[PATCH v1 bpf-next 0/2] BPF: support mark in bpf_fib_lookup

[PATCH v1 bpf-next 0/2] BPF: support mark in bpf_fib_lookup

[Anton Protopopov]

This patch series adds policy routing support in bpf_fib_lookup.
This is a useful functionality which was missing for a long time,
as without it some networking setups can't be implemented in BPF.
One example can be found here [1].

A while ago there was an attempt to add this functionality [2] by
Rumen Telbizov and David Ahern. I've completely refactored the code,
except that the changes to the struct bpf_fib_lookup were copy-pasted
from the original patch.

The first patch implements the functionality, the second patch adds
a few selftests.

  [1] https://github.com/cilium/cilium/pull/12770
  [2] https://lore.kernel.org/all/20210629185537.78008-2-rumen.telbizov@menlosecurity.com/

Anton Protopopov (2):
  bpf: add support for passing mark with bpf_fib_lookup
  selftests/bpf: Add BPF_FIB_LOOKUP_MARK tests

 include/uapi/linux/bpf.h                      |  20 ++-
 net/core/filter.c                             |  12 +-
 tools/include/uapi/linux/bpf.h                |  20 ++-
 .../selftests/bpf/prog_tests/fib_lookup.c     | 160 ++++++++++++++----
 4 files changed, 176 insertions(+), 36 deletions(-)

-- 
2.34.1

[PATCH v1 bpf-next 1/2] bpf: add support for passing mark with bpf_fib_lookup

[Anton Protopopov]

Extend the bpf_fib_lookup() helper by making it to utilize mark if
the BPF_FIB_LOOKUP_MARK flag is set. In order to pass the mark the
four bytes of struct bpf_fib_lookup are used, shared with the
output-only smac/dmac fields.

Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
---
 include/uapi/linux/bpf.h       | 20 ++++++++++++++++++--
 net/core/filter.c              | 12 +++++++++---
 tools/include/uapi/linux/bpf.h | 20 ++++++++++++++++++--
 3 files changed, 45 insertions(+), 7 deletions(-)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 9585f5345353..96d57e483133 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -3394,6 +3394,10 @@ union bpf_attr {
  *			for the nexthop. If the src addr cannot be derived,
  *			**BPF_FIB_LKUP_RET_NO_SRC_ADDR** is returned. In this
  *			case, *params*->dmac and *params*->smac are not set either.
+ *		**BPF_FIB_LOOKUP_MARK**
+ *			Use the mark present in *params*->mark for the fib lookup.
+ *			This option should not be used with BPF_FIB_LOOKUP_DIRECT,
+ *			as it only has meaning for full lookups.
  *
  *		*ctx* is either **struct xdp_md** for XDP programs or
  *		**struct sk_buff** tc cls_act programs.
@@ -7120,6 +7124,7 @@ enum {
 	BPF_FIB_LOOKUP_SKIP_NEIGH = (1U << 2),
 	BPF_FIB_LOOKUP_TBID    = (1U << 3),
 	BPF_FIB_LOOKUP_SRC     = (1U << 4),
+	BPF_FIB_LOOKUP_MARK    = (1U << 5),
 };
 
 enum {
@@ -7197,8 +7202,19 @@ struct bpf_fib_lookup {
 		__u32	tbid;
 	};
 
-	__u8	smac[6];     /* ETH_ALEN */
-	__u8	dmac[6];     /* ETH_ALEN */
+	union {
+		/* input */
+		struct {
+			__u32	mark;   /* policy routing */
+			/* 2 4-byte holes for input */
+		};
+
+		/* output: source and dest mac */
+		struct {
+			__u8	smac[6];	/* ETH_ALEN */
+			__u8	dmac[6];	/* ETH_ALEN */
+		};
+	};
 };
 
 struct bpf_redir_neigh {
diff --git a/net/core/filter.c b/net/core/filter.c
index 0c66e4a3fc5b..1205dd777dc2 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -5884,7 +5884,10 @@ static int bpf_ipv4_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
 
