1 // SPDX-License-Identifier: GPL-2.0
2 // Copyright (c) 2018 Facebook
3 // Copyright (c) 2019 Cloudflare
4 // Copyright (c) 2020 Isovalent, Inc.
5 /*
6  * Test that the socket assign program is able to redirect traffic towards a
7  * socket, regardless of whether the port or address destination of the traffic
8  * matches the port.
9  */
10 
11 #define _GNU_SOURCE
12 #include <fcntl.h>
13 #include <signal.h>
14 #include <stdlib.h>
15 #include <unistd.h>
16 
17 #include "test_progs.h"
18 
19 #define BIND_PORT 1234
20 #define CONNECT_PORT 4321
21 #define TEST_DADDR (0xC0A80203)
22 #define NS_SELF "/proc/self/ns/net"
23 #define SERVER_MAP_PATH "/sys/fs/bpf/tc/globals/server_map"
24 
25 static const struct timeval timeo_sec = { .tv_sec = 3 };
26 static const size_t timeo_optlen = sizeof(timeo_sec);
27 static int stop, duration;
28 
29 static bool
30 configure_stack(void)
31 {
32 	char tc_cmd[BUFSIZ];
33 
34 	/* Move to a new networking namespace */
35 	if (CHECK_FAIL(unshare(CLONE_NEWNET)))
36 		return false;
37 
38 	/* Configure necessary links, routes */
39 	if (CHECK_FAIL(system("ip link set dev lo up")))
40 		return false;
41 	if (CHECK_FAIL(system("ip route add local default dev lo")))
42 		return false;
43 	if (CHECK_FAIL(system("ip -6 route add local default dev lo")))
44 		return false;
45 
46 	/* Load qdisc, BPF program */
47 	if (CHECK_FAIL(system("tc qdisc add dev lo clsact")))
48 		return false;
49 	sprintf(tc_cmd, "%s %s %s %s", "tc filter add dev lo ingress bpf",
50 		       "direct-action object-file ./test_sk_assign.o",
51 		       "section tc",
52 		       (env.verbosity < VERBOSE_VERY) ? " 2>/dev/null" : "verbose");
53 	if (CHECK(system(tc_cmd), "BPF load failed;",
54 		  "run with -vv for more info\n"))
55 		return false;
56 
57 	return true;
58 }
59 
60 static int
61 start_server(const struct sockaddr *addr, socklen_t len, int type)
62 {
63 	int fd;
64 
65 	fd = socket(addr->sa_family, type, 0);
66 	if (CHECK_FAIL(fd == -1))
67 		goto out;
68 	if (CHECK_FAIL(setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &timeo_sec,
69 				  timeo_optlen)))
70 		goto close_out;
71 	if (CHECK_FAIL(bind(fd, addr, len) == -1))
72 		goto close_out;
73 	if (type == SOCK_STREAM && CHECK_FAIL(listen(fd, 128) == -1))
74 		goto close_out;
75 
76 	goto out;
77 close_out:
78 	close(fd);
79 	fd = -1;
80 out:
81 	return fd;
82 }
83 
84 static int
85 connect_to_server(const struct sockaddr *addr, socklen_t len, int type)
86 {
87 	int fd = -1;
88 
89 	fd = socket(addr->sa_family, type, 0);
90 	if (CHECK_FAIL(fd == -1))
91 		goto out;
92 	if (CHECK_FAIL(setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &timeo_sec,
93 				  timeo_optlen)))
94 		goto close_out;
95 	if (CHECK_FAIL(connect(fd, addr, len)))
96 		goto close_out;
97 
98 	goto out;
99 close_out:
100 	close(fd);
101 	fd = -1;
102 out:
103 	return fd;
104 }
105 
106 static in_port_t
107 get_port(int fd)
108 {
109 	struct sockaddr_storage ss;
110 	socklen_t slen = sizeof(ss);
111 	in_port_t port = 0;
112 
113 	if (CHECK_FAIL(getsockname(fd, (struct sockaddr *)&ss, &slen)))
114 		return port;
115 
116 	switch (ss.ss_family) {
