Re: [PATCH bpf-next v6 5/6] bpf: Add selftests for raw syncookie helpers

From: Maxim Mikityanskiy <maximmi@nvidia.com>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: "Alexei Starovoitov" <alexei.starovoitov@gmail.com>,
	bpf <bpf@vger.kernel.org>, "Alexei Starovoitov" <ast@kernel.org>,
	"Daniel Borkmann" <daniel@iogearbox.net>,
	"Andrii Nakryiko" <andrii@kernel.org>,
	Networking <netdev@vger.kernel.org>,
	"Tariq Toukan" <tariqt@nvidia.com>,
	"Martin KaFai Lau" <kafai@fb.com>,
	"Song Liu" <songliubraving@fb.com>, "Yonghong Song" <yhs@fb.com>,
	"John Fastabend" <john.fastabend@gmail.com>,
	"KP Singh" <kpsingh@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"Petar Penkov" <ppenkov@google.com>,
	"Lorenz Bauer" <lmb@cloudflare.com>,
	"Eric Dumazet" <edumazet@google.com>,
	"Hideaki YOSHIFUJI" <yoshfuji@linux-ipv6.org>,
	"David Ahern" <dsahern@kernel.org>,
	"Shuah Khan" <shuah@kernel.org>,
	"Jesper Dangaard Brouer" <hawk@kernel.org>,
	"Nathan Chancellor" <nathan@kernel.org>,
	"Nick Desaulniers" <ndesaulniers@google.com>,
	"Joe Stringer" <joe@cilium.io>,
	"Florent Revest" <revest@chromium.org>,
	"open list:KERNEL SELFTEST FRAMEWORK"
	<linux-kselftest@vger.kernel.org>,
	"Toke Høiland-Jørgensen" <toke@toke.dk>,
	"Kumar Kartikeya Dwivedi" <memxor@gmail.com>,
	"Florian Westphal" <fw@strlen.de>,
	pabeni@redhat.com
Subject: Re: [PATCH bpf-next v6 5/6] bpf: Add selftests for raw syncookie helpers
Date: Wed, 27 Apr 2022 20:19:21 +0300	[thread overview]
Message-ID: <946b8928-56b6-b6ca-ec33-6ffe7af6a90c@nvidia.com> (raw)
In-Reply-To: <CAEf4BzZhjY+F9JYmT7k+m87UZ1qKuO8_Mjjq4CGgkr=z9BGDCg@mail.gmail.com>

On 2022-04-27 01:11, Andrii Nakryiko wrote:
> On Tue, Apr 26, 2022 at 11:29 AM Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
>>
>> On 2022-04-26 09:26, Andrii Nakryiko wrote:
>>> On Mon, Apr 25, 2022 at 5:12 PM Alexei Starovoitov
>>> <alexei.starovoitov@gmail.com> wrote:
>>>>
>>>> On Fri, Apr 22, 2022 at 08:24:21PM +0300, Maxim Mikityanskiy wrote:
>>>>> +void test_xdp_synproxy(void)
>>>>> +{
>>>>> +     int server_fd = -1, client_fd = -1, accept_fd = -1;
>>>>> +     struct nstoken *ns = NULL;
>>>>> +     FILE *ctrl_file = NULL;
>>>>> +     char buf[1024];
>>>>> +     size_t size;
>>>>> +
>>>>> +     SYS("ip netns add synproxy");
>>>>> +
>>>>> +     SYS("ip link add tmp0 type veth peer name tmp1");
>>>>> +     SYS("ip link set tmp1 netns synproxy");
>>>>> +     SYS("ip link set tmp0 up");
>>>>> +     SYS("ip addr replace 198.18.0.1/24 dev tmp0");
>>>>> +
>>>>> +     // When checksum offload is enabled, the XDP program sees wrong
>>>>> +     // checksums and drops packets.
>>>>> +     SYS("ethtool -K tmp0 tx off");
>>>>
>>>> BPF CI image doesn't have ethtool installed.
>>>> It will take some time to get it updated. Until then we cannot land the patch set.
>>>> Can you think of a way to run this test without shelling to ethtool?
>>>
>>> Good news: we got updated CI image with ethtool, so that shouldn't be
>>> a problem anymore.
>>>
>>> Bad news: this selftest still fails, but in different place:
>>>
>>> test_synproxy:FAIL:iptables -t raw -I PREROUTING -i tmp1 -p tcp -m tcp
>>> --syn --dport 8080 -j CT --notrack unexpected error: 512 (errno 2)
>>
>> That's simply a matter of missing kernel config options:
>>
>> CONFIG_NETFILTER_SYNPROXY=y
>> CONFIG_NETFILTER_XT_TARGET_CT=y
>> CONFIG_NETFILTER_XT_MATCH_STATE=y
>> CONFIG_IP_NF_FILTER=y
>> CONFIG_IP_NF_TARGET_SYNPROXY=y
>> CONFIG_IP_NF_RAW=y
>>
>> Shall I create a pull request on github to add these options to
>> https://github.com/libbpf/libbpf/tree/master/travis-ci/vmtest/configs?
>>
> 
> Yes, please. But also for [0], that's the one that tests all the
> not-yet-applied patches
> 
>    [0] https://github.com/kernel-patches/vmtest/

Created pull requests:

https://github.com/kernel-patches/vmtest/pull/79
https://github.com/libbpf/libbpf/pull/490

>>> See [0].
>>>
>>>     [0] https://github.com/kernel-patches/bpf/runs/6169439612?check_suite_focus=true
>>