 		err = fib_table_lookup(tb, &fl4, &res, FIB_LOOKUP_NOREF);
 	} else {
-		fl4.flowi4_mark = 0;
+		if (flags & BPF_FIB_LOOKUP_MARK)
+			fl4.flowi4_mark = params->mark;
+		else
+			fl4.flowi4_mark = 0;
 		fl4.flowi4_secid = 0;
 		fl4.flowi4_tun_key.tun_id = 0;
 		fl4.flowi4_uid = sock_net_uid(net, NULL);
@@ -6027,7 +6030,10 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
 		err = ipv6_stub->fib6_table_lookup(net, tb, oif, &fl6, &res,
 						   strict);
 	} else {
-		fl6.flowi6_mark = 0;
+		if (flags & BPF_FIB_LOOKUP_MARK)
+			fl6.flowi6_mark = params->mark;
+		else
+			fl6.flowi6_mark = 0;
 		fl6.flowi6_secid = 0;
 		fl6.flowi6_tun_key.tun_id = 0;
 		fl6.flowi6_uid = sock_net_uid(net, NULL);
@@ -6105,7 +6111,7 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
 
 #define BPF_FIB_LOOKUP_MASK (BPF_FIB_LOOKUP_DIRECT | BPF_FIB_LOOKUP_OUTPUT | \
 			     BPF_FIB_LOOKUP_SKIP_NEIGH | BPF_FIB_LOOKUP_TBID | \
-			     BPF_FIB_LOOKUP_SRC)
+			     BPF_FIB_LOOKUP_SRC | BPF_FIB_LOOKUP_MARK)
 
 BPF_CALL_4(bpf_xdp_fib_lookup, struct xdp_buff *, ctx,
 	   struct bpf_fib_lookup *, params, int, plen, u32, flags)
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index bf80b614c4db..4c9b5bfbd9c6 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -3393,6 +3393,10 @@ union bpf_attr {
  *			for the nexthop. If the src addr cannot be derived,
  *			**BPF_FIB_LKUP_RET_NO_SRC_ADDR** is returned. In this
  *			case, *params*->dmac and *params*->smac are not set either.
+ *		**BPF_FIB_LOOKUP_MARK**
+ *			Use the mark present in *params*->mark for the fib lookup.
+ *			This option should not be used with BPF_FIB_LOOKUP_DIRECT,
+ *			as it only has meaning for full lookups.
  *
  *		*ctx* is either **struct xdp_md** for XDP programs or
  *		**struct sk_buff** tc cls_act programs.
@@ -7119,6 +7123,7 @@ enum {
 	BPF_FIB_LOOKUP_SKIP_NEIGH = (1U << 2),
 	BPF_FIB_LOOKUP_TBID    = (1U << 3),
 	BPF_FIB_LOOKUP_SRC     = (1U << 4),
+	BPF_FIB_LOOKUP_MARK    = (1U << 5),
 };
 
 enum {
@@ -7196,8 +7201,19 @@ struct bpf_fib_lookup {
 		__u32	tbid;
 	};
 
-	__u8	smac[6];     /* ETH_ALEN */
-	__u8	dmac[6];     /* ETH_ALEN */
+	union {
+		/* input */
+		struct {
+			__u32	mark;   /* policy routing */
+			/* 2 4-byte holes for input */
+		};
+
+		/* output: source and dest mac */
+		struct {
+			__u8	smac[6];	/* ETH_ALEN */
+			__u8	dmac[6];	/* ETH_ALEN */
+		};
+	};
 };
 
 struct bpf_redir_neigh {
-- 
2.34.1

[PATCH v1 bpf-next 2/2] selftests/bpf: Add BPF_FIB_LOOKUP_MARK tests

[Anton Protopopov]

This patch extends the fib_lookup test suite by adding a few test
cases for each IP family to test the new BPF_FIB_LOOKUP_MARK flag
to the bpf_fib_lookup:

  * Test destination IP address selection with and without a mark
    and/or the BPF_FIB_LOOKUP_MARK flag set

To test this functionality another network namespace and a new veth
pair were added to the test.

Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
---
 .../selftests/bpf/prog_tests/fib_lookup.c     | 160 ++++++++++++++----
 1 file changed, 131 insertions(+), 29 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/fib_lookup.c b/tools/testing/selftests/bpf/prog_tests/fib_lookup.c
index 3379df2d4cf2..a78316431f32 100644
--- a/tools/testing/selftests/bpf/prog_tests/fib_lookup.c
+++ b/tools/testing/selftests/bpf/prog_tests/fib_lookup.c
@@ -10,6 +10,7 @@
 #include "fib_lookup.skel.h"
 
 #define NS_TEST			"fib_lookup_ns"
+#define NS_REMOTE		"remote_ns"
 #define IPV6_IFACE_ADDR		"face::face"
 #define IPV6_IFACE_ADDR_SEC	"cafe::cafe"
 #define IPV6_ADDR_DST		"face::3"
@@ -26,6 +27,17 @@
 #define IPV6_TBID_ADDR		"fd00::FFFF"
 #define IPV6_TBID_NET		"fd00::"
 #define IPV6_TBID_DST		"fd00::2"
+#define MARK_NO_POLICY		33
+#define MARK			42
+#define MARK_TABLE		"200"
+#define IPV4_REMOTE_DST		"1.2.3.4"
+#define IPV4_LOCAL		"10.4.0.3"
+#define IPV4_GW1		"10.4.0.1"
+#define IPV4_GW2		"10.4.0.2"
+#define IPV6_REMOTE_DST		"be:ef::b0:10"
+#define IPV6_LOCAL		"fd01::3"
+#define IPV6_GW1		"fd01::1"
+#define IPV6_GW2		"fd01::2"
 #define DMAC			"11:11:11:11:11:11"
 #define DMAC_INIT { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, }
 #define DMAC2			"01:01:01:01:01:01"
@@ -36,9 +48,12 @@ struct fib_lookup_test {
 	const char *daddr;
 	int expected_ret;
 	const char *expected_src;
+	const char *expected_dst;
 	int lookup_flags;
 	__u32 tbid;
 	__u8 dmac[6];
+	__u32 mark;
+	const char *ifname;
 };
 
 static const struct fib_lookup_test tests[] = {
@@ -90,10 +105,47 @@ static const struct fib_lookup_test tests[] = {
 	  .daddr = IPV6_ADDR_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
 	  .expected_src = IPV6_IFACE_ADDR_SEC,
 	  .lookup_flags = BPF_FIB_LOOKUP_SRC | BPF_FIB_LOOKUP_SKIP_NEIGH, },
+	/* policy routing */
+	{ .desc = "IPv4 policy routing, default",
+	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
+	  .expected_dst = IPV4_GW1, .ifname = "veth3",
+	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH, },
+	{ .desc = "IPv4 policy routing, mark doesn't point to a policy",
+	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
+	  .expected_dst = IPV4_GW1, .ifname = "veth3",
+	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
+	  .mark = MARK_NO_POLICY, },
+	{ .desc = "IPv4 policy routing, mark points to a policy",
+	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
+	  .expected_dst = IPV4_GW2, .ifname = "veth3",
+	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
+	  .mark = MARK, },
+	{ .desc = "IPv4 policy routing, mark points to a policy, but no flag",
+	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
+	  .expected_dst = IPV4_GW1, .ifname = "veth3",
+	  .lookup_flags = BPF_FIB_LOOKUP_SKIP_NEIGH,
+	  .mark = MARK, },
+	{ .desc = "IPv6 policy routing, default",
+	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
+	  .expected_dst = IPV6_GW1, .ifname = "veth3",
+	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH, },
+	{ .desc = "IPv6 policy routing, mark doesn't point to a policy",
+	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
+	  .expected_dst = IPV6_GW1, .ifname = "veth3",
+	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
+	  .mark = MARK_NO_POLICY, },
+	{ .desc = "IPv6 policy routing, mark points to a policy",
+	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
+	  .expected_dst = IPV6_GW2, .ifname = "veth3",
+	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
+	  .mark = MARK, },
+	{ .desc = "IPv6 policy routing, mark points to a policy, but no flag",
+	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
+	  .expected_dst = IPV6_GW1, .ifname = "veth3",
+	  .lookup_flags = BPF_FIB_LOOKUP_SKIP_NEIGH,
+	  .mark = MARK, },
 };
 
