1 // SPDX-License-Identifier: GPL-2.0
2 // Copyright (c) 2018 Facebook
10 #include <arpa/inet.h>
11 #include <netinet/in.h>
12 #include <sys/types.h>
13 #include <sys/select.h>
14 #include <sys/socket.h>
16 #include <linux/filter.h>
19 #include <bpf/libbpf.h>
21 #include "cgroup_helpers.h"
22 #include "bpf_rlimit.h"
29 #define CG_PATH "/foo"
30 #define CONNECT4_PROG_PATH "./connect4_prog.o"
31 #define CONNECT6_PROG_PATH "./connect6_prog.o"
32 #define SENDMSG4_PROG_PATH "./sendmsg4_prog.o"
33 #define SENDMSG6_PROG_PATH "./sendmsg6_prog.o"
35 #define SERV4_IP "192.168.1.254"
36 #define SERV4_REWRITE_IP "127.0.0.1"
37 #define SRC4_IP "172.16.0.1"
38 #define SRC4_REWRITE_IP "127.0.0.4"
39 #define SERV4_PORT 4040
40 #define SERV4_REWRITE_PORT 4444
42 #define SERV6_IP "face:b00c:1234:5678::abcd"
43 #define SERV6_REWRITE_IP "::1"
44 #define SERV6_V4MAPPED_IP "::ffff:192.168.0.4"
46 #define SRC6_REWRITE_IP "::6"
47 #define SERV6_PORT 6060
48 #define SERV6_REWRITE_PORT 6666
50 #define INET_NTOP_BUF 40
52 struct sock_addr_test;
54 typedef int (*load_fn)(const struct sock_addr_test *test);
55 typedef int (*info_fn)(int, struct sockaddr *, socklen_t *);
57 char bpf_log_buf[BPF_LOG_BUF_SIZE];
59 struct sock_addr_test {
61 /* BPF prog properties */
63 enum bpf_attach_type expected_attach_type;
64 enum bpf_attach_type attach_type;
65 /* Socket properties */
68 /* IP:port pairs for BPF prog to override */
69 const char *requested_ip;
70 unsigned short requested_port;
71 const char *expected_ip;
72 unsigned short expected_port;
73 const char *expected_src_ip;
74 /* Expected test result */
84 static int bind4_prog_load(const struct sock_addr_test *test);
85 static int bind6_prog_load(const struct sock_addr_test *test);
86 static int connect4_prog_load(const struct sock_addr_test *test);
87 static int connect6_prog_load(const struct sock_addr_test *test);
88 static int sendmsg_deny_prog_load(const struct sock_addr_test *test);
89 static int sendmsg4_rw_asm_prog_load(const struct sock_addr_test *test);
90 static int sendmsg4_rw_c_prog_load(const struct sock_addr_test *test);
91 static int sendmsg6_rw_asm_prog_load(const struct sock_addr_test *test);
92 static int sendmsg6_rw_c_prog_load(const struct sock_addr_test *test);
93 static int sendmsg6_rw_v4mapped_prog_load(const struct sock_addr_test *test);
95 static struct sock_addr_test tests[] = {
98 "bind4: load prog with wrong expected attach type",
100 BPF_CGROUP_INET6_BIND,
101 BPF_CGROUP_INET4_BIND,
112 "bind4: attach prog with wrong attach type",
114 BPF_CGROUP_INET4_BIND,
115 BPF_CGROUP_INET6_BIND,
126 "bind4: rewrite IP & TCP port in",
128 BPF_CGROUP_INET4_BIND,
129 BPF_CGROUP_INET4_BIND,
140 "bind4: rewrite IP & UDP port in",
142 BPF_CGROUP_INET4_BIND,
143 BPF_CGROUP_INET4_BIND,
154 "bind6: load prog with wrong expected attach type",
156 BPF_CGROUP_INET4_BIND,
157 BPF_CGROUP_INET6_BIND,
168 "bind6: attach prog with wrong attach type",
170 BPF_CGROUP_INET6_BIND,
171 BPF_CGROUP_INET4_BIND,
182 "bind6: rewrite IP & TCP port in",
184 BPF_CGROUP_INET6_BIND,
185 BPF_CGROUP_INET6_BIND,
196 "bind6: rewrite IP & UDP port in",
198 BPF_CGROUP_INET6_BIND,
199 BPF_CGROUP_INET6_BIND,
212 "connect4: load prog with wrong expected attach type",
214 BPF_CGROUP_INET6_CONNECT,
215 BPF_CGROUP_INET4_CONNECT,
226 "connect4: attach prog with wrong attach type",
228 BPF_CGROUP_INET4_CONNECT,
229 BPF_CGROUP_INET6_CONNECT,
240 "connect4: rewrite IP & TCP port",
