2 # SPDX-License-Identifier: GPL-2.0
4 # End-to-end eBPF tunnel test suite
5 # The script tests BPF network tunnel implementation.
9 # root namespace | at_ns0 namespace
11 # ----------- | -----------
12 # | tnl dev | | | tnl dev | (overlay network)
13 # ----------- | -----------
14 # metadata-mode | native-mode
17 # ---------- | ----------
18 # | veth1 | --------- | veth0 | (underlay network)
19 # ---------- peer ----------
22 # Device Configuration
23 # --------------------
24 # Root namespace with metadata-mode tunnel + BPF
25 # Device names and addresses:
26 # veth1 IP: 172.16.1.200, IPv6: 00::22 (underlay)
27 # tunnel dev <type>11, ex: gre11, IPv4: 10.1.1.200 (overlay)
29 # Namespace at_ns0 with native tunnel
30 # Device names and addresses:
31 # veth0 IPv4: 172.16.1.100, IPv6: 00::11 (underlay)
32 # tunnel dev <type>00, ex: gre00, IPv4: 10.1.1.100 (overlay)
35 # End-to-end ping packet flow
36 # ---------------------------
37 # Most of the tests start by namespace creation, device configuration,
38 # then ping the underlay and overlay network. When doing 'ping 10.1.1.100'
39 # from root namespace, the following operations happen:
40 # 1) Route lookup shows 10.1.1.100/24 belongs to tnl dev, fwd to tnl dev.
41 # 2) Tnl device's egress BPF program is triggered and sets the tunnel metadata,
42 # with remote_ip=172.16.1.200 and others.
43 # 3) The outer tunnel header is prepended and the packet is routed to veth1's egress
44 # 4) veth0's ingress queue receives the tunneled packet at namespace at_ns0
45 # 5) The tunnel protocol handler, ex: vxlan_rcv, decaps the packet
46 # 6) The packet is forwarded to the overlay tnl dev
48 PING_ARG="-c 3 -w 10 -q"
52 NC='\033[0m' # No Color
# Underlay: create the veth pair and move the veth0 end into at_ns0.
# The at_ns0 namespace must already exist when this runs.
ip link add veth0 type veth peer name veth1
ip link set veth0 netns at_ns0

# at_ns0 side of the underlay
ip netns exec at_ns0 ip addr add 172.16.1.100/24 dev veth0
ip netns exec at_ns0 ip link set dev veth0 up

# root-namespace side of the underlay
ip link set dev veth1 up mtu 1500
ip addr add dev veth1 172.16.1.200/24
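# at_ns0 namespace: native-mode tunnel with fixed endpoints and key 2.
# Expansions are quoted so an empty or space-containing DEV_NS/TYPE/DEV
# cannot silently shift the ip(8) argument list.
ip netns exec at_ns0 \
	ip link add dev "$DEV_NS" type "$TYPE" seq key 2 \
	local 172.16.1.100 remote 172.16.1.200
ip netns exec at_ns0 ip link set dev "$DEV_NS" up
ip netns exec at_ns0 ip addr add dev "$DEV_NS" 10.1.1.100/24

# root namespace: metadata-mode ("external") tunnel, same key
ip link add dev "$DEV" type "$TYPE" key 2 external
ip link set dev "$DEV" up
ip addr add dev "$DEV" 10.1.1.200/24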
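#######################################
# Build an IPv6-underlay GRE tunnel pair: native mode in at_ns0,
# metadata mode ("external") in the root namespace.
# Globals:   DEV_NS, DEV, TYPE (read)
# Arguments: none
#######################################
add_ip6gretap_tunnel()
{
	# assign ipv6 addresses to the underlay veth pair
	ip netns exec at_ns0 ip addr add ::11/96 dev veth0
	ip netns exec at_ns0 ip link set dev veth0 up
	ip addr add dev veth1 ::22/96
	ip link set dev veth1 up

	# at_ns0 namespace; variables are quoted so an empty or
	# space-containing value cannot shift the ip(8) arguments
	ip netns exec at_ns0 \
		ip link add dev "$DEV_NS" type "$TYPE" seq flowlabel 0xbcdef key 2 \
		local ::11 remote ::22
	ip netns exec at_ns0 ip addr add dev "$DEV_NS" 10.1.1.100/24
	ip netns exec at_ns0 ip addr add dev "$DEV_NS" fc80::100/96
	ip netns exec at_ns0 ip link set dev "$DEV_NS" up

	# root namespace
	ip link add dev "$DEV" type "$TYPE" external
	ip addr add dev "$DEV" 10.1.1.200/24
	# NOTE(review): /24 here while the at_ns0 side uses /96 - confirm
	# the prefix length is intended
	ip addr add dev "$DEV" fc80::200/24
	ip link set dev "$DEV" up
}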
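# at_ns0 namespace: native ERSPAN tunnel. "$1" selects the ERSPAN
# version: "v1" creates a version 1 device, anything else version 2.
# Variables are quoted so an empty or space-containing value cannot
# shift the ip(8) arguments.
if [[ "$1" == "v1" ]]; then
	ip netns exec at_ns0 \
		ip link add dev "$DEV_NS" type "$TYPE" seq key 2 \
		local 172.16.1.100 remote 172.16.1.200 \
		erspan_ver 1 erspan 123
else
	ip netns exec at_ns0 \
		ip link add dev "$DEV_NS" type "$TYPE" seq key 2 \
		local 172.16.1.100 remote 172.16.1.200 \
		erspan_ver 2 erspan_dir egress erspan_hwid 3
fi
ip netns exec at_ns0 ip link set dev "$DEV_NS" up
ip netns exec at_ns0 ip addr add dev "$DEV_NS" 10.1.1.100/24

# root namespace: metadata-mode ("external") tunnel
ip link add dev "$DEV" type "$TYPE" external
ip link set dev "$DEV" up
ip addr add dev "$DEV" 10.1.1.200/24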
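#######################################
# Build an IPv6-underlay ERSPAN tunnel pair: native mode in at_ns0,
# metadata mode ("external") in the root namespace.
# Globals:   DEV_NS, DEV, TYPE (read)
# Arguments: $1 - "v1" for ERSPAN version 1, anything else for version 2
#######################################
add_ip6erspan_tunnel()
{
	# assign ipv6 address
	ip netns exec at_ns0 ip addr add ::11/96 dev veth0
	ip netns exec at_ns0 ip link set dev veth0 up
	ip addr add dev veth1 ::22/96
	ip link set dev veth1 up

	# at_ns0 namespace; variables are quoted so an empty or
	# space-containing value cannot shift the ip(8) arguments
	if [[ "$1" == "v1" ]]; then
		ip netns exec at_ns0 \
			ip link add dev "$DEV_NS" type "$TYPE" seq key 2 \
			local ::11 remote ::22 \
			erspan_ver 1 erspan 123
	else
		ip netns exec at_ns0 \
			ip link add dev "$DEV_NS" type "$TYPE" seq key 2 \
			local ::11 remote ::22 \
			erspan_ver 2 erspan_dir egress erspan_hwid 7
	fi
	ip netns exec at_ns0 ip addr add dev "$DEV_NS" 10.1.1.100/24
	ip netns exec at_ns0 ip link set dev "$DEV_NS" up

	# root namespace
	ip link add dev "$DEV" type "$TYPE" external
	ip addr add dev "$DEV" 10.1.1.200/24
	ip link set dev "$DEV" up
}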
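# Set static ARP entries here because iptables set-mark works on L3
# packets only; it does not apply to ARP packets, which then cause
# errors at get_tunnel_{key/opt}.

# at_ns0 namespace: native VXLAN with the gbp option and a fixed MAC.
# Variables are quoted so an empty or space-containing value cannot
# shift the ip(8) arguments.
ip netns exec at_ns0 \
	ip link add dev "$DEV_NS" type "$TYPE" \
	id 2 dstport 4789 gbp remote 172.16.1.200
ip netns exec at_ns0 \
	ip link set dev "$DEV_NS" address 52:54:00:d9:01:00 up
ip netns exec at_ns0 ip addr add dev "$DEV_NS" 10.1.1.100/24
ip netns exec at_ns0 arp -s 10.1.1.200 52:54:00:d9:02:00
# The MARK rule is appended inside at_ns0 only and matches every
# locally generated packet in that namespace (no match criteria).
ip netns exec at_ns0 iptables -A OUTPUT -j MARK --set-mark 0x800FF

# root namespace: metadata-mode ("external") VXLAN with gbp
ip link add dev "$DEV" type "$TYPE" external gbp dstport 4789
ip link set dev "$DEV" address 52:54:00:d9:02:00 up
ip addr add dev "$DEV" 10.1.1.200/24
# Static neighbour entry in the root namespace for the peer overlay IP
arp -s 10.1.1.100 52:54:00:d9:01:00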
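#######################################
# Build an IPv6-underlay VXLAN tunnel pair: native mode in at_ns0,
# metadata mode ("external") in the root namespace.
# Globals:   DEV_NS, DEV, TYPE (read)
# Arguments: none
#######################################
add_ip6vxlan_tunnel()
{
	#ip netns exec at_ns0 ip -4 addr del 172.16.1.100 dev veth0
	ip netns exec at_ns0 ip -6 addr add ::11/96 dev veth0
	ip netns exec at_ns0 ip link set dev veth0 up
	#ip -4 addr del 172.16.1.200 dev veth1
	ip -6 addr add dev veth1 ::22/96
	ip link set dev veth1 up

	# at_ns0 namespace; variables are quoted so an empty or
	# space-containing value cannot shift the ip(8) arguments
	ip netns exec at_ns0 \
		ip link add dev "$DEV_NS" type "$TYPE" id 22 dstport 4789 \
		local ::11 remote ::22
	ip netns exec at_ns0 ip addr add dev "$DEV_NS" 10.1.1.100/24
	ip netns exec at_ns0 ip link set dev "$DEV_NS" up

	# root namespace
	ip link add dev "$DEV" type "$TYPE" external dstport 4789
	ip addr add dev "$DEV" 10.1.1.200/24
	ip link set dev "$DEV" up
}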
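# at_ns0 namespace: native GENEVE tunnel, VNI 2, towards the root side.
# Variables are quoted so an empty or space-containing value cannot
# shift the ip(8) arguments.
ip netns exec at_ns0 \
	ip link add dev "$DEV_NS" type "$TYPE" \
	id 2 dstport 6081 remote 172.16.1.200
ip netns exec at_ns0 ip link set dev "$DEV_NS" up
ip netns exec at_ns0 ip addr add dev "$DEV_NS" 10.1.1.100/24

# root namespace: metadata-mode ("external") tunnel on the same port
ip link add dev "$DEV" type "$TYPE" dstport 6081 external
ip link set dev "$DEV" up
ip addr add dev "$DEV" 10.1.1.200/24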
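#######################################
# Build an IPv6-underlay GENEVE tunnel pair: native mode in at_ns0,
# metadata mode ("external") in the root namespace.
# Globals:   DEV_NS, DEV, TYPE (read)
# Arguments: none
#######################################
add_ip6geneve_tunnel()
{
	# assign ipv6 addresses to the underlay veth pair
	ip netns exec at_ns0 ip addr add ::11/96 dev veth0
	ip netns exec at_ns0 ip link set dev veth0 up
	ip addr add dev veth1 ::22/96
	ip link set dev veth1 up

	# at_ns0 namespace; variables are quoted so an empty or
	# space-containing value cannot shift the ip(8) arguments
	ip netns exec at_ns0 \
		ip link add dev "$DEV_NS" type "$TYPE" id 22 \
		remote ::22 # geneve has no local option
	ip netns exec at_ns0 ip addr add dev "$DEV_NS" 10.1.1.100/24
	ip netns exec at_ns0 ip link set dev "$DEV_NS" up

	# root namespace
	ip link add dev "$DEV" type "$TYPE" external
	ip addr add dev "$DEV" 10.1.1.200/24
	ip link set dev "$DEV" up
}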
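# at_ns0 namespace: native tunnel with fixed IPv4 endpoints.
# Variables are quoted so an empty or space-containing value cannot
# shift the ip(8) arguments.
ip netns exec at_ns0 \
	ip link add dev "$DEV_NS" type "$TYPE" \
	local 172.16.1.100 remote 172.16.1.200
ip netns exec at_ns0 ip link set dev "$DEV_NS" up
ip netns exec at_ns0 ip addr add dev "$DEV_NS" 10.1.1.100/24

# root namespace: metadata-mode ("external") tunnel
ip link add dev "$DEV" type "$TYPE" external
ip link set dev "$DEV" up
ip addr add dev "$DEV" 10.1.1.200/24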
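#######################################
# Build an IPv6-underlay IP tunnel pair: native mode in at_ns0,
# metadata mode ("external") in the root namespace.
# Globals:   DEV_NS, DEV, TYPE (read)
# Arguments: none
#######################################
add_ipip6tnl_tunnel()
{
	# assign ipv6 addresses to the underlay veth pair
	ip netns exec at_ns0 ip addr add ::11/96 dev veth0
	ip netns exec at_ns0 ip link set dev veth0 up
	ip addr add dev veth1 ::22/96
	ip link set dev veth1 up

	# at_ns0 namespace; variables are quoted so an empty or
	# space-containing value cannot shift the ip(8) arguments
	ip netns exec at_ns0 \
		ip link add dev "$DEV_NS" type "$TYPE" \
		local ::11 remote ::22
	ip netns exec at_ns0 ip addr add dev "$DEV_NS" 10.1.1.100/24
	ip netns exec at_ns0 ip link set dev "$DEV_NS" up

	# root namespace
	ip link add dev "$DEV" type "$TYPE" external
	ip addr add dev "$DEV" 10.1.1.200/24
	ip link set dev "$DEV" up
}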
283 attach_bpf $DEV gre_set_tunnel gre_get_tunnel
284 ping $PING_ARG 10.1.1.100
286 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
290 if [ $ret -ne 0 ]; then
291 echo -e ${RED}"FAIL: $TYPE"${NC}
294 echo -e ${GREEN}"PASS: $TYPE"${NC}
306 # reuse the ip6gretap function
308 attach_bpf $DEV ip6gretap_set_tunnel ip6gretap_get_tunnel
311 # overlay: ipv4 over ipv6
312 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
313 ping $PING_ARG 10.1.1.100
315 # overlay: ipv6 over ipv6
316 ip netns exec at_ns0 ping6 $PING_ARG fc80::200
320 if [ $ret -ne 0 ]; then
321 echo -e ${RED}"FAIL: $TYPE"${NC}
324 echo -e ${GREEN}"PASS: $TYPE"${NC}
337 attach_bpf $DEV ip6gretap_set_tunnel ip6gretap_get_tunnel
340 # overlay: ipv4 over ipv6
341 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
342 ping $PING_ARG 10.1.1.100
344 # overlay: ipv6 over ipv6
345 ip netns exec at_ns0 ping6 $PING_ARG fc80::200
349 if [ $ret -ne 0 ]; then
350 echo -e ${RED}"FAIL: $TYPE"${NC}
353 echo -e ${GREEN}"PASS: $TYPE"${NC}
366 attach_bpf $DEV erspan_set_tunnel erspan_get_tunnel
367 ping $PING_ARG 10.1.1.100
369 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
373 if [ $ret -ne 0 ]; then
374 echo -e ${RED}"FAIL: $TYPE"${NC}
377 echo -e ${GREEN}"PASS: $TYPE"${NC}
389 add_ip6erspan_tunnel $1
390 attach_bpf $DEV ip4ip6erspan_set_tunnel ip4ip6erspan_get_tunnel
392 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
396 if [ $ret -ne 0 ]; then
397 echo -e ${RED}"FAIL: $TYPE"${NC}
400 echo -e ${GREEN}"PASS: $TYPE"${NC}
413 attach_bpf $DEV vxlan_set_tunnel vxlan_get_tunnel
414 ping $PING_ARG 10.1.1.100
416 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
420 if [ $ret -ne 0 ]; then
421 echo -e ${RED}"FAIL: $TYPE"${NC}
424 echo -e ${GREEN}"PASS: $TYPE"${NC}
437 ip link set dev veth1 mtu 1500
438 attach_bpf $DEV ip6vxlan_set_tunnel ip6vxlan_get_tunnel
442 ping $PING_ARG 10.1.1.100
444 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
448 if [ $ret -ne 0 ]; then
449 echo -e ${RED}"FAIL: ip6$TYPE"${NC}
452 echo -e ${GREEN}"PASS: ip6$TYPE"${NC}
465 attach_bpf $DEV geneve_set_tunnel geneve_get_tunnel
466 ping $PING_ARG 10.1.1.100
468 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
472 if [ $ret -ne 0 ]; then
473 echo -e ${RED}"FAIL: $TYPE"${NC}
476 echo -e ${GREEN}"PASS: $TYPE"${NC}
489 attach_bpf $DEV ip6geneve_set_tunnel ip6geneve_get_tunnel
490 ping $PING_ARG 10.1.1.100
492 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
496 if [ $ret -ne 0 ]; then
497 echo -e ${RED}"FAIL: ip6$TYPE"${NC}
500 echo -e ${GREEN}"PASS: ip6$TYPE"${NC}
513 ip link set dev veth1 mtu 1500
514 attach_bpf $DEV ipip_set_tunnel ipip_get_tunnel
515 ping $PING_ARG 10.1.1.100
517 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
521 if [ $ret -ne 0 ]; then
522 echo -e ${RED}"FAIL: $TYPE"${NC}
525 echo -e ${GREEN}"PASS: $TYPE"${NC}
538 ip link set dev veth1 mtu 1500
539 attach_bpf $DEV ipip6_set_tunnel ipip6_get_tunnel
543 ping $PING_ARG 10.1.1.100
545 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
549 if [ $ret -ne 0 ]; then
550 echo -e ${RED}"FAIL: $TYPE"${NC}
553 echo -e ${GREEN}"PASS: $TYPE"${NC}
# Fixed, publicly known key material for this self-test only:
#   auth - 40 hex digits of '1' (160 bits), used with hmac(sha1)
#   enc  - 32 hex digits of '2' (128 bits), used with cbc(aes)
# These values must never be reused for a real security association.
printf -v auth '%040d' 0
auth="0x${auth//0/1}"
printf -v enc '%032d' 0
enc="0x${enc//0/2}"
564 ip netns exec at_ns0 \
565 ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \
566 spi $spi_in_to_out reqid 1 mode tunnel \
567 auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
568 ip netns exec at_ns0 \
569 ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir out \
570 tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \
573 ip netns exec at_ns0 \
574 ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \
575 spi $spi_out_to_in reqid 2 mode tunnel \
576 auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
577 ip netns exec at_ns0 \
578 ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir in \
579 tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \
582 ip netns exec at_ns0 \
583 ip addr add dev veth0 10.1.1.100/32
584 ip netns exec at_ns0 \
585 ip route add 10.1.1.200 dev veth0 via 172.16.1.200 \
590 ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \
591 spi $spi_in_to_out reqid 1 mode tunnel \
592 auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
593 ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir in \
594 tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \
597 ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \
598 spi $spi_out_to_in reqid 2 mode tunnel \
599 auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
600 ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir out \
601 tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \
604 ip addr add dev veth1 10.1.1.200/32
605 ip route add 10.1.1.100 dev veth1 via 172.16.1.100 src 10.1.1.200
611 > /sys/kernel/debug/tracing/trace
613 tc qdisc add dev veth1 clsact
614 tc filter add dev veth1 proto ip ingress bpf da obj test_tunnel_kern.o \
616 ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
618 grep "reqid 1" /sys/kernel/debug/tracing/trace
620 grep "spi 0x1" /sys/kernel/debug/tracing/trace
622 grep "remote ip 0xac100164" /sys/kernel/debug/tracing/trace
626 if [ $ret -ne 0 ]; then
627 echo -e ${RED}"FAIL: xfrm tunnel"${NC}
630 echo -e ${GREEN}"PASS: xfrm tunnel"${NC}
638 tc qdisc add dev $DEV clsact
639 tc filter add dev $DEV egress bpf da obj test_tunnel_kern.o sec $SET
640 tc filter add dev $DEV ingress bpf da obj test_tunnel_kern.o sec $GET
# Tear down everything the tests may have created. Errors are discarded
# on purpose: in any given run most of these objects do not exist.
ip netns delete at_ns0 2> /dev/null

# root-namespace links: the veth peer and every metadata-mode tunnel dev
for link in veth1 ipip11 ipip6tnl11 gretap11 ip6gre11 ip6gretap11 \
	    vxlan11 ip6vxlan11 geneve11 ip6geneve11 erspan11 ip6erspan11; do
	ip link del $link 2> /dev/null
done

# root-namespace IPsec policies and states left by the xfrm test
ip xfrm policy delete dir out src 10.1.1.200/32 dst 10.1.1.100/32 2> /dev/null
ip xfrm policy delete dir in src 10.1.1.100/32 dst 10.1.1.200/32 2> /dev/null
ip xfrm state delete src 172.16.1.100 dst 172.16.1.200 proto esp spi 0x1 2> /dev/null
ip xfrm state delete src 172.16.1.200 dst 172.16.1.100 proto esp spi 0x2 2> /dev/null
666 echo "CATCH SIGKILL or SIGINT, cleanup and exit"
673 ip link help 2>&1 | grep -q "\s$1\s"
675 echo "SKIP $1: iproute2 not support"
# Turn on dynamic-debug output ("+p") for the tunnel drivers under test.
# NOTE(review): nothing in the visible cleanup path writes "-p" to turn
# these back off, so the extra kernel logging appears to persist after
# the run - confirm.
for src_file in ip_gre.c ip6_gre.c vxlan.c geneve.c ipip.c; do
	echo "file $src_file +p" > /sys/kernel/debug/dynamic_debug/control
done
692 if [ $ret -eq 0 ]; then
701 echo "Testing GRE tunnel..."
703 errors=$(( $errors + $? ))
705 echo "Testing IP6GRE tunnel..."
707 errors=$(( $errors + $? ))
709 echo "Testing IP6GRETAP tunnel..."
711 errors=$(( $errors + $? ))
713 echo "Testing ERSPAN tunnel..."
715 errors=$(( $errors + $? ))
717 echo "Testing IP6ERSPAN tunnel..."
719 errors=$(( $errors + $? ))
721 echo "Testing VXLAN tunnel..."
723 errors=$(( $errors + $? ))
725 echo "Testing IP6VXLAN tunnel..."
727 errors=$(( $errors + $? ))
729 echo "Testing GENEVE tunnel..."
731 errors=$(( $errors + $? ))
733 echo "Testing IP6GENEVE tunnel..."
735 errors=$(( $errors + $? ))
737 echo "Testing IPIP tunnel..."
739 errors=$(( $errors + $? ))
741 echo "Testing IPIP6 tunnel..."
743 errors=$(( $errors + $? ))
745 echo "Testing IPSec tunnel..."
747 errors=$(( $errors + $? ))
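# Run cleanup_exit on SIGINT and SIGTERM so interfaces, the namespace
# and xfrm state are not left behind when the test is interrupted.
# SIGKILL (9) cannot be caught by any process, so listing it in a trap
# never runs the handler; SIGTERM is trapped instead.
trap cleanup_exit INT TERM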
758 if [ $? -ne 0 ]; then
759 echo -e "$(basename $0): ${RED}FAIL${NC}"
762 echo -e "$(basename $0): ${GREEN}PASS${NC}"