-static int ifindex;
-
 static int setup_netns(void)
 {
 	int err;
@@ -144,12 +196,40 @@ static int setup_netns(void)
 	if (!ASSERT_OK(err, "write_sysctl(net.ipv6.conf.veth1.forwarding)"))
 		goto fail;
 
+	/* Setup for policy routing tests */
+	SYS(fail, "ip link add veth3 type veth peer name veth4");
+	SYS(fail, "ip link set dev veth3 up");
+	SYS(fail, "ip link set dev veth4 netns %s up", NS_REMOTE);
+
+	SYS(fail, "ip addr add %s/24 dev veth3", IPV4_LOCAL);
+	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW1);
+	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW2);
+	SYS(fail, "ip addr add %s/64 dev veth3 nodad", IPV6_LOCAL);
+	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW1);
+	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW2);
+	SYS(fail, "ip route add %s/32 via %s", IPV4_REMOTE_DST, IPV4_GW1);
+	SYS(fail, "ip route add %s/32 via %s table %s", IPV4_REMOTE_DST, IPV4_GW2, MARK_TABLE);
+	SYS(fail, "ip -6 route add %s/128 via %s", IPV6_REMOTE_DST, IPV6_GW1);
+	SYS(fail, "ip -6 route add %s/128 via %s table %s", IPV6_REMOTE_DST, IPV6_GW2, MARK_TABLE);
+	SYS(fail, "ip rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
+	SYS(fail, "ip -6 rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
+
+	err = write_sysctl("/proc/sys/net/ipv4/conf/veth3/forwarding", "1");
+	if (!ASSERT_OK(err, "write_sysctl(net.ipv4.conf.veth3.forwarding)"))
+		goto fail;
+
+	err = write_sysctl("/proc/sys/net/ipv6/conf/veth3/forwarding", "1");
+	if (!ASSERT_OK(err, "write_sysctl(net.ipv6.conf.veth3.forwarding)"))
+		goto fail;
+
 	return 0;
 fail:
 	return -1;
 }
 
-static int set_lookup_params(struct bpf_fib_lookup *params, const struct fib_lookup_test *test)
+static int set_lookup_params(struct bpf_fib_lookup *params,
+			     const struct fib_lookup_test *test,
+			     int ifindex)
 {
 	int ret;
 
@@ -159,6 +239,9 @@ static int set_lookup_params(struct bpf_fib_lookup *params, const struct fib_loo
 	params->ifindex = ifindex;
 	params->tbid = test->tbid;
 
+	if (test->lookup_flags & BPF_FIB_LOOKUP_MARK)
+		params->mark = test->mark;
+
 	if (inet_pton(AF_INET6, test->daddr, params->ipv6_dst) == 1) {
 		params->family = AF_INET6;
 		if (!(test->lookup_flags & BPF_FIB_LOOKUP_SRC)) {
@@ -190,40 +273,45 @@ static void mac_str(char *b, const __u8 *mac)
 		mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
 }
 
-static void assert_src_ip(struct bpf_fib_lookup *fib_params, const char *expected_src)
+static void assert_ip_address(int family, void *addr, const char *expected_str)
 {
+	char str[INET6_ADDRSTRLEN];
+	u8 expected_addr[16];
+	int addr_len = 0;
 	int ret;
-	__u32 src6[4];
-	__be32 src4;
 