117 	case AF_INET:
118 		port = ((struct sockaddr_in *)&ss)->sin_port;
119 		break;
120 	case AF_INET6:
121 		port = ((struct sockaddr_in6 *)&ss)->sin6_port;
122 		break;
123 	default:
124 		CHECK(1, "Invalid address family", "%d\n", ss.ss_family);
125 	}
126 	return port;
127 }
128 
129 static ssize_t
130 rcv_msg(int srv_client, int type)
131 {
132 	struct sockaddr_storage ss;
133 	char buf[BUFSIZ];
134 	socklen_t slen;
135 
136 	if (type == SOCK_STREAM)
137 		return read(srv_client, &buf, sizeof(buf));
138 	else
139 		return recvfrom(srv_client, &buf, sizeof(buf), 0,
140 				(struct sockaddr *)&ss, &slen);
141 }
142 
143 static int
144 run_test(int server_fd, const struct sockaddr *addr, socklen_t len, int type)
145 {
146 	int client = -1, srv_client = -1;
147 	char buf[] = "testing";
148 	in_port_t port;
149 	int ret = 1;
150 
151 	client = connect_to_server(addr, len, type);
152 	if (client == -1) {
153 		perror("Cannot connect to server");
154 		goto out;
155 	}
156 
157 	if (type == SOCK_STREAM) {
158 		srv_client = accept(server_fd, NULL, NULL);
159 		if (CHECK_FAIL(srv_client == -1)) {
160 			perror("Can't accept connection");
161 			goto out;
162 		}
163 	} else {
164 		srv_client = server_fd;
165 	}
166 	if (CHECK_FAIL(write(client, buf, sizeof(buf)) != sizeof(buf))) {
167 		perror("Can't write on client");
168 		goto out;
169 	}
170 	if (CHECK_FAIL(rcv_msg(srv_client, type) != sizeof(buf))) {
171 		perror("Can't read on server");
172 		goto out;
173 	}
174 
175 	port = get_port(srv_client);
176 	if (CHECK_FAIL(!port))
177 		goto out;
178 	/* SOCK_STREAM is connected via accept(), so the server's local address
179 	 * will be the CONNECT_PORT rather than the BIND port that corresponds
180 	 * to the listen socket. SOCK_DGRAM on the other hand is connectionless
181 	 * so we can't really do the same check there; the server doesn't ever
182 	 * create a socket with CONNECT_PORT.
183 	 */
184 	if (type == SOCK_STREAM &&
185 	    CHECK(port != htons(CONNECT_PORT), "Expected", "port %u but got %u",
186 		  CONNECT_PORT, ntohs(port)))
187 		goto out;
188 	else if (type == SOCK_DGRAM &&
189 		 CHECK(port != htons(BIND_PORT), "Expected",
190 		       "port %u but got %u", BIND_PORT, ntohs(port)))
191 		goto out;
192 
193 	ret = 0;
194 out:
195 	close(client);
196 	if (srv_client != server_fd)
197 		close(srv_client);
198 	if (ret)
199 		WRITE_ONCE(stop, 1);
200 	return ret;
201 }
202 
203 static void
204 prepare_addr(struct sockaddr *addr, int family, __u16 port, bool rewrite_addr)
205 {
206 	struct sockaddr_in *addr4;
207 	struct sockaddr_in6 *addr6;
208 
209 	switch (family) {
210 	case AF_INET:
211 		addr4 = (struct sockaddr_in *)addr;
212 		memset(addr4, 0, sizeof(*addr4));
213 		addr4->sin_family = family;
214 		addr4->sin_port = htons(port);
215 		if (rewrite_addr)
216 			addr4->sin_addr.s_addr = htonl(TEST_DADDR);
217 		else
218 			addr4->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
219 		break;
220 	case AF_INET6:
221 		addr6 = (struct sockaddr_in6 *)addr;
222 		memset(addr6, 0, sizeof(*addr6));
223 		addr6->sin6_family = family;
