863a..999980525 100755
--- a/tests/e2e/matchers/meta_flow_probability.sh
+++ b/tests/e2e/matchers/meta_flow_probability.sh
@@ -6,33 +6,33 @@ set -o pipefail
 . "$(dirname "$0")"/../e2e_test_util.sh
 # Unsupported hooks: all NF hooks
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_FORWARD ACCEPT rule meta.flow_probability eq 50% counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_LOCAL_IN ACCEPT rule meta.flow_probability eq 50% counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_LOCAL_OUT ACCEPT rule meta.flow_probability eq 50% counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_POST_ROUTING ACCEPT rule meta.flow_probability eq 50% counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_PRE_ROUTING ACCEPT rule meta.flow_probability eq 50% counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_NF_FORWARD ACCEPT rule meta.flow_probability eq 50% counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_NF_LOCAL_IN ACCEPT rule meta.flow_probability eq 50% counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_NF_LOCAL_OUT ACCEPT rule meta.flow_probability eq 50% counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_NF_POST_ROUTING ACCEPT rule meta.flow_probability eq 50% counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_NF_PRE_ROUTING ACCEPT rule meta.flow_probability eq 50% counter DROP")
 # Supported hooks: XDP, TC, and CGROUP_SKB
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_XDP ACCEPT rule meta.flow_probability eq 50% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 0% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 100% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_EGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_INGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_EGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_XDP ACCEPT rule meta.flow_probability eq 50% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 0% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 100% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_EGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_INGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_EGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
 # Floating-point percentages
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 33.33% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 0.1% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 99.99% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 50.0% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 0.00% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 100.00% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 33.33% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 0.1% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 99.99% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 50.0% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 0.00% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 100.00% counter DROP"
 # Invalid probability values
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq -10% counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 1000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 1000% counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 100.01% counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq teapot counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq -10% counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 1000 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 1000% counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 100.01% counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq teapot counter DROP")
diff --git a/tests/e2e/matchers/meta_iface.sh b/tests/e2e/matchers/meta_iface.sh
index 05c24ec7e..2b9711fe9 100755
--- a/tests/e2e/matchers/meta_iface.sh
+++ b/tests/e2e/matchers/meta_iface.sh
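Review bot: The negative cases in this hunk, `(! ${BFCLI} ruleset set --dry-run ...)`, are satisfied by any non-zero exit, so an environment problem (BFCLI empty, pointing at a missing binary, or at a build without the matcher) reads as the parser correctly rejecting the rule; the "Unsupported hooks" block at the top of the hunk is entirely negatives, and only the positive lines further down would expose a bad BFCLI. A cheap guard is to expand it as `${BFCLI:?BFCLI is not set}` on each line, or to assert once in e2e_test_util.sh that BFCLI names an executable; I cannot see that helper from here, so it may already do so. A stronger check, if bfcli uses a distinct exit code or message for validation errors, would be to assert on that rather than on "failed at all". Leaving `${BFCLI}` unquoted word-splits a value containing spaces; if that is intended to allow a wrapper such as `sudo bfcli`, a one-line comment next to the first use would save the next reader the guess.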
@@ -2,17 +2,17 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq lo counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 1 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 01 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 4294967294 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq lo counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 1 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 01 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 4294967294 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 0x10 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq -1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 42949672941 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq -2147483646 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq -1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq -100 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq noiface counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq iface_name_is_too_long counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 0x10 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq -1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 42949672941 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq -2147483646 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq -1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq -100 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq noiface counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq iface_name_is_too_long counter DROP")
diff --git a/tests/e2e/matchers/meta_l3_proto.sh b/tests/e2e/matchers/meta_l3_proto.sh
index 486609cb2..7ea15110f 100755
--- a/tests/e2e/matchers/meta_l3_proto.sh
+++ b/tests/e2e/matchers/meta_l3_proto.sh
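Review bot: The rewritten negative block still carries the `meta.iface eq -1` case twice (second and fifth lines of the `+(! ...)` group), so one of them is dead weight that the rename preserved. Since the hunk accepts `4294967294` and rejects `42949672941`, the exact boundary `4294967295` is the value left unexercised; replacing the duplicate with `(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.iface eq 4294967295 counter DROP")`, or the positive form if the parser is meant to accept UINT32_MAX, would pin that edge. I cannot tell from this diff which way the ifindex parser treats it, so whichever expectation matches the implementation is the one to add.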
@@ -2,16 +2,16 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq ipv4 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq IPv6 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 65535 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 0x00 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 0x17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 0xffff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq ipv4 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq IPv6 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 0x00 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 0x17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 0xffff counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq ipv65 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq thisiswaytolongforaprotocolname counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 0xffffff counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq -154252 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq ipv65 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq thisiswaytolongforaprotocolname counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq 0xffffff counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l3_proto eq -154252 counter DROP")
diff --git a/tests/e2e/matchers/meta_l4_proto.sh b/tests/e2e/matchers/meta_l4_proto.sh
index cd924753b..1dd6ab4a1 100755
--- a/tests/e2e/matchers/meta_l4_proto.sh
+++ b/tests/e2e/matchers/meta_l4_proto.sh
@@ -2,26 +2,26 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq icmp counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq ICMPv6 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq 17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq 255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq icmp counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq ICMPv6 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq 17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq 255 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq ipv4 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq imcp counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq 0x342 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq -18 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq 256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq ipv4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq imcp counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq 0x342 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq -18 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto eq 256 counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not icmp counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not ICMPv6 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not 17 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not 255 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not icmp counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not ICMPv6 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not 17 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not 255 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not ipv4 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not imcp counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not 0x342 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not -18 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not 256 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not ipv4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not imcp counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not 0x342 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not -18 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.l4_proto not 256 counter DROP")
diff --git a/tests/e2e/matchers/meta_mark.sh b/tests/e2e/matchers/meta_mark.sh
index 574df5adf..42a57a9a7 100755
--- a/tests/e2e/matchers/meta_mark.sh
+++ b/tests/e2e/matchers/meta_mark.sh
@@ -2,14 +2,14 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_XDP ACCEPT rule meta.mark eq 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_XDP ACCEPT rule meta.mark eq 0 counter DROP")
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq 15 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq 0x00 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq 0xffffffff counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq 15 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq 0x00 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq 0xffffffff counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq -1 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq 0xffffffffff counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq 1qw counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq qw counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq -1 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq 0xffffffffff counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq 1qw counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.mark eq qw counter DROP")
diff --git a/tests/e2e/matchers/meta_probability.sh b/tests/e2e/matchers/meta_probability.sh
index 39e74b195..46e5eafdc 100755
--- a/tests/e2e/matchers/meta_probability.sh
+++ b/tests/e2e/matchers/meta_probability.sh
@@ -2,15 +2,15 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 0% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 50% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 100% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 33.33% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 0.1% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 99.99% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 0% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 50% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 100% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 33.33% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 0.1% counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 99.99% counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq -10% counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 1000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 1000% counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq teapot counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq -10% counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 1000 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq 1000% counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.probability eq teapot counter DROP")
diff --git a/tests/e2e/matchers/meta_sport.sh b/tests/e2e/matchers/meta_sport.sh
index 8c66891c4..06fe4649c 100755
--- a/tests/e2e/matchers/meta_sport.sh
+++ b/tests/e2e/matchers/meta_sport.sh
@@ -2,40 +2,40 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 40 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 40 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 65535 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq -40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 0x40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq -0x00 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 75000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 0xffffff counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq not_a_port counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq -40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 0x40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq -0x00 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 75000 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq 0xffffff counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport eq not_a_port counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not 40 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not 65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not 40 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not 65535 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not -40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not 0x40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not -0x00 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not 75000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not 0xffffff counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not not_a_port counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not -40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not 0x40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not -0x00 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not 75000 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not 0xffffff counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport not not_a_port counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 0-0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 0-65535 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 17-30 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 0-0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 0-65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 17-30 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 20-10 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 10-20-30 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 10000000-1000000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 0x20 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 0x20-0x30 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 0x30-0x20 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range -1-4 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range -1--4 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range not-port counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range notport counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 20-10 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 10-20-30 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 10000000-1000000 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 0x20 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 0x20-0x30 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range 0x30-0x20 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range -1-4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range -1--4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range not-port counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule meta.sport range notport counter DROP")
diff --git a/tests/e2e/matchers/named_set.sh b/tests/e2e/matchers/named_set.sh
index 977d82fb3..b36f3e5bd 100755
--- a/tests/e2e/matchers/named_set.sh
+++ b/tests/e2e/matchers/named_set.sh
@@ -2,7 +2,7 @@ . "$(dirname "$0")"/../e2e_test_util.sh -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT set myset (ip4.saddr) in { 192.168.1.1; 192.168.1.2 @@ -12,7 +12,7 @@ bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT counter ACCEPT " -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT set myset (ip4.saddr, ip4.proto) in { 192.168.1.1, tcp; 192.168.1.2, udp @@ -23,14 +23,14 @@ bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT ACCEPT " -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT set myset (ip4.saddr) eq { 192.168.1.1 }") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT set myset (ip4.saddr, meta.ifindex) in { 192.168.1.1 }") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT set myset (ip4.saddr, ip4.proto) in { 192.168.1.1 }") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT set myset (ip4.saddr) eq { 192.168.1.1 }") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT set myset (ip4.saddr, meta.ifindex) in { 192.168.1.1 }") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT set myset (ip4.saddr, ip4.proto) in { 192.168.1.1 }") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT set myset (ip4.saddr) in { 192.168.1.1 } rule (ip4.daddr) in myset ") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT set myset (ip4.saddr) in { 192.168.1.1 } rule (ip4.daddr) in my_set ") diff --git a/tests/e2e/matchers/set.sh b/tests/e2e/matchers/set.sh index 04aedbdfc..b91b6b5ae 100755 --- a/tests/e2e/matchers/set.sh 
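Review bot: The negative cases in the third hunk, such as `(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT set myset (ip4.saddr) eq { 192.168.1.1 }")`, pass vacuously when `BFCLI` is unset or empty or points at a binary that does not exist: the shell then fails to run `ruleset` (or the missing path), `!` inverts that non-zero status, and the assertion that the parser rejects the rule is never actually made. Unless e2e_test_util.sh, which is not visible here, already enforces it, add `: "${BFCLI:?BFCLI is not set}"` right after the sourcing line, or `set -u`, so a misconfigured harness fails loudly instead of reporting success. Matching the expected rejection message on stderr would further distinguish a parser rejection from a crash or a missing binary. The same applies to the `(! ${BFCLI} …)` cases in set.sh, tcp_dport.sh, tcp_flags.sh, tcp_sport.sh and udp_dport.sh.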
+++ b/tests/e2e/matchers/set.sh 
@@ -2,80 +2,78 @@ . "$(dirname "$0")"/../e2e_test_util.sh -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1,41; 192.168.1.1,42} counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1 ,41; 192.168.1.1,42} counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1, 41; 192.168.1.1,42} counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1,41;192.168.1.1,42} counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in { +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1,41; 192.168.1.1,42} counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1 ,41; 192.168.1.1,42} counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1, 41; 192.168.1.1,42} counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1,41;192.168.1.1,42} counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in { 192.168.1.1 , 41; 192.168.1.1,42 } counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip6.saddr) in { +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip6.saddr) in { ::1; ::2 } counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip6.snet) in { +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip6.snet) in { ::1/100; ::2/89 } counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp 
BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in { +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in { 192.168.1.1 , 41 ; 192.168.1.1 , 42 ; } counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, ip4.daddr) in { +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, ip4.daddr) in { 192.168.1.1, 192.168.1.2; 192.168.1.3, 192.168.1.4 } counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.proto, ip6.nexthdr) in {6, 40; 40, 6} counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip6.saddr, ip6.daddr) in { +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.proto, ip6.nexthdr) in {6, 40; 40, 6} counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip6.saddr, ip6.daddr) in { ::1, ::2; ::3, ::4 } counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (icmp.code, icmp.type) in { +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (icmp.code, icmp.type) in { 3, echo-reply; 2, echo-request } counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (icmpv6.code, icmpv6.type) in { +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (icmpv6.code, icmpv6.type) in { 3, echo-reply; 2, echo-request } counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (icmpv6.code, icmpv6.type ) in { +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (icmpv6.code, icmpv6.type ) in { 3, echo-reply; 2, echo-request } counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (icmpv6.code , icmpv6.type ) in { +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (icmpv6.code , icmpv6.type 
) in { 3, echo-reply; 2, echo-request } counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ( icmpv6.code, icmpv6.type ) in { +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule ( icmpv6.code, icmpv6.type ) in { 3, echo-reply; 2, echo-request } counter DROP" -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.snet, ip4.dnet) in { +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.snet, ip4.dnet) in { 192.168.1.1/24, 192.167.1.1/24; 10.211.55.2/24, 192.168.1.1/24 } counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip6.snet, ip6.dnet) in { +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip6.snet, ip6.dnet) in { ::1/32, ::2/64; ::3/96, ::4/128 } counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, ) in {192.168.1.1,41; 192.168.1.1,42} counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1,41 192.168.1.1,42} counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.141; 192.168.1.1,42} counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1} counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr;icmp.code) in {192.168.1.1,41; 192.168.1.1,42} counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.,41; 192.168.1.1,42} counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1,cafe; 192.168.1.1,42} counter DROP") -(! 
bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1,41,192.168.1.1,42} counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, ) in {192.168.1.1,41; 192.168.1.1,42} counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1,41 192.168.1.1,42} counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.141; 192.168.1.1,42} counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1} counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr;icmp.code) in {192.168.1.1,41; 192.168.1.1,42} counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.,41; 192.168.1.1,42} counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1,cafe; 192.168.1.1,42} counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule (ip4.saddr, icmp.code) in {192.168.1.1,41,192.168.1.1,42} counter DROP") make_sandbox -start_bpfilter - ${FROM_NS} bfcli chain set --from-str "chain test BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT + ${FROM_NS} ${BFCLI} chain set --from-str "chain test BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule (ip4.saddr) in { 192.168.1.1 } DROP rule (ip4.saddr) in {} ACCEPT" # Verify only 1 set map was pinned (empty set should not create a map) MAP_COUNT=$(${FROM_NS} find ${WORKDIR}/bpf/bpfilter/test/ -name 'bf_set_*' | wc -l) [ "${MAP_COUNT}" -eq 1 ] || { echo "ERROR: Expected 1 set map, found ${MAP_COUNT}"; exit 1; } -stop_bpfilter 
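Review bot: With `start_bpfilter` and `stop_bpfilter` removed, the `${FROM_NS} ${BFCLI} chain set` call at the end of the hunk now attaches the test chain and pins its maps under `${WORKDIR}/bpf/bpfilter/test/` directly, but no replacement teardown is visible, so the attached program and its pins outlive the assertion unless `make_sandbox` (defined outside this file) registers cleanup on exit. If it does not, add the suite's chain-removal step after the map-count check, preferably via `trap … EXIT` so that a failing `[ "${MAP_COUNT}" -eq 1 ]` still cleans up. The same question applies to the `-stop_bpfilter` removal in set_empty_index.sh.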
diff --git a/tests/e2e/matchers/set_empty_index.sh b/tests/e2e/matchers/set_empty_index.sh index f6174ae3b..818e4749d 100755 --- a/tests/e2e/matchers/set_empty_index.sh +++ b/tests/e2e/matchers/set_empty_index.sh @@ -12,7 +12,6 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter # empty_first: chain->sets[0], empty (skipped during map creation) # active_second: chain->sets[1], non-empty @@ -20,12 +19,10 @@ start_bpfilter # If handle->sets doesn't preserve index correspondence, the fixup for # set_index=1 will be out of bounds (handle->sets only has 1 entry at # index 0). -${FROM_NS} bfcli chain set --from-str "chain test BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT +${FROM_NS} ${BFCLI} chain set --from-str "chain test BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT set empty_first (ip4.saddr) in {} set active_second (ip4.saddr) in { ${HOST_IP_ADDR} } rule (ip4.saddr) in active_second counter DROP" # Verify filtering: HOST_IP_ADDR should match active_second and be dropped. (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) - -stop_bpfilter diff --git a/tests/e2e/matchers/tcp_dport.sh b/tests/e2e/matchers/tcp_dport.sh index d782f1252..bb1284f3b 100755 --- a/tests/e2e/matchers/tcp_dport.sh +++ b/tests/e2e/matchers/tcp_dport.sh 
@@ -2,40 +2,40 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 40 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 40 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 65535 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq -40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 0x40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq -0x00 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 75000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 0xffffff counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq not_a_port counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq -40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 0x40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq -0x00 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 75000 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq 0xffffff counter DROP")
+(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport eq not_a_port counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not 40 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not 65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not 40 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not 65535 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not -40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not 0x40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not -0x00 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not 75000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not 0xffffff counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not not_a_port counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not -40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not 0x40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not -0x00 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not 75000 counter DROP")
+(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not 0xffffff counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport not not_a_port counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 0-0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 0-65535 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 17-30 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 0-0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 0-65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 17-30 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 20-10 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 10-20-30 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 10000000-1000000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 0x20 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 0x20-0x30 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 0x30-0x20 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range -1-4 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range -1--4 counter DROP")
-(! 
bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range not-port counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range notport counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 20-10 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 10-20-30 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 10000000-1000000 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 0x20 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 0x20-0x30 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range 0x30-0x20 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range -1-4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range -1--4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range not-port counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.dport range notport counter DROP")
diff --git a/tests/e2e/matchers/tcp_flags.sh b/tests/e2e/matchers/tcp_flags.sh
index 2e7eb4bfe..1994545a8 100755
--- a/tests/e2e/matchers/tcp_flags.sh
+++ b/tests/e2e/matchers/tcp_flags.sh
@@ -2,46 +2,46 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin,syn,rst,psh,ack counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin,syn,rst,psh,ack,urg counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin,syn,rst,psh,ack,urg,ece counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin,syn,rst,psh,ack,urg,ece,cwr counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq syn,fin counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq cwr,fin,ack counter DROP"
-
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq invalid counter DROP")
-(! 
bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin,syn,rst,psh,ack,urg,ece,cwr,invalid counter DROP")
-
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not fin counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not syn counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not rst counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not psh counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not fin,syn,rst,psh,ack counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not fin,syn,rst,psh,ack,urg counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not fin,syn,rst,psh,ack,urg,ece counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not fin,syn,rst,psh,ack,urg,ece,cwr counter DROP"
-
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not invalid counter DROP")
-(! 
bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not fin,syn,rst,psh,ack,urg,ece,cwr,invalid counter DROP")
-
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,syn,rst,psh,ack counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,syn,rst,psh,ack,urg counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,syn,rst,psh,ack,urg,ece counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,syn,rst,psh,ack,urg,ece,cwr counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any syn,fin counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any cwr,fin,ack counter DROP"
-
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any invalid counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,invalid counter DROP")
-(! 
bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,,syn counter DROP")
-
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all fin counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all syn counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all fin,syn counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all fin,syn,rst counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all fin,syn,rst,psh counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,fin,syn counter DROP"
-
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all fin,syn,rst,psh,ack,urg,ece,cwr,invalid counter DROP")
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin,syn,rst,psh,ack counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin,syn,rst,psh,ack,urg counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin,syn,rst,psh,ack,urg,ece counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin,syn,rst,psh,ack,urg,ece,cwr counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq syn,fin counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq cwr,fin,ack counter DROP"
+
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq invalid counter DROP")
+(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags eq fin,syn,rst,psh,ack,urg,ece,cwr,invalid counter DROP")
+
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not fin counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not syn counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not rst counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not psh counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not fin,syn,rst,psh,ack counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not fin,syn,rst,psh,ack,urg counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not fin,syn,rst,psh,ack,urg,ece counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not fin,syn,rst,psh,ack,urg,ece,cwr counter DROP"
+
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not invalid counter DROP")
+(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags not fin,syn,rst,psh,ack,urg,ece,cwr,invalid counter DROP")
+
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,syn,rst,psh,ack counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,syn,rst,psh,ack,urg counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,syn,rst,psh,ack,urg,ece counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,syn,rst,psh,ack,urg,ece,cwr counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any syn,fin counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any cwr,fin,ack counter DROP"
+
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any invalid counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,invalid counter DROP")
+(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,,syn counter DROP")
+
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all fin counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all syn counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all fin,syn counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all fin,syn,rst counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all fin,syn,rst,psh counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,fin,syn counter DROP"
+
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all fin,syn,rst,psh,ack,urg,ece,cwr,invalid counter DROP")
diff --git a/tests/e2e/matchers/tcp_sport.sh b/tests/e2e/matchers/tcp_sport.sh
index e25675eac..1f11160c1 100755
--- a/tests/e2e/matchers/tcp_sport.sh
+++ b/tests/e2e/matchers/tcp_sport.sh
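Review bot: The last positive case of the `all` group on the new side still reads `${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags any fin,fin,syn counter DROP"`, so the `all` operator is never exercised with a repeated flag and the line only duplicates coverage the `any` group already has; it looks like a copy-paste slip carried over from the removed lines. Changing `any` to `all` there (`… rule tcp.flags all fin,fin,syn counter DROP"`) makes the group consistent with the others. The `all` group also lacks the single-flag rejection case the `eq`, `not` and `any` groups have; adding `(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.flags all invalid counter DROP")` next to the existing long-list case would align it.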
@@ -2,40 +2,40 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 40 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 40 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 65535 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq -40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 0x40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq -0x00 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 75000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 0xffffff counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq not_a_port counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq -40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 0x40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq -0x00 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 75000 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq 0xffffff counter DROP")
+(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport eq not_a_port counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not 0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not 40 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not 65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not 0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not 40 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not 65535 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not -40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not 0x40 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not -0x00 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not 75000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not 0xffffff counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not not_a_port counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not -40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not 0x40 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not -0x00 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not 75000 counter DROP")
+(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not 0xffffff counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport not not_a_port counter DROP")
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 0-0 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 0-65535 counter DROP"
-bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 17-30 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 0-0 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 0-65535 counter DROP"
+${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 17-30 counter DROP"
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 20-10 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 10-20-30 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 10000000-1000000 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 0x20 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 0x20-0x30 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 0x30-0x20 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range -1-4 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range -1--4 counter DROP")
-(! 
bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range not-port counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range notport counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 0 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 20-10 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 10-20-30 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 10000000-1000000 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 0x20 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 0x20-0x30 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range 0x30-0x20 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range -1-4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range -1--4 counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range not-port counter DROP")
+(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule tcp.sport range notport counter DROP")
diff --git a/tests/e2e/matchers/udp_dport.sh b/tests/e2e/matchers/udp_dport.sh
index 352d2f410..f88a1bae0 100755
--- a/tests/e2e/matchers/udp_dport.sh
+++ b/tests/e2e/matchers/udp_dport.sh
@@ -2,40 +2,40 @@ . "$(dirname "$0")"/../e2e_test_util.sh -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 0 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 40 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 65535 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 0 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 40 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 65535 counter DROP" -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq -40 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 0x40 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq -0x00 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 75000 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 0xffffff counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq not_a_port counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq -40 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 0x40 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq -0x00 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 75000 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq 0xffffff counter DROP") +(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport eq not_a_port counter DROP") -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not 0 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not 40 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not 65535 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not 0 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not 40 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not 65535 counter DROP" -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not -40 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not 0x40 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not -0x00 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not 75000 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not 0xffffff counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not not_a_port counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not -40 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not 0x40 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not -0x00 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not 75000 counter DROP") +(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not 0xffffff counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport not not_a_port counter DROP") -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 0-0 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 0-65535 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 17-30 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 0-0 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 0-65535 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 17-30 counter DROP" -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 0 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 20-10 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 10-20-30 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 10000000-1000000 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 0x20 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 0x20-0x30 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 0x30-0x20 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range -1-4 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range -1--4 counter DROP") -(! 
bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range not-port counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range notport counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 0 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 20-10 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 10-20-30 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 10000000-1000000 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 0x20 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 0x20-0x30 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range 0x30-0x20 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range -1-4 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range -1--4 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range not-port counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.dport range notport counter DROP") diff --git a/tests/e2e/matchers/udp_sport.sh b/tests/e2e/matchers/udp_sport.sh index 6873568b5..dad61af68 100755 --- a/tests/e2e/matchers/udp_sport.sh +++ b/tests/e2e/matchers/udp_sport.sh 
@@ -2,40 +2,40 @@ . "$(dirname "$0")"/../e2e_test_util.sh -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 0 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 40 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 65535 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 0 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 40 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 65535 counter DROP" -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq -40 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 0x40 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq -0x00 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 75000 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 0xffffff counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq not_a_port counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq -40 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 0x40 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq -0x00 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 75000 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq 0xffffff counter DROP") +(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport eq not_a_port counter DROP") -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not 0 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not 40 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not 65535 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not 0 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not 40 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not 65535 counter DROP" -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not -40 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not 0x40 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not -0x00 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not 75000 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not 0xffffff counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not not_a_port counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not -40 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not 0x40 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not -0x00 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not 75000 counter DROP") +(! 
${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not 0xffffff counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport not not_a_port counter DROP") -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 0-0 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 0-65535 counter DROP" -bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 17-30 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 0-0 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 0-65535 counter DROP" +${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 17-30 counter DROP" -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 0 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 20-10 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 10-20-30 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 10000000-1000000 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 0x20 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 0x20-0x30 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 0x30-0x20 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range -1-4 counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range -1--4 counter DROP") -(! 
bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range not-port counter DROP") -(! bfcli ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range notport counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 0 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 20-10 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 10-20-30 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 10000000-1000000 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 0x20 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 0x20-0x30 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range 0x30-0x20 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range -1-4 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range -1--4 counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range not-port counter DROP") +(! ${BFCLI} ruleset set --dry-run --from-str "chain xdp BF_HOOK_XDP ACCEPT rule udp.sport range notport counter DROP") diff --git a/tests/e2e/namespace/host_to_netns.sh b/tests/e2e/namespace/host_to_netns.sh new file mode 100755 index 000000000..3a34d72f1 --- /dev/null +++ b/tests/e2e/namespace/host_to_netns.sh 
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+. "$(dirname "$0")"/../e2e_test_util.sh
+
+make_sandbox
+
+(! ${FROM_NS} ${BFCLI} ruleset set --from-str "chain xdp BF_HOOK_XDP{ifindex=${HOST_IFINDEX}} ACCEPT rule ip4.proto icmp log link counter DROP")
+ping -c 1 -W 0.1 ${NS_IP_ADDR}
+${FROM_NS} ${BFCLI} ruleset set --from-str "chain xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp counter DROP"
+(! ping -c 1 -W 0.1 ${NS_IP_ADDR})
+${FROM_NS} ${BFCLI} chain get --name xdp | awk '/ip4.proto eq icmp/{getline; print $2}' | grep -q "^1$" && exit 0 || exit 1
+${FROM_NS} ${BFCLI} ruleset flush
\ No newline at end of file
diff --git a/tests/e2e/namespace/netns_to_host.sh b/tests/e2e/namespace/netns_to_host.sh
new file mode 100755
index 000000000..afcb2a0a4
--- /dev/null
+++ b/tests/e2e/namespace/netns_to_host.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+. "$(dirname "$0")"/../e2e_test_util.sh
+
+make_sandbox
+
+(! ${FROM_NS} ${BFCLI} ruleset set --from-str "chain xdp BF_HOOK_XDP{ifindex=${HOST_IFINDEX}} ACCEPT rule ip4.proto icmp log link,transport counter DROP")
+${FROM_NS} ping -c 1 -W 0.1 ${HOST_IP_ADDR}
+${FROM_NS} ${BFCLI} ruleset set --from-str "chain tc BF_HOOK_TC_INGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp log link,internet counter DROP"
+(! ping -c 1 -W 0.1 ${NS_IP_ADDR})
+${FROM_NS} ${BFCLI} chain get --name tc | awk '/log link,internet/{getline; print $2}' | grep -q "^1$"
+${FROM_NS} ${BFCLI} ruleset flush
diff --git a/tests/e2e/persistence/pin_updated_chain.sh b/tests/e2e/persistence/pin_updated_chain.sh
new file mode 100755
index 000000000..aae94cff3
--- /dev/null
+++ b/tests/e2e/persistence/pin_updated_chain.sh
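Review bot: In host_to_netns.sh the `&& exit 0 || exit 1` appended to the `chain get` line terminates the script before the final `ruleset flush`, so the XDP chain attached to the namespace interface is never flushed on either outcome, and the new side of the icmp_tc.sh and icmp_xdp.sh hunks carries the same unreachable flush. The sibling netns_to_host.sh in this same hunk already shows the intended shape, a bare `grep -q "^1$"` followed by the flush, which presumably relies on errexit being enabled by e2e_test_util.sh given that the `(! …)` negative checks only fail the script under errexit. Suggest `${FROM_NS} ${BFCLI} chain get --name xdp | awk '/ip4.proto eq icmp/{getline; print $2}' | grep -q "^1$"` so the flush stays reachable. Separately, netns_to_host.sh's negative check pings `${NS_IP_ADDR}` from the host rather than from the namespace, which reads as host-to-netns traffic; if the TC ingress chain is meant to drop the reply of a namespace-originated ping, a one-line comment saying so would avoid the apparent mismatch with the file name.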
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+. "$(dirname "$0")"/../e2e_test_util.sh
+
+make_sandbox
+
+PINNED_PROG="${WORKDIR}/bpf/bpfilter/test_chain/bf_prog"
+
+# Create attached chain, verify filtering and pinned program
+${FROM_NS} ${BFCLI} chain set --from-str "chain test_chain BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT"
+ping -c 1 -W 0.1 ${NS_IP_ADDR}
+${FROM_NS} ${BFCLI} ruleset get | grep "^chain" | awk 'END{exit NR!=1}'
+${FROM_NS} test -e ${PINNED_PROG}
+
+# Update chain, verify pinned program persists
+${FROM_NS} ${BFCLI} chain update --from-str "chain test_chain BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule meta.l4_proto eq icmp DROP"
+(! ping -c 1 -W 0.1 ${NS_IP_ADDR})
+${FROM_NS} ${BFCLI} ruleset get | grep "^chain" | awk 'END{exit NR!=1}'
+${FROM_NS} test -e ${PINNED_PROG}
+
+# Chain is still discoverable from bpffs after update
+${FROM_NS} ${BFCLI} ruleset get | grep "^chain" | awk 'END{exit NR!=1}'
+${FROM_NS} test -e ${PINNED_PROG}
+
+${FROM_NS} ${BFCLI} chain flush --name test_chain
diff --git a/tests/e2e/persistence/restore_attached.sh b/tests/e2e/persistence/restore_attached.sh
new file mode 100755
index 000000000..f8c125320
--- /dev/null
+++ b/tests/e2e/persistence/restore_attached.sh
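Review bot: The block under `# Chain is still discoverable from bpffs after update` repeats the two checks that immediately precede it with no state change in between, so it cannot fail where the previous block passed. If the intent is to prove rediscovery by a fresh process, each `${BFCLI}` call already appears to be a standalone process now that `start_bpfilter` is removed from the other scripts in this commit, so the second block covers that; either drop the third block or change its comment to name what actually differs. `${PINNED_PROG}` is also unquoted in the `test -e` checks although it derives from `${WORKDIR}`; `${FROM_NS} test -e "${PINNED_PROG}"` keeps the check intact if the work directory ever contains whitespace.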
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+. "$(dirname "$0")"/../e2e_test_util.sh
+
+make_sandbox
+
+# Create and attach chain, verify filtering works
+${FROM_NS} ${BFCLI} chain set --from-str "chain test_chain BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT"
+ping -c 1 -W 0.1 ${NS_IP_ADDR}
+
+# Chain is discoverable from bpffs with correct ifindex
+chain_output=$(${FROM_NS} ${BFCLI} chain get --name test_chain)
+echo "$chain_output"
+echo "$chain_output" | grep -q "ifindex=${NS_IFINDEX}"
+
+# Attached chain with sets: set elements and filtering persist
+${FROM_NS} ${BFCLI} chain set --from-str "chain test_chain BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT
+ set myset (ip4.saddr) in { ${HOST_IP_ADDR}; 192.168.1.2 }
+ set empty_set (ip4.saddr) in {}
+ rule (ip4.saddr) in myset counter DROP
+ rule (ip4.saddr) in empty_set ACCEPT"
+(! ping -c 1 -W 0.1 ${NS_IP_ADDR})
+
+# Chain with sets is discoverable from bpffs
+chain_output=$(${FROM_NS} ${BFCLI} chain get --name test_chain)
+echo "$chain_output"
+echo "$chain_output" | grep -q "${HOST_IP_ADDR}"
+echo "$chain_output" | grep -q "192.168.1.2"
+echo "$chain_output" | grep -q "empty_set"
+(! ping -c 1 -W 0.1 ${NS_IP_ADDR})
+
+${FROM_NS} ${BFCLI} chain flush --name test_chain
diff --git a/tests/e2e/persistence/restore_non_attached.sh b/tests/e2e/persistence/restore_non_attached.sh
new file mode 100755
index 000000000..5cfd02538
--- /dev/null
+++ b/tests/e2e/persistence/restore_non_attached.sh
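Review bot: The `grep -q "${HOST_IP_ADDR}"` and `grep -q "192.168.1.2"` checks on the `chain get` output treat the address as a basic regex, so each dot matches any character and the pattern also accepts a longer address of which it is a prefix; a fixed-string, whole-token match is what the test means. Suggest `echo "$chain_output" | grep -qwF "${HOST_IP_ADDR}"` and `echo "$chain_output" | grep -qwF "192.168.1.2"`; the same greps appear in the restore_non_attached.sh hunk that follows. The second `(! ping …)` after the greps duplicates the one directly after the `chain set`; if it is there to confirm that `chain get` does not disturb the attachment, a comment saying so would make the repetition read as deliberate rather than accidental.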
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+. "$(dirname "$0")"/../e2e_test_util.sh
+
+make_sandbox
+
+# Create non-attached chain, verify discovery and attachment
+${FROM_NS} ${BFCLI} chain set --from-str "chain test_chain BF_HOOK_XDP ACCEPT"
+${FROM_NS} ${BFCLI} chain attach --name test_chain --option ifindex=${NS_IFINDEX}
+
+# Non-attached chain with sets: set elements persist, chain can be attached
+${FROM_NS} ${BFCLI} chain set --from-str "chain test_chain BF_HOOK_XDP ACCEPT
+ set myset (ip4.saddr) in { ${HOST_IP_ADDR}; 192.168.1.2 }
+ set empty_set (ip4.saddr) in {}
+ rule (ip4.saddr) in myset counter DROP
+ rule (ip4.saddr) in empty_set ACCEPT"
+ping -c 1 -W 0.1 ${NS_IP_ADDR}
+
+# Chain with sets is discoverable from bpffs
+chain_output=$(${FROM_NS} ${BFCLI} chain get --name test_chain)
+echo "$chain_output"
+echo "$chain_output" | grep -q "${HOST_IP_ADDR}"
+echo "$chain_output" | grep -q "192.168.1.2"
+echo "$chain_output" | grep -q "empty_set"
+
+# Attach and verify filtering works
+${FROM_NS} ${BFCLI} chain attach --name test_chain --option ifindex=${NS_IFINDEX}
+(! ping -c 1 -W 0.1 ${NS_IP_ADDR})
+
+${FROM_NS} ${BFCLI} chain flush --name test_chain
diff --git a/tests/e2e/rules/action_order.sh b/tests/e2e/rules/action_order.sh
index fe9224820..e810e6a9c 100755
--- a/tests/e2e/rules/action_order.sh
+++ b/tests/e2e/rules/action_order.sh
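Review bot: The first block's comment promises to "verify discovery and attachment", but nothing after the `chain attach` line checks either; the script proceeds straight to redefining the chain. Mirroring restore_attached.sh, `${FROM_NS} ${BFCLI} chain get --name test_chain | grep -q "ifindex=${NS_IFINDEX}"` placed after the attach would make the claim testable. The successful `ping` following the second `chain set` also appears to rely on a `chain set` whose hook carries no `{ifindex=…}` option replacing the previously attached chain with a detached one; stating that in the `# Non-attached chain with sets` comment would spare the next reader from expecting the earlier attachment to still be in effect.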
@@ -3,12 +3,11 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter -(! ${FROM_NS} bfcli chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp counter counter DROP") -(! ${FROM_NS} bfcli chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp counter log link log link DROP") -${FROM_NS} bfcli chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp DROP" -${FROM_NS} bfcli chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp log link DROP" -${FROM_NS} bfcli chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp counter DROP" -${FROM_NS} bfcli chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp log link counter DROP" -${FROM_NS} bfcli chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp counter log link DROP" \ No newline at end of file +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp counter counter DROP") +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp counter log link log link DROP") +${FROM_NS} ${BFCLI} chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp DROP" +${FROM_NS} ${BFCLI} chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp log link DROP" +${FROM_NS} ${BFCLI} chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp counter DROP" +${FROM_NS} ${BFCLI} chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp log link counter DROP" +${FROM_NS} ${BFCLI} chain set --from-str "chain order BF_HOOK_XDP ACCEPT rule ip4.proto icmp counter log link DROP" \ No newline at end of file diff --git a/tests/e2e/rules/icmp_tc.sh b/tests/e2e/rules/icmp_tc.sh index 9614c6130..d8edcc9b8 100755 --- a/tests/e2e/rules/icmp_tc.sh +++ b/tests/e2e/rules/icmp_tc.sh 
@@ -3,10 +3,9 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter ${FROM_NS} ping -c 1 -W 0.1 ${NS_IP_ADDR} -${FROM_NS} bfcli ruleset set --from-str "chain xdp BF_HOOK_TC_INGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule icmp.type eq echo-request icmp.code eq 0 counter DROP" +${FROM_NS} ${BFCLI} ruleset set --from-str "chain xdp BF_HOOK_TC_INGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule icmp.type eq echo-request icmp.code eq 0 counter DROP" (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) -${FROM_NS} bfcli chain get --name xdp | awk '/icmp.code eq 0/{getline; print $2}' | grep -q "^1$" && exit 0 || exit 1 -${FROM_NS} bfcli ruleset flush \ No newline at end of file +${FROM_NS} ${BFCLI} chain get --name xdp | awk '/icmp.code eq 0/{getline; print $2}' | grep -q "^1$" && exit 0 || exit 1 +${FROM_NS} ${BFCLI} ruleset flush \ No newline at end of file diff --git a/tests/e2e/rules/icmp_xdp.sh b/tests/e2e/rules/icmp_xdp.sh index fd17b1b71..32c8692bd 100755 --- a/tests/e2e/rules/icmp_xdp.sh +++ b/tests/e2e/rules/icmp_xdp.sh @@ -3,10 +3,9 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter ${FROM_NS} ping -c 1 -W 0.1 ${NS_IP_ADDR} -${FROM_NS} bfcli ruleset set --from-str "chain xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule icmp.type eq echo-request icmp.code eq 0 log transport,internet counter DROP" +${FROM_NS} ${BFCLI} ruleset set --from-str "chain xdp BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule icmp.type eq echo-request icmp.code eq 0 log transport,internet counter DROP" (! ping -c 1 -W 0.1 ${NS_IP_ADDR}) -${FROM_NS} bfcli chain get --name xdp | awk '/log internet,transport/{getline; print $2}' | grep -q "^1$" && exit 0 || exit 1 -${FROM_NS} bfcli ruleset flush \ No newline at end of file +${FROM_NS} ${BFCLI} chain get --name xdp | awk '/log internet,transport/{getline; print $2}' | grep -q "^1$" && exit 0 || exit 1 +${FROM_NS} ${BFCLI} ruleset flush \ No newline at end of file 
diff --git a/tests/e2e/rules/log.sh b/tests/e2e/rules/log.sh index 00f0adc2e..0fb9bec9b 100755 --- a/tests/e2e/rules/log.sh +++ b/tests/e2e/rules/log.sh @@ -3,11 +3,10 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter -(! ${FROM_NS} bfcli chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log counter DROP") -(! ${FROM_NS} bfcli chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log ip counter DROP") -${FROM_NS} bfcli chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log link counter DROP" -${FROM_NS} bfcli chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log link,internet counter DROP" -${FROM_NS} bfcli chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log link,transport counter DROP" -${FROM_NS} bfcli chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log internet,link counter DROP" \ No newline at end of file +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log counter DROP") +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log ip counter DROP") +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log link counter DROP" +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log link,internet counter DROP" +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log link,transport counter DROP" +${FROM_NS} ${BFCLI} chain set --from-str "chain chain_load_xdp_3 BF_HOOK_XDP ACCEPT rule ip4.proto icmp log internet,link counter DROP" \ No newline at end of file diff --git a/tests/e2e/rules/mark.sh b/tests/e2e/rules/mark.sh index 3b36e03c9..d5ad3571d 100755 --- a/tests/e2e/rules/mark.sh 
+++ b/tests/e2e/rules/mark.sh 
@@ -3,14 +3,13 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter -(! ${FROM_NS} bfcli chain set --from-str "chain xdp_mark BF_HOOK_XDP ACCEPT rule ip4.proto icmp mark 0x16 DROP") -(! ${FROM_NS} bfcli chain set --from-str "chain xdp_mark BF_HOOK_NF_LOCAL_IN ACCEPT rule ip4.proto icmp mark 0x16 DROP") -(! ${FROM_NS} bfcli chain set --from-str "chain xdp_mark BF_HOOK_TC_INGRESS ACCEPT rule ip4.proto icmp mark DROP") -(! ${FROM_NS} bfcli chain set --from-str "chain xdp_mark BF_HOOK_TC_INGRESS ACCEPT rule ip4.proto icmp mark 0x14aw DROP") -(! ${FROM_NS} bfcli chain set --from-str "chain xdp_mark BF_HOOK_TC_INGRESS ACCEPT rule ip4.proto icmp mark -3 DROP") -(! ${FROM_NS} bfcli chain set --from-str "chain xdp_mark BF_HOOK_TC_INGRESS ACCEPT rule ip4.proto icmp mark 0xffffffffff DROP") +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain xdp_mark BF_HOOK_XDP ACCEPT rule ip4.proto icmp mark 0x16 DROP") +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain xdp_mark BF_HOOK_NF_LOCAL_IN ACCEPT rule ip4.proto icmp mark 0x16 DROP") +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain xdp_mark BF_HOOK_TC_INGRESS ACCEPT rule ip4.proto icmp mark DROP") +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain xdp_mark BF_HOOK_TC_INGRESS ACCEPT rule ip4.proto icmp mark 0x14aw DROP") +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain xdp_mark BF_HOOK_TC_INGRESS ACCEPT rule ip4.proto icmp mark -3 DROP") +(! 
${FROM_NS} ${BFCLI} chain set --from-str "chain xdp_mark BF_HOOK_TC_INGRESS ACCEPT rule ip4.proto icmp mark 0xffffffffff DROP") -${FROM_NS} bfcli chain set --from-str "chain xdp_mark BF_HOOK_TC_INGRESS ACCEPT rule ip4.proto icmp mark 14 DROP" -${FROM_NS} bfcli chain set --from-str "chain xdp_mark BF_HOOK_TC_INGRESS ACCEPT rule ip4.proto icmp mark 0x14 DROP" \ No newline at end of file +${FROM_NS} ${BFCLI} chain set --from-str "chain xdp_mark BF_HOOK_TC_INGRESS ACCEPT rule ip4.proto icmp mark 14 DROP" +${FROM_NS} ${BFCLI} chain set --from-str "chain xdp_mark BF_HOOK_TC_INGRESS ACCEPT rule ip4.proto icmp mark 0x14 DROP" \ No newline at end of file diff --git a/tests/e2e/rules/redirect.sh b/tests/e2e/rules/redirect.sh index c353b300f..959d04d1e 100755 --- a/tests/e2e/rules/redirect.sh +++ b/tests/e2e/rules/redirect.sh 
@@ -3,23 +3,22 @@ . "$(dirname "$0")"/../e2e_test_util.sh get_counter() { - ${FROM_NS} bfcli chain get --name "$1" | awk '/counters [0-9]+ packets/{print $2}' + ${FROM_NS} ${BFCLI} chain get --name "$1" | awk '/counters [0-9]+ packets/{print $2}' } make_sandbox -start_bpfilter # Invalid: REDIRECT not supported for NF/cgroup_skb hooks, and XDP only supports 'out' -(! ${FROM_NS} bfcli chain set --from-str "chain c BF_HOOK_NF_LOCAL_IN{family=inet4,priorities=100-200} ACCEPT rule ip4.proto icmp REDIRECT 1 out") -(! ${FROM_NS} bfcli chain set --from-str "chain c BF_HOOK_CGROUP_SKB_INGRESS{cgpath=/sys/fs/cgroup} ACCEPT rule ip4.proto icmp REDIRECT 1 out") -(! ${FROM_NS} bfcli chain set --from-str "chain c BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT 1 in") -(! ${FROM_NS} bfcli chain set --from-str "chain c BF_HOOK_TC_INGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT nonexistent_iface in") +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain c BF_HOOK_NF_LOCAL_IN{family=inet4,priorities=100-200} ACCEPT rule ip4.proto icmp REDIRECT 1 out") +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain c BF_HOOK_CGROUP_SKB_INGRESS{cgpath=/sys/fs/cgroup} ACCEPT rule ip4.proto icmp REDIRECT 1 out") +(! ${FROM_NS} ${BFCLI} chain set --from-str "chain c BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT 1 in") +(! 
${FROM_NS} ${BFCLI} chain set --from-str "chain c BF_HOOK_TC_INGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT nonexistent_iface in") # Valid: TC both directions, XDP 'out', with ifindex or interface name -${FROM_NS} bfcli chain set --from-str "chain c1 BF_HOOK_TC_INGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT 1 in" -${FROM_NS} bfcli chain set --from-str "chain c2 BF_HOOK_TC_EGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT lo out" -${FROM_NS} bfcli chain set --from-str "chain c3 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT 1 out" -${FROM_NS} bfcli ruleset flush +${FROM_NS} ${BFCLI} chain set --from-str "chain c1 BF_HOOK_TC_INGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT 1 in" +${FROM_NS} ${BFCLI} chain set --from-str "chain c2 BF_HOOK_TC_EGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT lo out" +${FROM_NS} ${BFCLI} chain set --from-str "chain c3 BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT 1 out" +${FROM_NS} ${BFCLI} ruleset flush # Create veth pair: packets egressing redir0 arrive at redir1's ingress ${FROM_NS} ip link add redir0 type veth peer name redir1 
@@ -29,27 +28,27 @@ REDIR0_IFINDEX=$(${FROM_NS} ip -o link show redir0 | awk '{print $1}' | cut -d: REDIR1_IFINDEX=$(${FROM_NS} ip -o link show redir1 | awk '{print $1}' | cut -d: -f1) # XDP redirect: packets on veth_ns redirected out redir0, counted at redir1 -${FROM_NS} bfcli chain set --from-str "chain cnt BF_HOOK_XDP{ifindex=${REDIR1_IFINDEX}} ACCEPT rule ip4.proto icmp counter ACCEPT" -${FROM_NS} bfcli chain set --from-str "chain redir BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT ${REDIR0_IFINDEX} out" +${FROM_NS} ${BFCLI} chain set --from-str "chain cnt BF_HOOK_XDP{ifindex=${REDIR1_IFINDEX}} ACCEPT rule ip4.proto icmp counter ACCEPT" +${FROM_NS} ${BFCLI} chain set --from-str "chain redir BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT ${REDIR0_IFINDEX} out" test "$(get_counter cnt)" = "0" ping -c 1 -W 1 ${NS_IP_ADDR} || true test "$(get_counter cnt)" = "1" -${FROM_NS} bfcli ruleset flush +${FROM_NS} ${BFCLI} ruleset flush # TC ingress redirect: packets redirected to redir0's ingress -${FROM_NS} bfcli chain set --from-str "chain cnt BF_HOOK_TC_INGRESS{ifindex=${REDIR0_IFINDEX}} ACCEPT rule ip4.proto icmp counter ACCEPT" -${FROM_NS} bfcli chain set --from-str "chain redir BF_HOOK_TC_INGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT ${REDIR0_IFINDEX} in" +${FROM_NS} ${BFCLI} chain set --from-str "chain cnt BF_HOOK_TC_INGRESS{ifindex=${REDIR0_IFINDEX}} ACCEPT rule ip4.proto icmp counter ACCEPT" +${FROM_NS} ${BFCLI} chain set --from-str "chain redir BF_HOOK_TC_INGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT ${REDIR0_IFINDEX} in" test "$(get_counter cnt)" = "0" ping -c 1 -W 1 ${NS_IP_ADDR} || true test "$(get_counter cnt)" = "1" -${FROM_NS} bfcli ruleset flush +${FROM_NS} ${BFCLI} ruleset flush # TC egress redirect with interface name: packets redirected out redir0, counted at redir1 -${FROM_NS} bfcli chain set --from-str "chain cnt BF_HOOK_TC_INGRESS{ifindex=${REDIR1_IFINDEX}} 
ACCEPT rule ip4.proto icmp counter ACCEPT" -${FROM_NS} bfcli chain set --from-str "chain redir BF_HOOK_TC_EGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT redir0 out" +${FROM_NS} ${BFCLI} chain set --from-str "chain cnt BF_HOOK_TC_INGRESS{ifindex=${REDIR1_IFINDEX}} ACCEPT rule ip4.proto icmp counter ACCEPT" +${FROM_NS} ${BFCLI} chain set --from-str "chain redir BF_HOOK_TC_EGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT redir0 out" test "$(get_counter cnt)" = "0" ping -c 1 -W 1 ${NS_IP_ADDR} || true test "$(get_counter cnt)" = "1" -${FROM_NS} bfcli ruleset flush +${FROM_NS} ${BFCLI} ruleset flush ${FROM_NS} ip link del redir0 diff --git a/tests/e2e/rulesets/rulesets.sh b/tests/e2e/rulesets/rulesets.sh index c929c727e..4186a157e 100755 --- a/tests/e2e/rulesets/rulesets.sh +++ b/tests/e2e/rulesets/rulesets.sh @@ -3,8 +3,7 @@ . "$(dirname "$0")"/../e2e_test_util.sh make_sandbox -start_bpfilter for file in "$(dirname -- "$0";)"/*.bf; do - ${FROM_NS} bfcli chain set --from-file ${file} + ${FROM_NS} ${BFCLI} chain set --from-file ${file} done \ No newline at end of file diff --git a/tests/fuzz/CMakeLists.txt b/tests/fuzz/CMakeLists.txt index 04573d183..9c4d0d376 100644 --- a/tests/fuzz/CMakeLists.txt +++ b/tests/fuzz/CMakeLists.txt @@ -7,8 +7,10 @@ set(CMAKE_CXX_COMPILER clang++) file(GLOB_RECURSE libbpfilter_fuzz_srcs ${CMAKE_SOURCE_DIR}/src/libbpfilter/*.h ${CMAKE_SOURCE_DIR}/src/libbpfilter/*.c ) +# BPF stub sources are compiled via ElfStubs, not as regular C files. +list(FILTER libbpfilter_fuzz_srcs EXCLUDE REGEX ".*/bpf/.*\\.bpf\\.c$") -add_executable(fuzz_parser +add_executable(fuzz_parser EXCLUDE_FROM_ALL ${CMAKE_CURRENT_SOURCE_DIR}/fuzz_parser.c ${CMAKE_SOURCE_DIR}/src/bfcli/helper.c ${CMAKE_SOURCE_DIR}/src/bfcli/ruleset.c 
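Review bot: `add_executable(fuzz_parser EXCLUDE_FROM_ALL ...)` combined with the `--label-exclude;fuzzing` added to `CMAKE_CTEST_ARGUMENTS` in the top-level CMakeLists.txt means the fuzzer is neither built nor run by a default build-and-test cycle, and nothing in this file says how to build it on demand, so it can silently rot. A comment above the target would fix that: `# Not built by default (EXCLUDE_FROM_ALL) and presumably skipped by plain ctest via the 'fuzzing' label; build with: cmake --build . --target fuzz_parser`. The `list(FILTER ...)` just above is correct as written, but note that the exclusion only matches `.bpf.c` files under a `bpf/` directory; a stub placed elsewhere would still be fed to clang as a host C file, which is worth a clause in its comment if that layout is a convention rather than enforced.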
@@ -16,6 +18,7 @@ add_executable(fuzz_parser ${CMAKE_BINARY_DIR}/src/bfcli/generated/lexer.c ${libbpfilter_fuzz_srcs} ${CMAKE_SOURCE_DIR}/src/external/mpack.c + ${CMAKE_SOURCE_DIR}/src/external/disasm.c ) target_compile_options(fuzz_parser @@ -39,6 +42,7 @@ target_include_directories(fuzz_parser ${CMAKE_SOURCE_DIR}/src/libbpfilter ${CMAKE_SOURCE_DIR}/src/libbpfilter/include ${CMAKE_BINARY_DIR}/src/libbpfilter/include + ${CMAKE_BINARY_DIR}/src/libbpfilter/elfstubs/src ${CMAKE_BINARY_DIR}/src/bfcli/include ) @@ -52,7 +56,7 @@ target_link_libraries(fuzz_parser bpf ) -add_dependencies(fuzz_parser bfcli_parser bfcli_lexer) +add_dependencies(fuzz_parser bfcli_parser bfcli_lexer libbpfilter) file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/corpus) file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/findings) diff --git a/tests/harness/mock.h b/tests/harness/mock.h index 3fc375bb3..56377a7aa 100644 --- a/tests/harness/mock.h +++ b/tests/harness/mock.h @@ -52,7 +52,7 @@ * @endcode * * This module also defines convenience function to simulate a runtime - * environment such as creating a temporary file to serialize the daemon into. + * environment such as creating a temporary file to serialize the context into. MOCKING IS ONLY TO MOCK, not to trigger different code path during testing diff --git a/tests/unit/CMakeLists.txt b/tests/unit/CMakeLists.txt index 3bb77535f..9ee48c805 100644 --- a/tests/unit/CMakeLists.txt +++ b/tests/unit/CMakeLists.txt @@ -86,10 +86,7 @@ bf_add_c_test(unit libbpfilter/io.c) bf_add_c_test(unit libbpfilter/list.c) bf_add_c_test(unit libbpfilter/logger.c) bf_add_c_test(unit libbpfilter/matcher.c) -bf_add_c_test(unit libbpfilter/ns.c) bf_add_c_test(unit libbpfilter/pack.c) -bf_add_c_test(unit libbpfilter/request.c) -bf_add_c_test(unit libbpfilter/response.c) bf_add_c_test(unit libbpfilter/rule.c) bf_add_c_test(unit libbpfilter/set.c) bf_add_c_test(unit libbpfilter/verdict.c) 
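Review bot: `add_dependencies(fuzz_parser bfcli_parser bfcli_lexer libbpfilter)` now makes the fuzzer wait for the whole `libbpfilter` target even though it compiles the library's sources itself through `libbpfilter_fuzz_srcs`, so a reader will assume the dependency is redundant. The only visible reason is the new include path `${CMAKE_BINARY_DIR}/src/libbpfilter/elfstubs/src` in the previous hunk, which suggests headers generated during the library build. Say so at the `add_dependencies` line, e.g. `# libbpfilter is listed only so the generated ElfStubs headers under elfstubs/src exist before fuzz_parser compiles; it is not linked.` — adjust if the dependency also covers something else.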
diff --git a/tests/unit/libbpfilter/cli.c b/tests/unit/libbpfilter/cli.c index 3bcabea2b..325a85761 100644 --- a/tests/unit/libbpfilter/cli.c +++ b/tests/unit/libbpfilter/cli.c @@ -14,21 +14,6 @@ #include "fake.h" #include "test.h" -static void ruleset_get(void **state) -{ - (void)state; - - _clean_bf_list_ bf_list chains = - bf_list_default(bf_chain_free, bf_chain_pack); - _clean_bf_list_ bf_list hookopts = - bf_list_default(bf_hookopts_free, bf_hookopts_pack); - _clean_bf_list_ bf_list counters = - bf_list_default((bf_list_ops_free)bf_list_free, NULL); - - // Can't connect to daemon during unit tests - assert_err(bf_ruleset_get(&chains, &hookopts, &counters)); -} - static void ruleset_set(void **state) { (void)state; @@ -41,43 +26,6 @@ static void ruleset_set(void **state) // Mismatched list sizes should fail assert_ok(bf_list_add_tail(&chains, bft_chain_dummy(false))); assert_int_equal(bf_ruleset_set(&chains, &hookopts), -EINVAL); - - // Can't connect to daemon during unit tests - assert_ok(bf_list_add_tail(&hookopts, NULL)); - assert_err(bf_ruleset_set(&chains, &hookopts)); -} - -static void ruleset_flush(void **state) -{ - (void)state; - - // Can't connect to daemon during unit tests - assert_err(bf_ruleset_flush()); -} - -static void chain_set(void **state) -{ - (void)state; - - _free_bf_chain_ struct bf_chain *chain = bft_chain_dummy(false); - - assert_non_null(chain); - - // Can't connect to daemon during unit tests - assert_err(bf_chain_set(chain, NULL)); -} - -static void chain_get(void **state) -{ - (void)state; - - _free_bf_chain_ struct bf_chain *chain = NULL; - _free_bf_hookopts_ struct bf_hookopts *hookopts = NULL; - _clean_bf_list_ bf_list counters = - bf_list_default(bf_counter_free, bf_counter_pack); - - // Can't connect to daemon during unit tests - assert_err(bf_chain_get("test_chain", &chain, &hookopts, &counters)); } static void chain_prog_fd(void **state) 
@@ -86,9 +34,6 @@ static void chain_prog_fd(void **state) // NULL name should fail assert_int_equal(bf_chain_prog_fd(NULL), -EINVAL); - - // Can't connect to daemon during unit tests - assert_err(bf_chain_prog_fd("test_chain")); } static void chain_logs_fd(void **state) 
@@ -97,65 +42,14 @@ static void chain_logs_fd(void **state) // NULL name should fail assert_int_equal(bf_chain_logs_fd(NULL), -EINVAL); - - // Can't connect to daemon during unit tests - assert_err(bf_chain_logs_fd("test_chain")); -} - -static void chain_load(void **state) -{ - (void)state; - - _free_bf_chain_ struct bf_chain *chain = bft_chain_dummy(false); - - assert_non_null(chain); - - // Can't connect to daemon during unit tests - assert_err(bf_chain_load(chain)); -} - -static void chain_attach(void **state) -{ - (void)state; - - _free_bf_hookopts_ struct bf_hookopts *hookopts = NULL; - - assert_ok(bf_hookopts_new(&hookopts)); - assert_non_null(hookopts); - - // Can't connect to daemon during unit tests - assert_err(bf_chain_attach("test_chain", hookopts)); -} - -static void chain_update(void **state) -{ - (void)state; - - _free_bf_chain_ struct bf_chain *chain = bft_chain_dummy(false); - - assert_non_null(chain); - - // Can't connect to daemon during unit tests - assert_err(bf_chain_update(chain)); -} - -static void chain_flush(void **state) -{ - (void)state; - - // Can't connect to daemon during unit tests - assert_err(bf_chain_flush("test_chain")); } int main(void) { const struct CMUnitTest tests[] = { - cmocka_unit_test(ruleset_get), cmocka_unit_test(ruleset_set), - cmocka_unit_test(ruleset_flush), cmocka_unit_test(chain_set), - cmocka_unit_test(chain_get), cmocka_unit_test(chain_prog_fd), - cmocka_unit_test(chain_logs_fd), cmocka_unit_test(chain_load), - cmocka_unit_test(chain_attach), cmocka_unit_test(chain_update), - cmocka_unit_test(chain_flush), + cmocka_unit_test(ruleset_set), + cmocka_unit_test(chain_prog_fd), + cmocka_unit_test(chain_logs_fd), }; return cmocka_run_group_tests(tests, NULL, NULL); diff --git a/tests/unit/libbpfilter/io.c b/tests/unit/libbpfilter/io.c index ff5e9a756..67cc1a173 100644 --- a/tests/unit/libbpfilter/io.c +++ b/tests/unit/libbpfilter/io.c 
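Review bot: After this hunk (and the two preceding ones in this file) the remaining tests `ruleset_set`, `chain_prog_fd` and `chain_logs_fd` assert only argument validation (`NULL` name and mismatched list sizes → `-EINVAL`); the deleted `assert_err(...)` calls were the only ones that reached the bodies of `bf_chain_prog_fd`, `bf_chain_logs_fd` and `bf_ruleset_set`, so their main paths now have no unit coverage at all. If the in-process implementation reports a chain that does not exist as an error without needing BPF privileges, `assert_err(bf_chain_prog_fd("nonexistent_chain"));` next to the `NULL` check would keep a cheap negative path under test. If it does need privileges, a comment at `main` stating that the functional paths are exercised by `tests/e2e` would document the gap instead of leaving it implicit.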
@@ -8,147 +8,9 @@ #include #include #include -#include -#include -#include -#include - -#include "fake.h" #include "test.h" -#define BFT_RANDOM_PAYLOAD_SIZE 4096 - -static void connect_to_daemon(void **state) -{ - (void)state; - - // Can't connect to daemon during unit tests, so it should fail - assert_err(bf_connect_to_daemon()); -} - -static void send_and_recv_small(void **state) -{ - const char *input = "Even the darkest night will end"; - const char *output = "and the sun will rise"; - - struct bft_sockets *sockets = *(struct bft_sockets **)state; - pid_t pid; - - assert_non_null(input); - assert_non_null(output); - assert_int_gte(pid = fork(), 0); - - if (pid != 0) { - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - - assert_ok(bf_recv_request(sockets->server_fd, &request)); - assert_string_equal(bf_request_data(request), input); - - assert_ok( - bf_response_new_success(&response, output, strlen(output) + 1)); - assert_ok(bf_send_response(sockets->server_fd, response)); - - waitpid(pid, NULL, 0); - } else { - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - - assert_ok(bf_request_new(&request, BF_REQ_CHAIN_GET, input, - strlen(input) + 1)); - assert_ok(bf_send(sockets->client_fd, request, &response, NULL)); - - assert_string_equal(bf_response_data(response), output); - - exit(0); - } -} - -static void send_and_recv_big(void **state) -{ - _cleanup_free_ const char *input = - bft_get_randomly_filled_buffer(BFT_RANDOM_PAYLOAD_SIZE); - _cleanup_free_ const char *output = - bft_get_randomly_filled_buffer(BFT_RANDOM_PAYLOAD_SIZE); - - struct bft_sockets *sockets = *(struct bft_sockets **)state; - pid_t pid; - - assert_non_null(input); - assert_non_null(output); - assert_int_gte(pid = fork(), 0); - - if (pid != 0) { - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - - 
assert_ok(bf_recv_request(sockets->server_fd, &request)); - assert_string_equal(bf_request_data(request), input); - - assert_ok( - bf_response_new_success(&response, output, strlen(output) + 1)); - assert_ok(bf_send_response(sockets->server_fd, response)); - - waitpid(pid, NULL, 0); - } else { - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - - assert_ok(bf_request_new(&request, BF_REQ_CHAIN_GET, input, - strlen(input) + 1)); - assert_ok(bf_send(sockets->client_fd, request, &response, NULL)); - - assert_string_equal(bf_response_data(response), output); - - exit(0); - } -} - -static void send_and_recv_fd(void **state) -{ - _cleanup_free_ const char *input = - bft_get_randomly_filled_buffer(BFT_RANDOM_PAYLOAD_SIZE); - _cleanup_free_ const char *output = - bft_get_randomly_filled_buffer(BFT_RANDOM_PAYLOAD_SIZE); - struct bft_sockets *sockets = *(struct bft_sockets **)state; - _cleanup_close_ int sent_fd = -1; - _cleanup_close_ int recv_fd = -1; - pid_t pid; - - assert_non_null(input); - assert_non_null(output); - assert_int_gte(sent_fd = open("/dev/random", O_RDONLY), 0); - assert_int_gte(pid = fork(), 0); - - if (pid != 0) { - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - - assert_ok(bf_recv_request(sockets->server_fd, &request)); - assert_string_equal(bf_request_data(request), input); - - assert_ok(bf_send_fd(sockets->server_fd, sent_fd)); - assert_ok( - bf_response_new_success(&response, output, strlen(output) + 1)); - assert_ok(bf_send_response(sockets->server_fd, response)); - - waitpid(pid, NULL, 0); - } else { - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_response_ struct bf_response *response = NULL; - - assert_ok(bf_request_new(&request, BF_REQ_CHAIN_GET, input, - strlen(input) + 1)); - assert_ok(bf_send(sockets->client_fd, request, &response, &recv_fd)); - - assert_string_equal(bf_response_data(response), 
output); - assert_fd_equal(sent_fd, recv_fd); - - exit(0); - } -} - static void manage_dir(void **state) { _cleanup_close_ int fake_file_fd = -1; @@ -207,16 +69,6 @@ static void lock_file(void **state) int main(void) { const struct CMUnitTest tests[] = { - cmocka_unit_test(connect_to_daemon), - cmocka_unit_test_setup_teardown(send_and_recv_small, - btf_setup_create_sockets, - bft_teardown_close_sockets), - cmocka_unit_test_setup_teardown(send_and_recv_big, - btf_setup_create_sockets, - bft_teardown_close_sockets), - cmocka_unit_test_setup_teardown(send_and_recv_fd, - btf_setup_create_sockets, - bft_teardown_close_sockets), cmocka_unit_test_setup_teardown(manage_dir, btf_setup_create_tmpdir, bft_teardown_close_tmpdir), cmocka_unit_test_setup_teardown(lock_file, btf_setup_create_tmpdir, diff --git a/tests/unit/libbpfilter/ns.c b/tests/unit/libbpfilter/ns.c deleted file mode 100644 index 4b0ababce..000000000 --- a/tests/unit/libbpfilter/ns.c +++ /dev/null 
@@ -1,107 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -/* - * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. - */ - -#include -#include -#include -#include -#include - -#include - -#include "bpfilter/io.h" -#include "fake.h" -#include "mock.h" -#include "test.h" - -static void init_and_clean(void **state) -{ - _clean_bf_ns_ struct bf_ns ns = bf_ns_default(); - - (void)state; - - bf_ns_clean(&ns); - ns = bf_ns_default(); - - assert_ok(bf_ns_init(&ns, getpid())); - bf_ns_clean(&ns); - - assert_ok(bf_ns_init(&ns, getpid())); -} - -static void change_ns_same(void **state) -{ - _clean_bf_ns_ struct bf_ns ns = bf_ns_default(); - - (void)state; - - // Mock setns to avoid permission errors - _clean_bft_mock_ bft_mock mock = bft_mock_get(setns); - (void)mock; - - assert_ok(bf_ns_init(&ns, getpid())); - // Setting to same namespace should succeed (no actual setns calls needed - // when inodes match) - assert_ok(bf_ns_set(&ns, &ns)); -} - -static void change_ns_different(void **state) -{ - _clean_bf_ns_ struct bf_ns ns = bf_ns_default(); - struct bf_ns oldns = bf_ns_default(); - - (void)state; - - // Mock setns to avoid permission errors - _clean_bft_mock_ bft_mock mock = bft_mock_get(setns); - (void)mock; - - assert_ok(bf_ns_init(&ns, getpid())); - - // Set oldns to different inodes to force setns calls - oldns.net.inode = 0; - oldns.mnt.inode = 0; - - assert_ok(bf_ns_set(&ns, &oldns)); -} - -static void change_ns_no_oldns(void **state) -{ - _clean_bf_ns_ struct bf_ns ns = bf_ns_default(); - - (void)state; - - // Mock setns to avoid permission errors - _clean_bft_mock_ bft_mock mock = bft_mock_get(setns); - (void)mock; - - assert_ok(bf_ns_init(&ns, getpid())); - - // NULL oldns should force setns calls for both namespaces - assert_ok(bf_ns_set(&ns, NULL)); -} - -static void init_invalid_pid(void **state) -{ - _clean_bf_ns_ struct bf_ns ns = bf_ns_default(); - - (void)state; - - // Invalid PID should fail - assert_err(bf_ns_init(&ns, -1)); -} - -int 
main(void) -{ - const struct CMUnitTest tests[] = { - cmocka_unit_test(init_and_clean), - cmocka_unit_test(change_ns_same), - cmocka_unit_test(change_ns_different), - cmocka_unit_test(change_ns_no_oldns), - cmocka_unit_test(init_invalid_pid), - }; - - return cmocka_run_group_tests(tests, NULL, NULL); -} diff --git a/tests/unit/libbpfilter/request.c b/tests/unit/libbpfilter/request.c deleted file mode 100644 index 60e408118..000000000 --- a/tests/unit/libbpfilter/request.c +++ /dev/null 
@@ -1,255 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -/* - * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. - */ - -#include "bpfilter/request.h" - -#include -#include - -#include -#include - -#include "fake.h" -#include "test.h" - -static void new_request(void **state) -{ - _free_bf_request_ struct bf_request *request = NULL; - const char *data = "test data"; - size_t data_len = strlen(data) + 1; - - (void)state; - - // Create request with no data - assert_ok(bf_request_new(&request, BF_REQ_CHAIN_GET, NULL, 0)); - assert_non_null(request); - assert_int_equal(bf_request_cmd(request), BF_REQ_CHAIN_GET); - assert_int_equal(bf_request_data_len(request), 0); - - bf_request_free(&request); - assert_null(request); - - // Create request with data - assert_ok(bf_request_new(&request, BF_REQ_RULESET_SET, data, data_len)); - assert_non_null(request); - assert_int_equal(bf_request_cmd(request), BF_REQ_RULESET_SET); - assert_int_equal(bf_request_data_len(request), data_len); - assert_string_equal(bf_request_data(request), data); -} - -static void new_from_dynbuf(void **state) -{ - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_request_ struct bf_request *src = NULL; - _clean_bf_dynbuf_ struct bf_dynbuf dynbuf = bf_dynbuf_default(); - const char *data = "dynbuf test data"; - size_t data_len = strlen(data) + 1; - - (void)state; - - // Create a source request to copy into dynbuf - assert_ok(bf_request_new(&src, BF_REQ_CHAIN_SET, data, data_len)); - - // Write request to dynbuf - assert_ok(bf_dynbuf_write(&dynbuf, src, bf_request_size(src))); - - // Create request from dynbuf - assert_ok(bf_request_new_from_dynbuf(&request, &dynbuf)); - assert_non_null(request); - assert_int_equal(bf_request_cmd(request), BF_REQ_CHAIN_SET); - assert_int_equal(bf_request_data_len(request), data_len); - assert_string_equal(bf_request_data(request), data); - - // dynbuf should now be empty after taking ownership - assert_null(dynbuf.data); -} - -static void 
new_from_dynbuf_invalid(void **state) -{ - _free_bf_request_ struct bf_request *request = NULL; - _clean_bf_dynbuf_ struct bf_dynbuf dynbuf = bf_dynbuf_default(); - char small_data[4] = {0}; - - (void)state; - - // Too small dynbuf (less than sizeof(bf_request)) - assert_ok(bf_dynbuf_write(&dynbuf, small_data, sizeof(small_data))); - assert_err(bf_request_new_from_dynbuf(&request, &dynbuf)); -} - -static void new_from_pack(void **state) -{ - _free_bf_request_ struct bf_request *request = NULL; - _free_bf_wpack_ bf_wpack_t *pack = NULL; - const char *data = "packed data"; - - (void)state; - - // Create and populate a pack - assert_ok(bf_wpack_new(&pack)); - bf_wpack_kv_str(pack, "message", data); - - assert_true(bf_wpack_is_valid(pack)); - assert_ok(bf_request_new_from_pack(&request, BF_REQ_CUSTOM, pack)); - assert_non_null(request); - assert_int_equal(bf_request_cmd(request), BF_REQ_CUSTOM); - assert_int_gt(bf_request_data_len(request), 0); -} - -static void copy(void **state) -{ - _free_bf_request_ struct bf_request *src = NULL; - _free_bf_request_ struct bf_request *dest = NULL; - const char *data = "copy test data"; - size_t data_len = strlen(data) + 1; - - (void)state; - - // Copy request with data - assert_ok(bf_request_new(&src, BF_REQ_CHAIN_LOAD, data, data_len)); - assert_ok(bf_request_copy(&dest, src)); - - assert_non_null(dest); - assert_int_equal(bf_request_cmd(dest), bf_request_cmd(src)); - assert_int_equal(bf_request_data_len(dest), bf_request_data_len(src)); - assert_int_equal(bf_request_size(dest), bf_request_size(src)); - assert_string_equal(bf_request_data(dest), bf_request_data(src)); - - // Ensure it's a deep copy (different memory) - assert_ptr_not_equal(dest, src); - assert_ptr_not_equal(bf_request_data(dest), bf_request_data(src)); -} - -static void accessors(void **state) -{ - _free_bf_request_ struct bf_request *request = NULL; - const char *data = "accessor test"; - size_t data_len = strlen(data) + 1; - size_t expected_size; - - 
(void)state; - - assert_ok(bf_request_new(&request, BF_REQ_CHAIN_GET, data, data_len)); - - // Test bf_request_cmd - assert_int_equal(bf_request_cmd(request), BF_REQ_CHAIN_GET); - - // Test bf_request_data - assert_non_null(bf_request_data(request)); - assert_string_equal(bf_request_data(request), data); - - // Test bf_request_data_len - assert_int_equal(bf_request_data_len(request), data_len); - - // Test bf_request_size (should be struct size + data_len) - expected_size = bf_request_size(request); - assert_int_gt(expected_size, data_len); - - // Test bf_request_ns (initially NULL) - assert_null(bf_request_ns(request)); - - // Test bf_request_fd (initially 0) - assert_int_equal(bf_request_fd(request), 0); -} - -static void setters(void **state) -{ - _free_bf_request_ struct bf_request *request = NULL; - struct bf_ns *fake_ns = (struct bf_ns *)0xDEADBEEF; - - (void)state; - - assert_ok(bf_request_new(&request, BF_REQ_CHAIN_GET, NULL, 0)); - - // Test bf_request_set_ns - bf_request_set_ns(request, fake_ns); - assert_ptr_equal(bf_request_ns(request), fake_ns); - - // Test bf_request_set_fd - bf_request_set_fd(request, 42); - assert_int_equal(bf_request_fd(request), 42); -} - -static void size_calculation(void **state) -{ - _free_bf_request_ struct bf_request *request1 = NULL; - _free_bf_request_ struct bf_request *request2 = NULL; - const char *small_data = "x"; - const char *large_data = "this is a much larger piece of data for testing"; - - (void)state; - - assert_ok(bf_request_new(&request1, BF_REQ_CHAIN_GET, small_data, - strlen(small_data) + 1)); - assert_ok(bf_request_new(&request2, BF_REQ_CHAIN_GET, large_data, - strlen(large_data) + 1)); - - // Larger data should result in larger size - assert_int_gt(bf_request_size(request2), bf_request_size(request1)); - - // Size difference should match data length difference - size_t size_diff = bf_request_size(request2) - bf_request_size(request1); - size_t data_diff = - bf_request_data_len(request2) - 
bf_request_data_len(request1); - assert_int_equal(size_diff, data_diff); -} - -static void cmd_to_str(void **state) -{ - (void)state; - - // Test all command strings - assert_non_null(bf_request_cmd_to_str(BF_REQ_RULESET_FLUSH)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_RULESET_GET)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_RULESET_SET)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_CHAIN_SET)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_CHAIN_GET)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_CHAIN_LOAD)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_CHAIN_ATTACH)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_CHAIN_UPDATE)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_CHAIN_PROG_FD)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_CHAIN_LOGS_FD)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_CHAIN_FLUSH)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_CHAIN_UPDATE_SET)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_COUNTERS_SET)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_COUNTERS_GET)); - assert_non_null(bf_request_cmd_to_str(BF_REQ_CUSTOM)); - - // Verify specific strings - assert_string_equal(bf_request_cmd_to_str(BF_REQ_CHAIN_GET), - "BF_REQ_CHAIN_GET"); - assert_string_equal(bf_request_cmd_to_str(BF_REQ_CHAIN_UPDATE_SET), - "BF_REQ_CHAIN_UPDATE_SET"); - assert_string_equal(bf_request_cmd_to_str(BF_REQ_CUSTOM), "BF_REQ_CUSTOM"); -} - -static void free_null(void **state) -{ - struct bf_request *request = NULL; - - (void)state; - - // Freeing NULL pointer should not crash - bf_request_free(&request); - assert_null(request); -} - -int main(void) -{ - const struct CMUnitTest tests[] = { - cmocka_unit_test(new_request), - cmocka_unit_test(new_from_dynbuf), - cmocka_unit_test(new_from_dynbuf_invalid), - cmocka_unit_test(new_from_pack), - cmocka_unit_test(copy), - cmocka_unit_test(accessors), - cmocka_unit_test(setters), - cmocka_unit_test(size_calculation), - cmocka_unit_test(cmd_to_str), - cmocka_unit_test(free_null), - }; - 
- return cmocka_run_group_tests(tests, NULL, NULL); -} diff --git a/tests/unit/libbpfilter/response.c b/tests/unit/libbpfilter/response.c deleted file mode 100644 index 29d86a0fe..000000000 --- a/tests/unit/libbpfilter/response.c +++ /dev/null 
@@ -1,251 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -/* - * Copyright (c) 2023 Meta Platforms, Inc. and affiliates. - */ - -#include "bpfilter/response.h" - -#include -#include - -#include -#include - -#include "fake.h" -#include "test.h" - -static void new_raw(void **state) -{ - _free_bf_response_ struct bf_response *response = NULL; - - (void)state; - - assert_ok(bf_response_new_raw(&response, 0)); - assert_non_null(response); - assert_int_equal(bf_response_status(response), 0); - - bf_response_free(&response); - assert_null(response); - - assert_ok(bf_response_new_raw(&response, 1024)); - assert_non_null(response); - assert_int_equal(bf_response_status(response), 0); -} - -static void new_success(void **state) -{ - _free_bf_response_ struct bf_response *response = NULL; - const char *data = "test data"; - size_t data_len = strlen(data) + 1; - - (void)state; - - // Success with no data - assert_ok(bf_response_new_success(&response, NULL, 0)); - assert_non_null(response); - assert_int_equal(bf_response_status(response), 0); - assert_int_equal(bf_response_data_len(response), 0); - - bf_response_free(&response); - assert_null(response); - - // Success with data - assert_ok(bf_response_new_success(&response, data, data_len)); - assert_non_null(response); - assert_int_equal(bf_response_status(response), 0); - assert_int_equal(bf_response_data_len(response), data_len); - assert_string_equal(bf_response_data(response), data); -} - -static void new_from_dynbuf(void **state) -{ - _free_bf_response_ struct bf_response *response = NULL; - _free_bf_response_ struct bf_response *src = NULL; - _clean_bf_dynbuf_ struct bf_dynbuf dynbuf = bf_dynbuf_default(); - const char *data = "test data from dynbuf"; - size_t data_len = strlen(data) + 1; - - (void)state; - - // Create a source response to copy into dynbuf - assert_ok(bf_response_new_success(&src, data, data_len)); - - // Write response to dynbuf - assert_ok(bf_dynbuf_write(&dynbuf, src, bf_response_size(src))); - 
- // Create response from dynbuf - assert_ok(bf_response_new_from_dynbuf(&response, &dynbuf)); - assert_non_null(response); - assert_int_equal(bf_response_status(response), 0); - assert_int_equal(bf_response_data_len(response), data_len); - assert_string_equal(bf_response_data(response), data); - - // dynbuf should now be empty after taking ownership - assert_null(dynbuf.data); -} - -static void new_from_dynbuf_invalid(void **state) -{ - _free_bf_response_ struct bf_response *response = NULL; - _clean_bf_dynbuf_ struct bf_dynbuf dynbuf = bf_dynbuf_default(); - char small_data[4] = {0}; - - (void)state; - - // Too small dynbuf (less than sizeof(bf_response)) - assert_ok(bf_dynbuf_write(&dynbuf, small_data, sizeof(small_data))); - assert_err(bf_response_new_from_dynbuf(&response, &dynbuf)); -} - -static void new_from_pack(void **state) -{ - _free_bf_response_ struct bf_response *response = NULL; - _free_bf_wpack_ bf_wpack_t *pack = NULL; - const char *data = "packed data"; - - (void)state; - - // Create and populate a pack - assert_ok(bf_wpack_new(&pack)); - bf_wpack_kv_str(pack, "message", data); - - assert_true(bf_wpack_is_valid(pack)); - assert_ok(bf_response_new_from_pack(&response, pack)); - assert_non_null(response); - assert_int_equal(bf_response_status(response), 0); - assert_int_gt(bf_response_data_len(response), 0); -} - -static void new_failure(void **state) -{ - _free_bf_response_ struct bf_response *response = NULL; - - (void)state; - - assert_ok(bf_response_new_failure(&response, -EINVAL)); - assert_non_null(response); - assert_int_equal(bf_response_status(response), -EINVAL); - assert_int_equal(bf_response_data_len(response), 0); - - bf_response_free(&response); - assert_null(response); - - assert_ok(bf_response_new_failure(&response, -ENOMEM)); - assert_non_null(response); - assert_int_equal(bf_response_status(response), -ENOMEM); -} - -static void copy(void **state) -{ - _free_bf_response_ struct bf_response *src = NULL; - _free_bf_response_ struct 
bf_response *dest = NULL; - const char *data = "copy test data"; - size_t data_len = strlen(data) + 1; - - (void)state; - - // Copy success response - assert_ok(bf_response_new_success(&src, data, data_len)); - assert_ok(bf_response_copy(&dest, src)); - - assert_non_null(dest); - assert_int_equal(bf_response_status(dest), bf_response_status(src)); - assert_int_equal(bf_response_data_len(dest), bf_response_data_len(src)); - assert_int_equal(bf_response_size(dest), bf_response_size(src)); - assert_string_equal(bf_response_data(dest), bf_response_data(src)); - - // Ensure it's a deep copy (different memory) - assert_ptr_not_equal(dest, src); - assert_ptr_not_equal(bf_response_data(dest), bf_response_data(src)); - - bf_response_free(&src); - bf_response_free(&dest); - - // Copy failure response - assert_ok(bf_response_new_failure(&src, -EPERM)); - assert_ok(bf_response_copy(&dest, src)); - - assert_non_null(dest); - assert_int_equal(bf_response_status(dest), -EPERM); - assert_int_equal(bf_response_data_len(dest), 0); -} - -static void accessors(void **state) -{ - _free_bf_response_ struct bf_response *response = NULL; - const char *data = "accessor test"; - size_t data_len = strlen(data) + 1; - size_t expected_size; - - (void)state; - - assert_ok(bf_response_new_success(&response, data, data_len)); - - // Test bf_response_status - assert_int_equal(bf_response_status(response), 0); - - // Test bf_response_data - assert_non_null(bf_response_data(response)); - assert_string_equal(bf_response_data(response), data); - - // Test bf_response_data_len - assert_int_equal(bf_response_data_len(response), data_len); - - // Test bf_response_size (should be struct size + data_len) - expected_size = bf_response_size(response); - assert_int_gt(expected_size, data_len); -} - -static void size_calculation(void **state) -{ - _free_bf_response_ struct bf_response *response1 = NULL; - _free_bf_response_ struct bf_response *response2 = NULL; - const char *small_data = "x"; - const char 
*large_data = "this is a much larger piece of data for testing"; - - (void)state; - - assert_ok(bf_response_new_success(&response1, small_data, - strlen(small_data) + 1)); - assert_ok(bf_response_new_success(&response2, large_data, - strlen(large_data) + 1)); - - // Larger data should result in larger size - assert_int_gt(bf_response_size(response2), bf_response_size(response1)); - - // Size difference should match data length difference - size_t size_diff = - bf_response_size(response2) - bf_response_size(response1); - size_t data_diff = - bf_response_data_len(response2) - bf_response_data_len(response1); - assert_int_equal(size_diff, data_diff); -} - -static void free_null(void **state) -{ - struct bf_response *response = NULL; - - (void)state; - - // Freeing NULL pointer should not crash - bf_response_free(&response); - assert_null(response); -} - -int main(void) -{ - const struct CMUnitTest tests[] = { - cmocka_unit_test(new_raw), - cmocka_unit_test(new_success), - cmocka_unit_test(new_from_dynbuf), - cmocka_unit_test(new_from_dynbuf_invalid), - cmocka_unit_test(new_from_pack), - cmocka_unit_test(new_failure), - cmocka_unit_test(copy), - cmocka_unit_test(accessors), - cmocka_unit_test(size_calculation), - cmocka_unit_test(free_null), - }; - - return cmocka_run_group_tests(tests, NULL, NULL); -} diff --git a/tools/benchmarks/CMakeLists.txt b/tools/benchmarks/CMakeLists.txt index 608926142..c01c32e3f 100644 --- a/tools/benchmarks/CMakeLists.txt +++ b/tools/benchmarks/CMakeLists.txt @@ -44,10 +44,9 @@ add_custom_target(benchmark ${CMAKE_SOURCE_DIR}/tools/asroot $ --cli $ - --daemon $ --srcdir ${CMAKE_SOURCE_DIR} --outfile ${CMAKE_BINARY_DIR}/benchmarks/{gitrev}.json - DEPENDS benchmark_bin bfcli bpfilter + DEPENDS benchmark_bin bfcli WORKING_DIRECTORY ${CMAKE_BINARY_DIR} USES_TERMINAL COMMENT "Running benchmarks" diff --git a/tools/benchmarks/benchmark.cpp b/tools/benchmarks/benchmark.cpp index 001ac1ff3..be40edf81 100644 --- a/tools/benchmarks/benchmark.cpp 
+++ b/tools/benchmarks/benchmark.cpp @@ -33,14 +33,12 @@ #include #include // NOLINT #include -#include // NOLINT: otherwise kill() is not found #include #include #include #include #include #include -#include #include #include #include @@ -97,15 +95,12 @@ Config config = {}; namespace { -constexpr int waitForDaemonTimeoutS = 5; -constexpr int waitForDaemonSleepMs = 10; constexpr int maxCommitHashLen = 7; enum { OPT_KEY_ADHOC, OPT_KEY_ADHOC_REPEAT, - OPT_KEY_NO_DAEMON, }; const ::std::string help = "\v\ @@ -113,22 +108,17 @@ const ::std::string help = "\v\ benchmarks will be skipped, and only the adhoc benchmark will be run. --adhoc \ benchmarks won't create any output file."; -constexpr std::array options {{ +constexpr std::array options {{ {.name="cli", .key='c', .arg="CLI", .flags=0, .doc="Path to the bfcli binary. Defaults to 'bfcli' in $PATH.", .group=0}, - {.name="daemon", .key='d', .arg="DAEMON", .flags=0, - .doc="Path to the bpfilter binary. Defaults to 'bpfilter' in $PATH.", .group=0}, {.name="srcdir", .key='s', .arg="SOURCES_DIR", .flags=0, - .doc="Path to the bpfilter sources folder used to build the CLI and the daemon. Defaults to the current directory.", + .doc="Path to the bpfilter sources folder. Defaults to the current directory.", .group=0}, {.name="outfile", .key='o', .arg="OUTPUT_FILE", .flags=0, .doc="Path to the JSON file to write the results to. Defaults to 'results.json'.", .group=0}, {.name="filter", .key='f', .arg="FILTER", .flags=0, .doc="Only run benchmarks matching the given FILTER (substring match).", .group=0}, - {.name="no-daemon", .key=OPT_KEY_NO_DAEMON, .arg=nullptr, .flags=OPTION_ARG_OPTIONAL, - .doc="If set, the benchmark will assume a daemon is already running and won't start one.", - .group=0}, {.name="list", .key='l', .arg=nullptr, .doc="List all available benchmarks and exit.", .group=0}, {.name=nullptr}, }}; 
@@ -143,15 +133,9 @@ int optsParser(int key, char *arg, struct ::argp_state *state) auto *config = static_cast(state->input); switch (key) { - case OPT_KEY_NO_DAEMON: - config->runDaemon = false; - break; case 'c': config->bfcli = ::std::filesystem::absolute(arg); break; - case 'd': - config->bpfilter = ::std::string(arg); - break; case 's': config->srcdir = ::std::string(arg); @@ -360,12 +344,6 @@ int setup(std::span args) return -ENOENT; } - config.bpfilter = which(config.bpfilter); - if (config.bpfilter.empty()) { - err("bpfilter binary '{}' not found", config.bpfilter); - return -ENOENT; - } - config.outfile = ::std::filesystem::absolute(config.outfile); config.srcdir = ::std::filesystem::weakly_canonical(config.srcdir); if (!std::filesystem::exists(config.srcdir)) { @@ -394,10 +372,8 @@ int setup(std::span args) ::benchmark::AddCustomContext("gitrev", config.gitrev); ::benchmark::AddCustomContext("gitdate", ::std::to_string(config.gitdate)); ::benchmark::AddCustomContext("bfcli", config.bfcli); - ::benchmark::AddCustomContext("bpfilter", config.bpfilter); ::benchmark::AddCustomContext("srcdir", config.srcdir); ::benchmark::AddCustomContext("outfile", config.outfile); - ::benchmark::AddCustomContext("runDaemon", config.runDaemon ? "yes" : "no"); ::benchmark::FLAGS_benchmark_out = config.outfile; ::benchmark::FLAGS_benchmark_out_format = "json"; 
@@ -556,173 +532,6 @@ int Fd::close() return 0; } -Daemon::Options &Daemon::Options::transient() -{ - options_.emplace_back("--transient"); - return *this; -} - -Daemon::Options &Daemon::Options::bufferLen(::std::size_t len) -{ - options_.emplace_back("--buffer-len"); - options_.emplace_back(::std::to_string(len)); - return *this; -} - -Daemon::Options &Daemon::Options::verbose(const ::std::string &component) -{ - options_.emplace_back("--verbose"); - options_.emplace_back(component); - return *this; -} - -::std::vector<::std::string> Daemon::Options::get() const -{ - return options_; -} - -Daemon::Daemon(::std::string path, Options options): - path_ {::std::move(path)}, - options_ {::std::move(options)} -{ - if (start() < 0) - abort("failed to start bpfilter"); -} - -Daemon::Daemon(Daemon &&other) noexcept(false) -{ - if (pid_) - abort("calling ::bf::Daemon(::bf::Daemon &&) on an active daemon!"); - - other.pid_.swap(pid_); - stdoutFd_ = ::std::move(other.stdoutFd_); - stderrFd_ = ::std::move(other.stderrFd_); -} - -Daemon &Daemon::operator=(Daemon &&other) noexcept(false) -{ - if (pid_) - abort( - "calling ::bf::Daemon::operator=(::fd::Daemon &&) on an active daemon!"); - - other.pid_.swap(pid_); - stdoutFd_ = ::std::move(other.stdoutFd_); - stderrFd_ = ::std::move(other.stderrFd_); - - return *this; -} - -Daemon::~Daemon() noexcept(false) -{ - if (stop() < 0) - abort("failed to stop bpfilter"); -} - -int Daemon::start() -{ - Fd stdoutFd, stderrFd; - int pid, r; - - if (pid_) - abort("calling ::bf::Daemon::start() on an active daemon!"); - - pid = exec(path_, options_.get(), stdoutFd, stderrFd); - if (pid < 0) { - err("failed to start the daemon: {}", errStr(pid)); - return pid; - } - - if ((r = setFdNonBlock(stdoutFd)) < 0) { - err("failed to set non-blocking flag to the daemon's stdout FD: {}", - errStr(r)); - return r; - } - - if ((r = setFdNonBlock(stderrFd)) < 0) { - err("failed to set non-blocking flag to the daemon's stderr FD: {}", - errStr(r)); - return 
r; - } - - const TimePoint begin = time::now(); - - while (true) { - int status; - - r = waitpid(pid, &status, WNOHANG); - if (r == -1) { - err("failed to wait on the deamon's PID {}: {}", pid, - errStr(errno)); - return -errno; - } - if (r != 0) { - auto errLogs = readFd(stderrFd); - err("daemon seems to be dead! Err logs:\n{}", - errLogs ? *errLogs : ""); - return -ENOENT; - } - - auto data = readFd(stderrFd); - if (data && - data->find("waiting for requests...") != ::std::string::npos) - break; - - if (std::chrono::duration_cast(time::now() - begin).count() > - waitForDaemonTimeoutS) { - // Let's try to stop it just in case - kill(pid, SIGINT); - err("daemon is not showing up after {} seconds, aborting", - waitForDaemonTimeoutS); - return -EIO; - } - - // Wait a bit for the daemon to be ready - ::std::this_thread::sleep_for( - std::chrono::milliseconds(waitForDaemonSleepMs)); - } - - pid_ = ::std::optional(pid); - stdoutFd_ = std::move(stdoutFd); - stderrFd_ = std::move(stderrFd); - - return 0; -} - -int Daemon::stop() -{ - if (!pid_) - return 0; - - int r = kill(*pid_, SIGINT); - if (r < 0) { - err("failed to send SIGINT signal to the daemon: {}", errStr(errno)); - return -errno; - } - - int status; - r = waitpid(*pid_, &status, 0); - if (r < 0) { - err("can't wait on the daemon: {}", errStr(errno)); - return -errno; - } - - return 0; -} - -std::string Daemon::stdout() -{ - auto maybe = readFd(stdoutFd_); - - return maybe ? *maybe : ""; -} - -std::string Daemon::stderr() -{ - auto maybe = readFd(stderrFd_); - - return maybe ? *maybe : ""; -} - Program::Program(std::string name): name_ {::std::move(name)} { diff --git a/tools/benchmarks/benchmark.hpp b/tools/benchmarks/benchmark.hpp index f9bdc7307..9055907db 100644 --- a/tools/benchmarks/benchmark.hpp +++ b/tools/benchmarks/benchmark.hpp 
@@ -84,7 +84,6 @@ struct Config { public: ::std::string bfcli = "bfcli"; - ::std::string bpfilter = "bpfilter"; ::std::string srcdir = "."; ::std::string outfile = "results.json"; ::std::string gitrev = ""; @@ -92,7 +91,6 @@ struct Config int adhocRepeat = 1; const ::std::string adhocBenchName = "bf_adhoc"; int64_t gitdate = 0; - bool runDaemon = true; Config() noexcept = default; }; @@ -141,43 +139,6 @@ class Fd int fd_ = -1; }; -class Daemon -{ -public: - class Options - { - public: - Options &transient(); - Options &bufferLen(::std::size_t len); - Options &verbose(const ::std::string &component); - [[nodiscard]] ::std::vector<::std::string> get() const; - - private: - ::std::vector<::std::string> options_; - }; - - Daemon(::std::string path = "bpfilter", Options options = Options()); - Daemon(Daemon &other) = delete; - Daemon(Daemon &&other) noexcept(false); - ~Daemon() noexcept(false); - - Daemon &operator=(Daemon &other) = delete; - Daemon &operator=(Daemon &&other) noexcept(false); - - std::string stdout(); - std::string stderr(); - -private: - ::std::string path_; - Options options_; - std::optional pid_; - Fd stdoutFd_; - Fd stderrFd_; - - [[nodiscard]] int start(); - int stop(); -}; - class Program { public: diff --git a/tools/benchmarks/main.cpp b/tools/benchmarks/main.cpp index a799827b4..152e37a57 100644 --- a/tools/benchmarks/main.cpp +++ b/tools/benchmarks/main.cpp @@ -20,6 +20,7 @@ extern "C" { #include +#include #include #include #include 
@@ -597,24 +598,22 @@ int main(int argc, char *argv[]) ::bf::restorePermissions(::bf::config.outfile); - ::std::optional daemon; - if (::bf::config.runDaemon) { - daemon = bf::Daemon( - ::bf::config.bpfilter, - bf::Daemon::Options().transient()); + int r = bf_ctx_setup(false, "/sys/fs/bpf", 0); + if (r < 0) { + err("failed to initialise bpfilter context: {}", std::strerror(-r)); + return r; } try { ::benchmark::RunSpecifiedBenchmarks(); } catch (const ::std::exception &e) { - if (daemon) { - std::cout << daemon->stderr(); - } err("failed to run benchmark: {}", e.what()); + bf_ctx_teardown(); return -1; } ::benchmark::Shutdown(); + bf_ctx_teardown(); return 0; } diff --git a/tools/cmake/ElfStubs.cmake b/tools/cmake/ElfStubs.cmake index 595f3f1de..1d58e6cdb 100644 --- a/tools/cmake/ElfStubs.cmake +++ b/tools/cmake/ElfStubs.cmake @@ -55,7 +55,7 @@ function(bf_target_add_elfstubs TARGET) -target bpf -g -I ${CMAKE_SOURCE_DIR}/src/libbpfilter/include - -I ${CMAKE_SOURCE_DIR}/src/bpfilter + -I ${CMAKE_SOURCE_DIR}/src/libbpfilter -I ${CMAKE_SOURCE_DIR}/src/external/include -c ${_LOCAL_DIR}/${_stub}.bpf.c -o ${ELFSTUBS_ELF_DIR}/${_stub}.o
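Review bot: `bf_ctx_setup(false, "/sys/fs/bpf", 0)` replaces a daemon that the removed code started with `--transient`, but the literal arguments are unexplained: if the leading `false` is the transient/persist flag, the benchmark now pins its chains under the hard-coded `/sys/fs/bpf` and leaves them behind after each run, which skews repeated measurements and requires manual root cleanup — confirm against the `bf_ctx_setup` declaration in libbpfilter and, if so, pass the setting that matches the removed daemon option, e.g. `int r = bf_ctx_setup(/*transient=*/true, "/sys/fs/bpf", 0);`, and consider exposing the bpffs path as an option alongside `--srcdir` rather than a literal. `return r;` on the failure path hands a negative errno to the shell (exit status 243 for `-EACCES`); `return 1;` or `return -r;` gives a meaningful status. `bf_ctx_teardown()` is only reached on the `std::exception` path and on success, so any other unwinding out of `RunSpecifiedBenchmarks()` skips it; a small RAII guard constructed right after the setup succeeds would cover every exit. `main` starts before the hunk.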