242 BPF_CGROUP_INET4_CONNECT,
243 BPF_CGROUP_INET4_CONNECT,
254 "connect4: rewrite IP & UDP port",
256 BPF_CGROUP_INET4_CONNECT,
257 BPF_CGROUP_INET4_CONNECT,
268 "connect6: load prog with wrong expected attach type",
270 BPF_CGROUP_INET4_CONNECT,
271 BPF_CGROUP_INET6_CONNECT,
282 "connect6: attach prog with wrong attach type",
284 BPF_CGROUP_INET6_CONNECT,
285 BPF_CGROUP_INET4_CONNECT,
296 "connect6: rewrite IP & TCP port",
298 BPF_CGROUP_INET6_CONNECT,
299 BPF_CGROUP_INET6_CONNECT,
310 "connect6: rewrite IP & UDP port",
312 BPF_CGROUP_INET6_CONNECT,
313 BPF_CGROUP_INET6_CONNECT,
326 "sendmsg4: load prog with wrong expected attach type",
327 sendmsg4_rw_asm_prog_load,
328 BPF_CGROUP_UDP6_SENDMSG,
329 BPF_CGROUP_UDP4_SENDMSG,
340 "sendmsg4: attach prog with wrong attach type",
341 sendmsg4_rw_asm_prog_load,
342 BPF_CGROUP_UDP4_SENDMSG,
343 BPF_CGROUP_UDP6_SENDMSG,
354 "sendmsg4: rewrite IP & port (asm)",
355 sendmsg4_rw_asm_prog_load,
356 BPF_CGROUP_UDP4_SENDMSG,
357 BPF_CGROUP_UDP4_SENDMSG,
368 "sendmsg4: rewrite IP & port (C)",
369 sendmsg4_rw_c_prog_load,
370 BPF_CGROUP_UDP4_SENDMSG,
371 BPF_CGROUP_UDP4_SENDMSG,
382 "sendmsg4: deny call",
383 sendmsg_deny_prog_load,
384 BPF_CGROUP_UDP4_SENDMSG,
385 BPF_CGROUP_UDP4_SENDMSG,
396 "sendmsg6: load prog with wrong expected attach type",
397 sendmsg6_rw_asm_prog_load,
398 BPF_CGROUP_UDP4_SENDMSG,
399 BPF_CGROUP_UDP6_SENDMSG,
410 "sendmsg6: attach prog with wrong attach type",
411 sendmsg6_rw_asm_prog_load,
412 BPF_CGROUP_UDP6_SENDMSG,
413 BPF_CGROUP_UDP4_SENDMSG,
424 "sendmsg6: rewrite IP & port (asm)",
425 sendmsg6_rw_asm_prog_load,
426 BPF_CGROUP_UDP6_SENDMSG,
427 BPF_CGROUP_UDP6_SENDMSG,
438 "sendmsg6: rewrite IP & port (C)",
439 sendmsg6_rw_c_prog_load,
440 BPF_CGROUP_UDP6_SENDMSG,
441 BPF_CGROUP_UDP6_SENDMSG,
452 "sendmsg6: IPv4-mapped IPv6",
453 sendmsg6_rw_v4mapped_prog_load,
454 BPF_CGROUP_UDP6_SENDMSG,
455 BPF_CGROUP_UDP6_SENDMSG,
466 "sendmsg6: deny call",
467 sendmsg_deny_prog_load,
468 BPF_CGROUP_UDP6_SENDMSG,
469 BPF_CGROUP_UDP6_SENDMSG,
481 static int mk_sockaddr(int domain, const char *ip, unsigned short port,
482 struct sockaddr *addr, socklen_t addr_len)
484 struct sockaddr_in6 *addr6;
485 struct sockaddr_in *addr4;
487 if (domain != AF_INET && domain != AF_INET6) {
488 log_err("Unsupported address family");
492 memset(addr, 0, addr_len);
494 if (domain == AF_INET) {
495 if (addr_len < sizeof(struct sockaddr_in))
497 addr4 = (struct sockaddr_in *)addr;
498 addr4->sin_family = domain;
499 addr4->sin_port = htons(port);
500 if (inet_pton(domain, ip, (void *)&addr4->sin_addr) != 1) {
501 log_err("Invalid IPv4: %s", ip);
504 } else if (domain == AF_INET6) {
505 if (addr_len < sizeof(struct sockaddr_in6))
507 addr6 = (struct sockaddr_in6 *)addr;
508 addr6->sin6_family = domain;
509 addr6->sin6_port = htons(port);
510 if (inet_pton(domain, ip, (void *)&addr6->sin6_addr) != 1) {
511 log_err("Invalid IPv6: %s", ip);
519 static int load_insns(const struct sock_addr_test *test,
520 const struct bpf_insn *insns, size_t insns_cnt)
522 struct bpf_load_program_attr load_attr;
525 memset(&load_attr, 0, sizeof(struct bpf_load_program_attr));
526 load_attr.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
527 load_attr.expected_attach_type = test->expected_attach_type;
528 load_attr.insns = insns;
529 load_attr.insns_cnt = insns_cnt;
530 load_attr.license = "GPL";
532 ret = bpf_load_program_xattr(&load_attr, bpf_log_buf, BPF_LOG_BUF_SIZE);