224 		addr6->sin6_port = htons(port);
225 		addr6->sin6_addr = in6addr_loopback;
226 		if (rewrite_addr)
227 			addr6->sin6_addr.s6_addr32[3] = htonl(TEST_DADDR);
228 		break;
229 	default:
230 		fprintf(stderr, "Invalid family %d", family);
231 	}
232 }
233 
234 struct test_sk_cfg {
235 	const char *name;
236 	int family;
237 	struct sockaddr *addr;
238 	socklen_t len;
239 	int type;
240 	bool rewrite_addr;
241 };
242 
243 #define TEST(NAME, FAMILY, TYPE, REWRITE)				\
244 {									\
245 	.name = NAME,							\
246 	.family = FAMILY,						\
247 	.addr = (FAMILY == AF_INET) ? (struct sockaddr *)&addr4		\
248 				    : (struct sockaddr *)&addr6,	\
249 	.len = (FAMILY == AF_INET) ? sizeof(addr4) : sizeof(addr6),	\
250 	.type = TYPE,							\
251 	.rewrite_addr = REWRITE,					\
252 }
253 
254 void test_sk_assign(void)
255 {
256 	struct sockaddr_in addr4;
257 	struct sockaddr_in6 addr6;
258 	struct test_sk_cfg tests[] = {
259 		TEST("ipv4 tcp port redir", AF_INET, SOCK_STREAM, false),
260 		TEST("ipv4 tcp addr redir", AF_INET, SOCK_STREAM, true),
261 		TEST("ipv6 tcp port redir", AF_INET6, SOCK_STREAM, false),
262 		TEST("ipv6 tcp addr redir", AF_INET6, SOCK_STREAM, true),
263 		TEST("ipv4 udp port redir", AF_INET, SOCK_DGRAM, false),
264 		TEST("ipv4 udp addr redir", AF_INET, SOCK_DGRAM, true),
265 		TEST("ipv6 udp port redir", AF_INET6, SOCK_DGRAM, false),
266 		TEST("ipv6 udp addr redir", AF_INET6, SOCK_DGRAM, true),
267 	};
268 	__s64 server = -1;
269 	int server_map;
270 	int self_net;
271 	int i;
272 
273 	self_net = open(NS_SELF, O_RDONLY);
274 	if (CHECK_FAIL(self_net < 0)) {
275 		perror("Unable to open "NS_SELF);
276 		return;
277 	}
278 
279 	if (!configure_stack()) {
280 		perror("configure_stack");
281 		goto cleanup;
282 	}
283 
284 	server_map = bpf_obj_get(SERVER_MAP_PATH);
285 	if (CHECK_FAIL(server_map < 0)) {
286 		perror("Unable to open " SERVER_MAP_PATH);
287 		goto cleanup;
288 	}
289 
290 	for (i = 0; i < ARRAY_SIZE(tests) && !READ_ONCE(stop); i++) {
291 		struct test_sk_cfg *test = &tests[i];
292 		const struct sockaddr *addr;
293 		const int zero = 0;
294 		int err;
295 
296 		if (!test__start_subtest(test->name))
297 			continue;
298 		prepare_addr(test->addr, test->family, BIND_PORT, false);
299 		addr = (const struct sockaddr *)test->addr;
300 		server = start_server(addr, test->len, test->type);
301 		if (server == -1)
302 			goto close;
303 
304 		err = bpf_map_update_elem(server_map, &zero, &server, BPF_ANY);
305 		if (CHECK_FAIL(err)) {
306 			perror("Unable to update server_map");
307 			goto close;
308 		}
309 
310 		/* connect to unbound ports */
311 		prepare_addr(test->addr, test->family, CONNECT_PORT,
312 			     test->rewrite_addr);
313 		if (run_test(server, addr, test->len, test->type))
314 			goto close;
315 
316 		close(server);
317 		server = -1;
318 	}
319 
320 close:
321 	close(server);
322 	close(server_map);
323 cleanup:
324 	if (CHECK_FAIL(unlink(SERVER_MAP_PATH)))
325 		perror("Unable to unlink " SERVER_MAP_PATH);
326 	if (CHECK_FAIL(setns(self_net, CLONE_NEWNET)))
327 		perror("Failed to setns("NS_SELF")");
328 	close(self_net);
329 }
330