This patchset adds more bpf_*_ct_lookup() selftests. The goal is to test
interaction with netfilter subsystem as well as reading from `struct
nf_conn`. The first is important when migrating legacy systems towards
bpf. The latter is important in general to take full advantage of
connection tracking.
I'll follow this patchset up with support for writing to `struct nf_conn`.
Past discussion:
- v2: https://lore.kernel.org/bpf/[email protected]/
- v1: https://lore.kernel.org/bpf/[email protected]/
Changes since v2:
- Add bpf-ci kconfig changes
Changes since v1:
- Reword commit message / cover letter to not mention connmark writing
Daniel Xu (3):
selftests/bpf: Add existing connection bpf_*_ct_lookup() test
selftests/bpf: Add connmark read test
selftests/bpf: Update CI kconfig
tools/testing/selftests/bpf/config | 2 +
.../testing/selftests/bpf/prog_tests/bpf_nf.c | 60 +++++++++++++++++++
.../testing/selftests/bpf/progs/test_bpf_nf.c | 21 +++++++
3 files changed, 83 insertions(+)
--
2.37.1
The previous selftest changes require two kconfig changes in bpf-ci.
Signed-off-by: Daniel Xu <[email protected]>
---
tools/testing/selftests/bpf/config | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config
index fabf0c014349..3fc46f9cfb22 100644
--- a/tools/testing/selftests/bpf/config
+++ b/tools/testing/selftests/bpf/config
@@ -50,9 +50,11 @@ CONFIG_NET_SCHED=y
CONFIG_NETDEVSIM=m
CONFIG_NETFILTER=y
CONFIG_NETFILTER_SYNPROXY=y
+CONFIG_NETFILTER_XT_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_TARGET_CT=y
CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_DEFRAG_IPV6=y
CONFIG_RC_CORE=y
--
2.37.1
On Thu, 11 Aug 2022 at 01:16, Daniel Xu <[email protected]> wrote:
>
> This patchset adds more bpf_*_ct_lookup() selftests. The goal is to test
> interaction with netfilter subsystem as well as reading from `struct
> nf_conn`. The first is important when migrating legacy systems towards
> bpf. The latter is important in general to take full advantage of
> connection tracking.
>
Thank you for contributing these tests. Feel free to add:
Acked-by: Kumar Kartikeya Dwivedi <[email protected]>
People often look at selftests for usage examples these days, so it's
great to have coverage + examples for more use cases.
> I'll follow this patchset up with support for writing to `struct nf_conn`.
>
Please also cc netfilter-devel, netdev, Pablo, and Florian when you send it.
I think we can directly enable stores to ct->mark, since that is what
ctnetlink is doing too, so adding another helper for this would be
unnecessary overhead.
> Past discussion:
> - v2: https://lore.kernel.org/bpf/[email protected]/
> - v1: https://lore.kernel.org/bpf/[email protected]/
>
> Changes since v2:
> - Add bpf-ci kconfig changes
>
> Changes since v1:
> - Reword commit message / cover letter to not mention connmark writing
>
>
> Daniel Xu (3):
> selftests/bpf: Add existing connection bpf_*_ct_lookup() test
> selftests/bpf: Add connmark read test
> selftests/bpf: Update CI kconfig
>
> tools/testing/selftests/bpf/config | 2 +
> .../testing/selftests/bpf/prog_tests/bpf_nf.c | 60 +++++++++++++++++++
> .../testing/selftests/bpf/progs/test_bpf_nf.c | 21 +++++++
> 3 files changed, 83 insertions(+)
>
> --
> 2.37.1
>
Hi Kumar,
On Wed, Aug 10, 2022, at 6:25 PM, Kumar Kartikeya Dwivedi wrote:
> On Thu, 11 Aug 2022 at 01:16, Daniel Xu <[email protected]> wrote:
>>
>> This patchset adds more bpf_*_ct_lookup() selftests. The goal is to test
>> interaction with netfilter subsystem as well as reading from `struct
>> nf_conn`. The first is important when migrating legacy systems towards
>> bpf. The latter is important in general to take full advantage of
>> connection tracking.
>>
>
> Thank you for contributing these tests. Feel free to add:
> Acked-by: Kumar Kartikeya Dwivedi <[email protected]>
>
> People often look at selftests for usage examples these days, so it's
> great to have coverage + examples for more use cases.
I also want this interaction to still work when I start using it later :).
>
>> I'll follow this patchset up with support for writing to `struct nf_conn`.
>>
>
> Please also cc netfilter-devel, netdev, Pablo, and Florian when you send it.
>
Ack.
> I think we can directly enable stores to ct->mark, since that is what
> ctnetlink is doing too, so adding another helper for this would be
> unnecessary overhead.
Ack.
[...]
Thanks,
Danel