533 if (ret < 0 && test->expected_result != LOAD_REJECT) {
534 log_err(">>> Loading program error.\n"
535 ">>> Verifier output:\n%s\n-------\n", bpf_log_buf);
541 /* [1] These testing programs try to read different context fields, including
542 * narrow loads of different sizes from user_ip4 and user_ip6, and write to
543 * those allowed to be overridden.
545 * [2] BPF_LD_IMM64 & BPF_JMP_REG are used below whenever there is a need to
546 * compare a register with unsigned 32bit integer. BPF_JMP_IMM can't be used
547 * in such cases since it accepts only _signed_ 32bit integer as IMM
548 * argument. Also note that BPF_LD_IMM64 contains 2 instructions what matters
549 * to count jumps properly.
552 static int bind4_prog_load(const struct sock_addr_test *test)
556 uint16_t u4_addr16[2];
559 struct sockaddr_in addr4_rw;
561 if (inet_pton(AF_INET, SERV4_IP, (void *)&ip4) != 1) {
562 log_err("Invalid IPv4: %s", SERV4_IP);
566 if (mk_sockaddr(AF_INET, SERV4_REWRITE_IP, SERV4_REWRITE_PORT,
567 (struct sockaddr *)&addr4_rw, sizeof(addr4_rw)) == -1)
571 struct bpf_insn insns[] = {
572 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
574 /* if (sk.family == AF_INET && */
575 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
576 offsetof(struct bpf_sock_addr, family)),
577 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, AF_INET, 24),
579 /* (sk.type == SOCK_DGRAM || sk.type == SOCK_STREAM) && */
580 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
581 offsetof(struct bpf_sock_addr, type)),
582 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, SOCK_DGRAM, 1),
584 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, SOCK_STREAM, 20),
586 /* 1st_byte_of_user_ip4 == expected && */
587 BPF_LDX_MEM(BPF_B, BPF_REG_7, BPF_REG_6,
588 offsetof(struct bpf_sock_addr, user_ip4)),
589 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, ip4.u4_addr8[0], 18),
591 /* 2nd_byte_of_user_ip4 == expected && */
592 BPF_LDX_MEM(BPF_B, BPF_REG_7, BPF_REG_6,
593 offsetof(struct bpf_sock_addr, user_ip4) + 1),
594 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, ip4.u4_addr8[1], 16),
596 /* 3rd_byte_of_user_ip4 == expected && */
597 BPF_LDX_MEM(BPF_B, BPF_REG_7, BPF_REG_6,
598 offsetof(struct bpf_sock_addr, user_ip4) + 2),
599 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, ip4.u4_addr8[2], 14),
601 /* 4th_byte_of_user_ip4 == expected && */
602 BPF_LDX_MEM(BPF_B, BPF_REG_7, BPF_REG_6,
603 offsetof(struct bpf_sock_addr, user_ip4) + 3),
604 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, ip4.u4_addr8[3], 12),
606 /* 1st_half_of_user_ip4 == expected && */
607 BPF_LDX_MEM(BPF_H, BPF_REG_7, BPF_REG_6,
608 offsetof(struct bpf_sock_addr, user_ip4)),
609 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, ip4.u4_addr16[0], 10),
611 /* 2nd_half_of_user_ip4 == expected && */
612 BPF_LDX_MEM(BPF_H, BPF_REG_7, BPF_REG_6,
613 offsetof(struct bpf_sock_addr, user_ip4) + 2),
614 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, ip4.u4_addr16[1], 8),
616 /* whole_user_ip4 == expected) { */
617 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
618 offsetof(struct bpf_sock_addr, user_ip4)),
619 BPF_LD_IMM64(BPF_REG_8, ip4.u4_addr32), /* See [2]. */
620 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_8, 4),
622 /* user_ip4 = addr4_rw.sin_addr */
623 BPF_MOV32_IMM(BPF_REG_7, addr4_rw.sin_addr.s_addr),
624 BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
