Netdev List
* [PATCH v2 net-next 0/2] netdevsim: add fake FT/CLS_FLOWER offload
@ 2026-06-12  9:22 Florian Westphal
  2026-06-12  9:22 ` [PATCH v2 net-next 1/2] netdevsim: tc: allow to test nf_tables offload control plane code Florian Westphal
  2026-06-12  9:22 ` [PATCH v2 net-next 2/2] selftests: netfilter: add phony nft_offload test Florian Westphal
  0 siblings, 2 replies; 3+ messages in thread
From: Florian Westphal @ 2026-06-12  9:22 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, pablo

v2: fix up error reporting via extack
    shellcheck cleanups
    sort config toggles

1) Enable nf_tables offload control plane testing in netdevsim. Tag
   existing offload fn to allow error injection for testing rollback and abort
   logic.

2) Add nft_offload selftest to exercise the control plane and error
   unwind via fault injection.

Florian Westphal (2):
  netdevsim: tc: allow to test nf_tables offload control plane code
  selftests: netfilter: add phony nft_offload test

 drivers/net/netdevsim/bpf.c                   |   6 -
 drivers/net/netdevsim/tc.c                    |  20 ++-
 .../testing/selftests/net/netfilter/Makefile  |   1 +
 tools/testing/selftests/net/netfilter/config  |   6 +
 .../selftests/net/netfilter/nft_offload.sh    | 132 ++++++++++++++++++
 5 files changed, 158 insertions(+), 7 deletions(-)
 create mode 100755 tools/testing/selftests/net/netfilter/nft_offload.sh

-- 
2.53.0



* [PATCH v2 net-next 1/2] netdevsim: tc: allow to test nf_tables offload control plane code
  2026-06-12  9:22 [PATCH v2 net-next 0/2] netdevsim: add fake FT/CLS_FLOWER offload Florian Westphal
@ 2026-06-12  9:22 ` Florian Westphal
  2026-06-12  9:22 ` [PATCH v2 net-next 2/2] selftests: netfilter: add phony nft_offload test Florian Westphal
  1 sibling, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2026-06-12  9:22 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, pablo

The actual 'offload' is phony, all commands are ignored: this is only
useful to test control plane code.

Tag the existing callback to permit error injection to test rollback/abort
code in nf_tables.  This is also for fuzzers - the fault injection
framework allows probabilistic error insertion.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 v2: move extack error to nsim_setup_tc_block_cb

 drivers/net/netdevsim/bpf.c |  6 ------
 drivers/net/netdevsim/tc.c  | 20 +++++++++++++++++++-
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c
index 8eebcc933ddb..16aa88278398 100644
--- a/drivers/net/netdevsim/bpf.c
+++ b/drivers/net/netdevsim/bpf.c
@@ -123,12 +123,6 @@ int nsim_bpf_setup_tc_block_cb(enum tc_setup_type type,
 	struct netdevsim *ns = cb_priv;
 	struct bpf_prog *oldprog;
 
-	if (type != TC_SETUP_CLSBPF) {
-		NSIM_EA(cls_bpf->common.extack,
-			"only offload of BPF classifiers supported");
-		return -EOPNOTSUPP;
-	}
-
 	if (!tc_cls_can_offload_and_chain0(ns->netdev, &cls_bpf->common))
 		return -EOPNOTSUPP;
 
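Review bot: with the `type != TC_SETUP_CLSBPF` guard removed at the top of nsim_bpf_setup_tc_block_cb(), nothing in this function stops a non-BPF type_data from being used as cls_bpf in the `tc_cls_can_offload_and_chain0(ns->netdev, &cls_bpf->common)` call that follows. The type dispatch now lives in the caller in tc.c, so a short comment here saying that callers must pass TC_SETUP_CLSBPF only would document that contract. It is also worth checking whether the `type` argument is still needed in this function at all.
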
diff --git a/drivers/net/netdevsim/tc.c b/drivers/net/netdevsim/tc.c
index 8f013a5895a2..a415e02a6df1 100644
--- a/drivers/net/netdevsim/tc.c
+++ b/drivers/net/netdevsim/tc.c
@@ -9,7 +9,22 @@
 static int
 nsim_setup_tc_block_cb(enum tc_setup_type type, void *type_data, void *cb_priv)
 {
-	return nsim_bpf_setup_tc_block_cb(type, type_data, cb_priv);
+	struct flow_cls_common_offload *common = type_data;
+	int err = 0;
+
+	switch (type) {
+	case TC_SETUP_CLSBPF:
+		err = nsim_bpf_setup_tc_block_cb(type, type_data, cb_priv);
+		break;
+	case TC_SETUP_CLSFLOWER:
+		break;
+	default:
+		NSIM_EA(common->extack, "offload type not supported");
+		err = -EOPNOTSUPP;
+		break;
+	}
+
+	return err;
 }
 
 static void nsim_taprio_stats(struct tc_taprio_qopt_stats *stats)
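Review bot: the `case TC_SETUP_CLSFLOWER:` arm returns 0 without the `tc_cls_can_offload_and_chain0()` check that the BPF path still applies, so flower commands are accepted whatever the device's offload setting or chain is. If that is intended for the phony offload, a one-line comment in the arm saying that every flower command is accepted and ignored would make it explicit. Separately, `common = type_data` is dereferenced in the `default:` arm for types this function does not know, which relies on every type_data starting with struct flow_cls_common_offload; a comment stating that assumption would help.
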
@@ -73,7 +88,10 @@ nsim_setup_tc(struct net_device *dev, enum tc_setup_type type, void *type_data)
 						  &nsim_block_cb_list,
 						  nsim_setup_tc_block_cb,
 						  ns, ns, true);
+	case TC_SETUP_FT:
+		return 0;
 	default:
 		return -EOPNOTSUPP;
 	}
 }
+ALLOW_ERROR_INJECTION(nsim_setup_tc, ERRNO);
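
Review bot: `ALLOW_ERROR_INJECTION(nsim_setup_tc, ERRNO);` at the end of the hunk makes the whole ndo dispatcher injectable, so an armed fault fails every setup type that reaches nsim_setup_tc, not only the new `case TC_SETUP_FT:` and the flower block path. A comment above the macro naming the nft_offload selftest as the user would explain why a driver entry point carries it. The diff adds no `#include <linux/error-injection.h>` to tc.c, so please confirm the macro is reached through an existing include. `case TC_SETUP_FT: return 0;` could also use a short comment that the flowtable setup is accepted and ignored.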
-- 
2.53.0



* [PATCH v2 net-next 2/2] selftests: netfilter: add phony nft_offload test
  2026-06-12  9:22 [PATCH v2 net-next 0/2] netdevsim: add fake FT/CLS_FLOWER offload Florian Westphal
  2026-06-12  9:22 ` [PATCH v2 net-next 1/2] netdevsim: tc: allow to test nf_tables offload control plane code Florian Westphal
@ 2026-06-12  9:22 ` Florian Westphal
  1 sibling, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2026-06-12  9:22 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, pablo

... "phony", because it's not testing offloads, it tests the control
plane code.  Also test error unwind via fault injection framework.

For a proper test, real hardware would be required given we'd have
to check if 'previously handed off to hardware' offload commands are
properly removed again on failure or rule flush.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 v2: sort config
     shellcheck fixups

 .../testing/selftests/net/netfilter/Makefile  |   1 +
 tools/testing/selftests/net/netfilter/config  |   6 +
 .../selftests/net/netfilter/nft_offload.sh    | 132 ++++++++++++++++++
 3 files changed, 139 insertions(+)
 create mode 100755 tools/testing/selftests/net/netfilter/nft_offload.sh

diff --git a/tools/testing/selftests/net/netfilter/Makefile b/tools/testing/selftests/net/netfilter/Makefile
index d953ee218c0f..f88dd4ef8d26 100644
--- a/tools/testing/selftests/net/netfilter/Makefile
+++ b/tools/testing/selftests/net/netfilter/Makefile
@@ -32,6 +32,7 @@ TEST_PROGS := \
 	nft_meta.sh \
 	nft_nat.sh \
 	nft_nat_zones.sh \
+	nft_offload.sh \
 	nft_queue.sh \
 	nft_synproxy.sh \
 	nft_tproxy_tcp.sh \
diff --git a/tools/testing/selftests/net/netfilter/config b/tools/testing/selftests/net/netfilter/config
index 979cff56e1f5..c3c121b6f300 100644
--- a/tools/testing/selftests/net/netfilter/config
+++ b/tools/testing/selftests/net/netfilter/config
@@ -11,7 +11,12 @@ CONFIG_BRIDGE_NF_EBTABLES_LEGACY=m
 CONFIG_BRIDGE_VLAN_FILTERING=y
 CONFIG_CGROUP_BPF=y
 CONFIG_CRYPTO_SHA1=m
+CONFIG_DEBUG_FS=y
 CONFIG_DUMMY=m
+CONFIG_FAIL_FUNCTION=y
+CONFIG_FAULT_INJECTION=y
+CONFIG_FAULT_INJECTION_DEBUG_FS=y
+CONFIG_FUNCTION_ERROR_INJECTION=y
 CONFIG_INET_DIAG=m
 CONFIG_INET_ESP=m
 CONFIG_INET_SCTP_DIAG=m
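Review bot: the four fault-injection symbols added here (`CONFIG_FAIL_FUNCTION`, `CONFIG_FAULT_INJECTION`, `CONFIG_FAULT_INJECTION_DEBUG_FS`, `CONFIG_FUNCTION_ERROR_INJECTION`) only take effect if their own Kconfig dependencies are enabled, and as far as I can tell FUNCTION_ERROR_INJECTION depends on KPROBES, which this file does not list (the next hunk shows CONFIG_IP_VS_RR directly followed by CONFIG_MACVLAN). If a dependency is missing the options are dropped silently and nft_offload.sh falls into its `skip "nsim_setup_tc fault injection not available"` path, so the error-unwind part would never run in CI. Please check the merged config and add whatever is missing.
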
@@ -36,6 +41,7 @@ CONFIG_IP_VS_RR=m
 CONFIG_MACVLAN=m
 CONFIG_NAMESPACES=y
 CONFIG_NET_CLS_U32=m
+CONFIG_NETDEVSIM=m
 CONFIG_NETFILTER=y
 CONFIG_NETFILTER_ADVANCED=y
 CONFIG_NETFILTER_NETLINK=m
diff --git a/tools/testing/selftests/net/netfilter/nft_offload.sh b/tools/testing/selftests/net/netfilter/nft_offload.sh
new file mode 100755
index 000000000000..859bdedf1a51
--- /dev/null
+++ b/tools/testing/selftests/net/netfilter/nft_offload.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+
+source lib.sh
+
+checktool "nft --version" "run test without nft tool"
+modprobe -q netdevsim
+
+sysfs="/sys/kernel/debug/fail_function"
+failname="/proc/self/make-it-fail"
+duration=30
+fault=0
+ret=0
+file_ft=""
+file_rs=""
+id=$((RANDOM%65536))
+
+read -r t < /proc/sys/kernel/tainted
+if [ "$t" -ne 0 ];then
+	echo SKIP: kernel is tainted
+	exit $ksft_skip
+fi
+
+cleanup() {
+    cleanup_netdevsim "$id" "$NS"
+    cleanup_ns "$NS"
+    [ "$fault" -eq 1 ] && echo '!nsim_setup_tc' > "$sysfs/inject"
+    rm -f "$file_ft" "$file_rs"
+}
+trap cleanup EXIT
+
+skip() {
+	echo "SKIP: $*"
+	[ $ret -eq 0 ] && exit 4
+
+	exit $ret
+}
+
+set -e
+setup_ns NS
+
+create_netdevsim "$id" "$NS" >/dev/null
+nsim_port=$(create_netdevsim_port "$id" "$NS" 2)
+
+file_ft=$(mktemp)
+cat > "$file_ft" <<EOF
+flush ruleset
+table inet t {
+	flowtable f {
+		flags offload
+		hook ingress priority filter + 10
+		devices = { "$nsim_port", "dummyf1" }
+	}
+
+	chain cf {
+		type filter hook forward priority 0; policy accept;
+		ct state new meta l4proto tcp flow add @f
+	}
+}
+EOF
+
+if ip netns exec "$NS" nft -f "$file_ft"; then
+	echo "PASS: flowtable offload"
+else
+	echo "FAIL: flowtable offload"
+	ret=1
+fi
+
+file_rs=$(mktemp)
+cat > "$file_rs" <<EOF
+table netdev t {
+	chain c {
+		type filter hook ingress device $nsim_port priority 1
+		flags offload
+		ip saddr 10.2.1.1 ip daddr 10.2.1.2 ip protocol icmp accept
+		ip saddr 10.2.1.1 ip daddr 10.2.1.3 ip protocol icmp drop
+		ip saddr 10.2.1.0/24 ip daddr 10.2.1.0/24 ip protocol icmp accept
+		ip6 saddr dead:beef::1 ip6 daddr dead:beef::2 meta l4proto ipv6-icmp accept
+		ip6 saddr dead:beef::1 ip6 daddr dead:beef::3 meta l4proto ipv6-icmp drop
+		ip6 saddr dead:beef::/64 ip6 daddr dead:beef::/64 meta l4proto ipv6-icmp accept
+	}
+}
+EOF
+if ip netns exec "$NS" nft -f "$file_rs"; then
+	echo "PASS: ruleset offload"
+else
+	echo "FAIL: ruleset offload"
+	ret=1
+fi
+
+test -d "$sysfs" || skip "$sysfs not present"
+grep -q nsim_setup_tc "$sysfs/injectable" || skip "nsim_setup_tc fault injection not available"
+
+echo Y > "$sysfs/task-filter"
+echo 0 > "$sysfs/verbose"
+echo "nsim_setup_tc" > "$sysfs/inject"
+fault=1
+
+p=$(((RANDOM%90) + 10))
+echo $p > "$sysfs/probability"
+echo -1 > "$sysfs/times"
+
+count=0
+ok=0
+
+now=$(date +%s)
+stop=$((now+duration))
+
+# fault-injection enabled rule loads are expected to fail.
+set +e
+while [ "$now" -le "$stop" ]; do
+	for f in "$file_ft" "$file_rs"; do
+		if ip netns exec "$NS" bash -c "echo 1 > $failname ; ip netns exec \"$NS\" nft -f $f" 2> /dev/null;then
+			ok=$((ok+1))
+		fi
+		count=$((count+1))
+	done
+	now=$(date +%s)
+done
+
+sleep 5
+
+read -r t < /proc/sys/kernel/tainted
+if [ "$t" -eq 0 ];then
+	echo "PASS: Not tainted. $count rounds, $ok successful ruleset loads with P $p."
+else
+	echo "ERROR: Tainted. $count rounds, $ok successful ruleset loads with P $p."
+	dmesg
+	ret=1
+fi
+
+exit $ret
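
Review bot: cleanup() only undoes the `inject` entry (`echo '!nsim_setup_tc' > "$sysfs/inject"`), while the setup before the loop also writes `task-filter`, `verbose`, `probability` and `times` under the shared fail_function debugfs directory; those stay modified for whatever test runs next. Suggest reading the old values before changing them and writing them back in cleanup(). Two smaller points: the fault loop only gates on the taint flag, so a run where `ok` equals `count` (no fault ever fired) still reports PASS, and skip() uses a literal `exit 4` where the taint check above uses `$ksft_skip`. The flowtable also lists a "dummyf1" device that the script never creates; a comment on why that is intended would help readers.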
-- 
2.53.0

