bpf:test: extend encrypt_host.h suite and add decrypt_host.h #44339
julianwiedmann merged 4 commits into main from
a2de837 to be7fe83
d2b2d11 to e3f820a
/test
julianwiedmann left a comment
bpf:test: fix ETH_HLEN naming in wireguard_helpers_tests.c
✔️ (see nit pick)
bpf:test:wireguard: file renaming according to TC hook
✔️
bpf:test:wireguard: remove redundant from-netdev checks
:processing:
bpf:test:wireguard: fix node lookup with ipcache lookup
✔️
bpf:test:wireguard: add to-netdev test plain IPv4/6 pod-to-pod packet
bpf:test:wireguard: add to-netdev test plain IPv4/6 node-to-node packet
see comment
bpf:test:wireguard: add ingress strict mode tests for IPv6
✔️
✔️ agree with your reasoning! :)
e3f820a to 3a8eba6
@julianwiedmann I just updated this following your suggestions and trying to expand the test suite even further.
/test
julianwiedmann left a comment
> @julianwiedmann I just updated this following your suggestions and trying to expand the test suite even further. Updated commits, commit messages, and PR description accordingly. Could split it in multiple PRs if you want, or pull in other reviewers if too much 🙏🏼

Thank you! Looks great overall, except that `bpf:tests:encrypt_host: extend suite with Overlay coverage` rubs me slightly wrong ... but I can't place exactly why right now. Would it be possible to extract that patch into a separate PR for an additional look, and merge the rest? Or are there too many conflicts with patches 4/5?
While defining the macro ETH_HLEN back then, I lost an "H" in the name. Given we don't need to specifically set it to 0 (we're testing wireguard helpers called from other files, such as bpf_host), let's get rid of this, and use sizeof(struct ethhdr) for computing L4 offset in tests. Before this degrades and breaks the tests, let's fix it.
Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>

This commit adds IPv6 coverage to the encrypt_host test suite, by basically replicating the existing IPv4 tests for IPv6. Differently, ENCRYPTION_STRICT_MODE_EGRESS does not expect to drop IPv6 packets, therefore we only check for CTX_ACT_OK.
Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>

* ipsec_encryption_on_egress.c: removed, not testing anything new wrt to
encrypt_host.h suite, therefore deleted.
* ipsec_redirect_generic.h, ipsec_redirect_native.c, ipsec_redirect_tunnel.c:
renamed to encryption_helpers_ipsec.h, encryption_helpers_ipsec_native.c,
encryption_helpers_ipsec_tunnel.c.
* moved redirect iface and flags check in encrypt_host.h suite, and leaving
the encryption_helpers_ipsec suite only for mere helper tests, no more hook
tests (netdev_send_packet or netdev_receive_packet).
Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>

* wireguard_helpers_tests.c: renamed to encryption_helpers_wireguard.c
and left intact.
* wireguard_from_netdev.c: deleted in favor of new decrypt_host.h suite.
The positive test case is kept, while the negative ones are removed
as already tested in encryption_helpers_wireguard.c
* tc_wireguard_from_overlay.c: renamed to decrypt_overlay_wireguard.c and
left intact.
* decrypt_host.h: new test suite for incoming encrypted pkts, with both
wireguard and ipsec tests.
* scapy pkt defs: added new ones for ipsec and renamed the ones for
wireguard, while removing also the unused ones.
* encryption_helpers_ipsec.c/h: added new tests for the mere do_decrypt
helpers, while leaving all the hook-level tests in the decrypt_host.h suite.
Added tests for `ctx_is_{en,de}crypt()` helpers for ipsec as well.
Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
3a8eba6 to dee2581
Overlay removed, follow-up created #45084.
/test
Please refer to commit descriptions.
* bpf:tests:decrypt_host: create test suite for network encrypted pkts: this is to create the complementary test suite `decrypt_host`, which is in charge of testing incoming network encrypted packets. While doing that, do some renaming to align files.
* move and cleanup encryption tests to encrypt_host suite: this is to move hook-related changes in `encrypt_host` suite, while leaving all helpers in own files. While doing that, do some renaming to align files.
* bpf:tests:encrypt_host: extend suite with IPv6 coverage: this is to expand the `encrypt_host` test suite with also IPv6 tests. Strict Mode does not support IPv6, we therefore don't expect drops.
* bpf:tests:wireguard: use sizeof(struct ethhdr) for L4 offset: this is a small cleanup to prevent misbehaviors.