625 offsetof(struct bpf_sock_addr, user_ip4)),
627 /* user_port = addr4_rw.sin_port */
628 BPF_MOV32_IMM(BPF_REG_7, addr4_rw.sin_port),
629 BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
630 offsetof(struct bpf_sock_addr, user_port)),
634 BPF_MOV64_IMM(BPF_REG_0, 1),
638 return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
641 static int bind6_prog_load(const struct sock_addr_test *test)
643 struct sockaddr_in6 addr6_rw;
646 if (inet_pton(AF_INET6, SERV6_IP, (void *)&ip6) != 1) {
647 log_err("Invalid IPv6: %s", SERV6_IP);
651 if (mk_sockaddr(AF_INET6, SERV6_REWRITE_IP, SERV6_REWRITE_PORT,
652 (struct sockaddr *)&addr6_rw, sizeof(addr6_rw)) == -1)
656 struct bpf_insn insns[] = {
657 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
659 /* if (sk.family == AF_INET6 && */
660 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
661 offsetof(struct bpf_sock_addr, family)),
662 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, AF_INET6, 18),
664 /* 5th_byte_of_user_ip6 == expected && */
665 BPF_LDX_MEM(BPF_B, BPF_REG_7, BPF_REG_6,
666 offsetof(struct bpf_sock_addr, user_ip6[1])),
667 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, ip6.s6_addr[4], 16),
669 /* 3rd_half_of_user_ip6 == expected && */
670 BPF_LDX_MEM(BPF_H, BPF_REG_7, BPF_REG_6,
671 offsetof(struct bpf_sock_addr, user_ip6[1])),
672 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, ip6.s6_addr16[2], 14),
674 /* last_word_of_user_ip6 == expected) { */
675 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
676 offsetof(struct bpf_sock_addr, user_ip6[3])),
677 BPF_LD_IMM64(BPF_REG_8, ip6.s6_addr32[3]), /* See [2]. */
678 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_8, 10),
681 #define STORE_IPV6_WORD(N) \
682 BPF_MOV32_IMM(BPF_REG_7, addr6_rw.sin6_addr.s6_addr32[N]), \
683 BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7, \
684 offsetof(struct bpf_sock_addr, user_ip6[N]))
686 /* user_ip6 = addr6_rw.sin6_addr */
692 /* user_port = addr6_rw.sin6_port */
693 BPF_MOV32_IMM(BPF_REG_7, addr6_rw.sin6_port),
694 BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
695 offsetof(struct bpf_sock_addr, user_port)),
700 BPF_MOV64_IMM(BPF_REG_0, 1),
704 return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
707 static int load_path(const struct sock_addr_test *test, const char *path)
709 struct bpf_prog_load_attr attr;
710 struct bpf_object *obj;
713 memset(&attr, 0, sizeof(struct bpf_prog_load_attr));
715 attr.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
716 attr.expected_attach_type = test->expected_attach_type;
718 if (bpf_prog_load_xattr(&attr, &obj, &prog_fd)) {
719 if (test->expected_result != LOAD_REJECT)
720 log_err(">>> Loading program (%s) error.\n", path);
727 static int connect4_prog_load(const struct sock_addr_test *test)
729 return load_path(test, CONNECT4_PROG_PATH);
732 static int connect6_prog_load(const struct sock_addr_test *test)
734 return load_path(test, CONNECT6_PROG_PATH);
737 static int sendmsg_deny_prog_load(const struct sock_addr_test *test)
739 struct bpf_insn insns[] = {
741 BPF_MOV64_IMM(BPF_REG_0, 0),
744 return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
747 static int sendmsg4_rw_asm_prog_load(const struct sock_addr_test *test)
749 struct sockaddr_in dst4_rw_addr;
750 struct in_addr src4_rw_ip;
752 if (inet_pton(AF_INET, SRC4_REWRITE_IP, (void *)&src4_rw_ip) != 1) {
753 log_err("Invalid IPv4: %s", SRC4_REWRITE_IP);
757 if (mk_sockaddr(AF_INET, SERV4_REWRITE_IP, SERV4_REWRITE_PORT,
758 (struct sockaddr *)&dst4_rw_addr,
759 sizeof(dst4_rw_addr)) == -1)
762 struct bpf_insn insns[] = {
763 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
765 /* if (sk.family == AF_INET && */
766 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
767 offsetof(struct bpf_sock_addr, family)),
768 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, AF_INET, 8),
770 /* sk.type == SOCK_DGRAM) { */
771 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
772 offsetof(struct bpf_sock_addr, type)),
773 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, SOCK_DGRAM, 6),
775 /* msg_src_ip4 = src4_rw_ip */
776 BPF_MOV32_IMM(BPF_REG_7, src4_rw_ip.s_addr),
777 BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
778 offsetof(struct bpf_sock_addr, msg_src_ip4)),
780 /* user_ip4 = dst4_rw_addr.sin_addr */
781 BPF_MOV32_IMM(BPF_REG_7, dst4_rw_addr.sin_addr.s_addr),
782 BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
783 offsetof(struct bpf_sock_addr, user_ip4)),
785 /* user_port = dst4_rw_addr.sin_port */
786 BPF_MOV32_IMM(BPF_REG_7, dst4_rw_addr.sin_port),
787 BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
788 offsetof(struct bpf_sock_addr, user_port)),
792 BPF_MOV64_IMM(BPF_REG_0, 1),
796 return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
799 static int sendmsg4_rw_c_prog_load(const struct sock_addr_test *test)
801 return load_path(test, SENDMSG4_PROG_PATH);
804 static int sendmsg6_rw_dst_asm_prog_load(const struct sock_addr_test *test,
805 const char *rw_dst_ip)
807 struct sockaddr_in6 dst6_rw_addr;
808 struct in6_addr src6_rw_ip;
810 if (inet_pton(AF_INET6, SRC6_REWRITE_IP, (void *)&src6_rw_ip) != 1) {
811 log_err("Invalid IPv6: %s", SRC6_REWRITE_IP);
815 if (mk_sockaddr(AF_INET6, rw_dst_ip, SERV6_REWRITE_PORT,
816 (struct sockaddr *)&dst6_rw_addr,
817 sizeof(dst6_rw_addr)) == -1)
820 struct bpf_insn insns[] = {
821 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
823 /* if (sk.family == AF_INET6) { */
824 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
825 offsetof(struct bpf_sock_addr, family)),
826 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, AF_INET6, 18),
828 #define STORE_IPV6_WORD_N(DST, SRC, N) \
829 BPF_MOV32_IMM(BPF_REG_7, SRC[N]), \
830 BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7, \
831 offsetof(struct bpf_sock_addr, DST[N]))
833 #define STORE_IPV6(DST, SRC) \
834 STORE_IPV6_WORD_N(DST, SRC, 0), \
835 STORE_IPV6_WORD_N(DST, SRC, 1), \
836 STORE_IPV6_WORD_N(DST, SRC, 2), \
837 STORE_IPV6_WORD_N(DST, SRC, 3)
839 STORE_IPV6(msg_src_ip6, src6_rw_ip.s6_addr32),
840 STORE_IPV6(user_ip6, dst6_rw_addr.sin6_addr.s6_addr32),
842 /* user_port = dst6_rw_addr.sin6_port */
843 BPF_MOV32_IMM(BPF_REG_7, dst6_rw_addr.sin6_port),
844 BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
845 offsetof(struct bpf_sock_addr, user_port)),
850 BPF_MOV64_IMM(BPF_REG_0, 1),
854 return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
857 static int sendmsg6_rw_asm_prog_load(const struct sock_addr_test *test)
859 return sendmsg6_rw_dst_asm_prog_load(test, SERV6_REWRITE_IP);
862 static int sendmsg6_rw_v4mapped_prog_load(const struct sock_addr_test *test)
864 return sendmsg6_rw_dst_asm_prog_load(test, SERV6_V4MAPPED_IP);
867 static int sendmsg6_rw_c_prog_load(const struct sock_addr_test *test)
869 return load_path(test, SENDMSG6_PROG_PATH);
872 static int cmp_addr(const struct sockaddr_storage *addr1,
873 const struct sockaddr_storage *addr2, int cmp_port)
875 const struct sockaddr_in *four1, *four2;
876 const struct sockaddr_in6 *six1, *six2;
878 if (addr1->ss_family != addr2->ss_family)
881 if (addr1->ss_family == AF_INET) {
882 four1 = (const struct sockaddr_in *)addr1;
883 four2 = (const struct sockaddr_in *)addr2;
884 return !((four1->sin_port == four2->sin_port || !cmp_port) &&
885 four1->sin_addr.s_addr == four2->sin_addr.s_addr);
886 } else if (addr1->ss_family == AF_INET6) {
887 six1 = (const struct sockaddr_in6 *)addr1;
888 six2 = (const struct sockaddr_in6 *)addr2;
889 return !((six1->sin6_port == six2->sin6_port || !cmp_port) &&
890 !memcmp(&six1->sin6_addr, &six2->sin6_addr,
891 sizeof(struct in6_addr)));
897 static int cmp_sock_addr(info_fn fn, int sock1,
898 const struct sockaddr_storage *addr2, int cmp_port)
900 struct sockaddr_storage addr1;
901 socklen_t len1 = sizeof(addr1);
903 memset(&addr1, 0, len1);
904 if (fn(sock1, (struct sockaddr *)&addr1, (socklen_t *)&len1) != 0)
907 return cmp_addr(&addr1, addr2, cmp_port);
910 static int cmp_local_ip(int sock1, const struct sockaddr_storage *addr2)
912 return cmp_sock_addr(getsockname, sock1, addr2, /*cmp_port*/ 0);
915 static int cmp_local_addr(int sock1, const struct sockaddr_storage *addr2)
917 return cmp_sock_addr(getsockname, sock1, addr2, /*cmp_port*/ 1);
920 static int cmp_peer_addr(int sock1, const struct sockaddr_storage *addr2)
922 return cmp_sock_addr(getpeername, sock1, addr2, /*cmp_port*/ 1);
925 static int start_server(int type, const struct sockaddr_storage *addr,
930 fd = socket(addr->ss_family, type, 0);
932 log_err("Failed to create server socket");
936 if (bind(fd, (const struct sockaddr *)addr, addr_len) == -1) {
937 log_err("Failed to bind server socket");
941 if (type == SOCK_STREAM) {
942 if (listen(fd, 128) == -1) {
943 log_err("Failed to listen on server socket");
956 static int connect_to_server(int type, const struct sockaddr_storage *addr,
962 domain = addr->ss_family;
964 if (domain != AF_INET && domain != AF_INET6) {
965 log_err("Unsupported address family");
969 fd = socket(domain, type, 0);
971 log_err("Failed to create client socket");
975 if (connect(fd, (const struct sockaddr *)addr, addr_len) == -1) {
976 log_err("Fail to connect to server");
988 int init_pktinfo(int domain, struct cmsghdr *cmsg)
990 struct in6_pktinfo *pktinfo6;
991 struct in_pktinfo *pktinfo4;
993 if (domain == AF_INET) {
994 cmsg->cmsg_level = SOL_IP;
995 cmsg->cmsg_type = IP_PKTINFO;
996 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
997 pktinfo4 = (struct in_pktinfo *)CMSG_DATA(cmsg);
998 memset(pktinfo4, 0, sizeof(struct in_pktinfo));
999 if (inet_pton(domain, SRC4_IP,
1000 (void *)&pktinfo4->ipi_spec_dst) != 1)
1002 } else if (domain == AF_INET6) {
1003 cmsg->cmsg_level = SOL_IPV6;
1004 cmsg->cmsg_type = IPV6_PKTINFO;
1005 cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
1006 pktinfo6 = (struct in6_pktinfo *)CMSG_DATA(cmsg);
1007 memset(pktinfo6, 0, sizeof(struct in6_pktinfo));
1008 if (inet_pton(domain, SRC6_IP,
1009 (void *)&pktinfo6->ipi6_addr) != 1)
1018 static int sendmsg_to_server(int type, const struct sockaddr_storage *addr,
1019 socklen_t addr_len, int set_cmsg, int flags,
1023 char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
1024 struct cmsghdr align;
1027 char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
1028 struct cmsghdr align;
1036 domain = addr->ss_family;
1038 if (domain != AF_INET && domain != AF_INET6) {
1039 log_err("Unsupported address family");
1043 fd = socket(domain, type, 0);
1045 log_err("Failed to create client socket");
1049 memset(&iov, 0, sizeof(iov));
1050 iov.iov_base = &data;
1051 iov.iov_len = sizeof(data);
1053 memset(&hdr, 0, sizeof(hdr));
1054 hdr.msg_name = (void *)addr;
1055 hdr.msg_namelen = addr_len;
1060 if (domain == AF_INET) {
1061 hdr.msg_control = &control4;
1062 hdr.msg_controllen = sizeof(control4.buf);
1063 } else if (domain == AF_INET6) {
1064 hdr.msg_control = &control6;
1065 hdr.msg_controllen = sizeof(control6.buf);
1067 if (init_pktinfo(domain, CMSG_FIRSTHDR(&hdr))) {
1068 log_err("Fail to init pktinfo");
1073 if (sendmsg(fd, &hdr, flags) != sizeof(data)) {
1074 log_err("Fail to send message to server");
1075 *syscall_err = errno;
1087 static int fastconnect_to_server(const struct sockaddr_storage *addr,
1092 return sendmsg_to_server(SOCK_STREAM, addr, addr_len, /*set_cmsg*/0,
1093 MSG_FASTOPEN, &sendmsg_err);
1096 static int recvmsg_from_client(int sockfd, struct sockaddr_storage *src_addr)
1105 FD_SET(sockfd, &rfds);
1110 if (select(sockfd + 1, &rfds, NULL, NULL, &tv) <= 0 ||
1111 !FD_ISSET(sockfd, &rfds))
1114 memset(&iov, 0, sizeof(iov));
1115 iov.iov_base = data;
1116 iov.iov_len = sizeof(data);
1118 memset(&hdr, 0, sizeof(hdr));
1119 hdr.msg_name = src_addr;
1120 hdr.msg_namelen = sizeof(struct sockaddr_storage);
1124 return recvmsg(sockfd, &hdr, 0);
1127 static int init_addrs(const struct sock_addr_test *test,
1128 struct sockaddr_storage *requested_addr,
1129 struct sockaddr_storage *expected_addr,
1130 struct sockaddr_storage *expected_src_addr)
1132 socklen_t addr_len = sizeof(struct sockaddr_storage);
1134 if (mk_sockaddr(test->domain, test->expected_ip, test->expected_port,
1135 (struct sockaddr *)expected_addr, addr_len) == -1)
1138 if (mk_sockaddr(test->domain, test->requested_ip, test->requested_port,
1139 (struct sockaddr *)requested_addr, addr_len) == -1)
1142 if (test->expected_src_ip &&
1143 mk_sockaddr(test->domain, test->expected_src_ip, 0,
1144 (struct sockaddr *)expected_src_addr, addr_len) == -1)
1152 static int run_bind_test_case(const struct sock_addr_test *test)
1154 socklen_t addr_len = sizeof(struct sockaddr_storage);
1155 struct sockaddr_storage requested_addr;
1156 struct sockaddr_storage expected_addr;
1161 if (init_addrs(test, &requested_addr, &expected_addr, NULL))
1164 servfd = start_server(test->type, &requested_addr, addr_len);
1168 if (cmp_local_addr(servfd, &expected_addr))
1171 /* Try to connect to server just in case */
1172 clientfd = connect_to_server(test->type, &expected_addr, addr_len);
1185 static int run_connect_test_case(const struct sock_addr_test *test)
1187 socklen_t addr_len = sizeof(struct sockaddr_storage);
1188 struct sockaddr_storage expected_src_addr;
1189 struct sockaddr_storage requested_addr;
1190 struct sockaddr_storage expected_addr;
1195 if (init_addrs(test, &requested_addr, &expected_addr,
1196 &expected_src_addr))
1199 /* Prepare server to connect to */
1200 servfd = start_server(test->type, &expected_addr, addr_len);
1204 clientfd = connect_to_server(test->type, &requested_addr, addr_len);
1208 /* Make sure src and dst addrs were overridden properly */
1209 if (cmp_peer_addr(clientfd, &expected_addr))
1212 if (cmp_local_ip(clientfd, &expected_src_addr))
1215 if (test->type == SOCK_STREAM) {
1216 /* Test TCP Fast Open scenario */
1217 clientfd = fastconnect_to_server(&requested_addr, addr_len);
1221 /* Make sure src and dst addrs were overridden properly */
1222 if (cmp_peer_addr(clientfd, &expected_addr))
1225 if (cmp_local_ip(clientfd, &expected_src_addr))
1238 static int run_sendmsg_test_case(const struct sock_addr_test *test)
1240 socklen_t addr_len = sizeof(struct sockaddr_storage);
1241 struct sockaddr_storage expected_src_addr;
1242 struct sockaddr_storage requested_addr;
1243 struct sockaddr_storage expected_addr;
1244 struct sockaddr_storage real_src_addr;
1250 if (test->type != SOCK_DGRAM)
1253 if (init_addrs(test, &requested_addr, &expected_addr,
1254 &expected_src_addr))
1257 /* Prepare server to sendmsg to */
1258 servfd = start_server(test->type, &expected_addr, addr_len);
1262 for (set_cmsg = 0; set_cmsg <= 1; ++set_cmsg) {
1266 clientfd = sendmsg_to_server(test->type, &requested_addr,
1267 addr_len, set_cmsg, /*flags*/0,
1271 else if (clientfd == -1)
1274 /* Try to receive message on server instead of using
1275 * getpeername(2) on client socket, to check that client's
1276 * destination address was rewritten properly, since
1277 * getpeername(2) doesn't work with unconnected datagram
1280 * Get source address from recvmsg(2) as well to make sure
1281 * source was rewritten properly: getsockname(2) can't be used
1282 * since socket is unconnected and source defined for one
1283 * specific packet may differ from the one used by default and
1284 * returned by getsockname(2).
1286 if (recvmsg_from_client(servfd, &real_src_addr) == -1)
1289 if (cmp_addr(&real_src_addr, &expected_src_addr, /*cmp_port*/0))
1302 static int run_test_case(int cgfd, const struct sock_addr_test *test)
1307 printf("Test case: %s .. ", test->descr);
1309 progfd = test->loadfn(test);
1310 if (test->expected_result == LOAD_REJECT && progfd < 0)
1312 else if (test->expected_result == LOAD_REJECT || progfd < 0)
1315 err = bpf_prog_attach(progfd, cgfd, test->attach_type,
1316 BPF_F_ALLOW_OVERRIDE);
1317 if (test->expected_result == ATTACH_REJECT && err) {
1318 err = 0; /* error was expected, reset it */
1320 } else if (test->expected_result == ATTACH_REJECT || err) {
1324 switch (test->attach_type) {
1325 case BPF_CGROUP_INET4_BIND:
1326 case BPF_CGROUP_INET6_BIND:
1327 err = run_bind_test_case(test);
1329 case BPF_CGROUP_INET4_CONNECT:
1330 case BPF_CGROUP_INET6_CONNECT:
1331 err = run_connect_test_case(test);
1333 case BPF_CGROUP_UDP4_SENDMSG:
1334 case BPF_CGROUP_UDP6_SENDMSG:
1335 err = run_sendmsg_test_case(test);
1341 if (test->expected_result == SYSCALL_EPERM && err == EPERM) {
1342 err = 0; /* error was expected, reset it */
1346 if (test->expected_result == SYSCALL_ENOTSUPP && err == ENOTSUPP) {
1347 err = 0; /* error was expected, reset it */
1351 if (err || test->expected_result != SUCCESS)
1358 /* Detaching w/o checking return code: best effort attempt. */
1360 bpf_prog_detach(cgfd, test->attach_type);
1362 printf("[%s]\n", err ? "FAIL" : "PASS");
1366 static int run_tests(int cgfd)
1372 for (i = 0; i < ARRAY_SIZE(tests); ++i) {
1373 if (run_test_case(cgfd, &tests[i]))
1378 printf("Summary: %d PASSED, %d FAILED\n", passes, fails);
1379 return fails ? -1 : 0;
1382 int main(int argc, char **argv)
1389 "%s has to be run via %s.sh. Skip direct run.\n",
1394 if (setup_cgroup_environment())
1397 cgfd = create_and_get_cgroup(CG_PATH);
1401 if (join_cgroup(CG_PATH))
1404 if (run_tests(cgfd))
1412 cleanup_cgroup_environment();