-	switch (fib_params->family) {
+	switch (family) {
 	case AF_INET6:
-		ret = inet_pton(AF_INET6, expected_src, src6);
-		ASSERT_EQ(ret, 1, "inet_pton(expected_src)");
-
-		ret = memcmp(src6, fib_params->ipv6_src, sizeof(fib_params->ipv6_src));
-		if (!ASSERT_EQ(ret, 0, "fib_lookup ipv6 src")) {
-			char str_src6[64];
-
-			inet_ntop(AF_INET6, fib_params->ipv6_src, str_src6,
-				  sizeof(str_src6));
-			printf("ipv6 expected %s actual %s ", expected_src,
-			       str_src6);
-		}
-
+		ret = inet_pton(AF_INET6, expected_str, expected_addr);
+		ASSERT_EQ(ret, 1, "inet_pton(AF_INET6, expected_str)");
+		addr_len = 16;
 		break;
 	case AF_INET:
-		ret = inet_pton(AF_INET, expected_src, &src4);
-		ASSERT_EQ(ret, 1, "inet_pton(expected_src)");
-
-		ASSERT_EQ(fib_params->ipv4_src, src4, "fib_lookup ipv4 src");
-
+		ret = inet_pton(AF_INET, expected_str, expected_addr);
+		ASSERT_EQ(ret, 1, "inet_pton(AF_INET, expected_str)");
+		addr_len = 4;
 		break;
 	default:
-		PRINT_FAIL("invalid addr family: %d", fib_params->family);
+		PRINT_FAIL("invalid address family: %d", family);
+		break;
+	}
+
+	if (memcmp(addr, expected_addr, addr_len)) {
+		inet_ntop(family, addr, str, sizeof(str));
+		PRINT_FAIL("expected %s actual %s ", expected_str, str);
 	}
 }
 
+static void assert_src_ip(struct bpf_fib_lookup *params, const char *expected)
+{
+	assert_ip_address(params->family, params->ipv6_src, expected);
+}
+
+static void assert_dst_ip(struct bpf_fib_lookup *params, const char *expected)
+{
+	assert_ip_address(params->family, params->ipv6_dst, expected);
+}
+
 void test_fib_lookup(void)
 {
 	struct bpf_fib_lookup *fib_params;
@@ -231,6 +319,7 @@ void test_fib_lookup(void)
 	struct __sk_buff skb = { };
 	struct fib_lookup *skel;
 	int prog_fd, err, ret, i;
+	int default_ifindex;
 
 	/* The test does not use the skb->data, so
 	 * use pkt_v6 for both v6 and v4 test.
@@ -248,6 +337,7 @@ void test_fib_lookup(void)
 	prog_fd = bpf_program__fd(skel->progs.fib_lookup);
 
 	SYS(fail, "ip netns add %s", NS_TEST);
+	SYS(fail, "ip netns add %s", NS_REMOTE);
 
 	nstoken = open_netns(NS_TEST);
 	if (!ASSERT_OK_PTR(nstoken, "open_netns"))
@@ -256,15 +346,23 @@ void test_fib_lookup(void)
 	if (setup_netns())
 		goto fail;
 
-	ifindex = if_nametoindex("veth1");
-	skb.ifindex = ifindex;
+	default_ifindex = if_nametoindex("veth1");
+	if (!ASSERT_NEQ(default_ifindex, 0, "if_nametoindex(veth1)"))
+		goto fail;
+
 	fib_params = &skel->bss->fib_params;
 
 	for (i = 0; i < ARRAY_SIZE(tests); i++) {
 		printf("Testing %s ", tests[i].desc);
 
-		if (set_lookup_params(fib_params, &tests[i]))
+		if (tests[i].ifname)
+			skb.ifindex = if_nametoindex(tests[i].ifname);
+		else
+			skb.ifindex = default_ifindex;
+
+		if (set_lookup_params(fib_params, &tests[i], skb.ifindex))
 			continue;
+
 		skel->bss->fib_lookup_ret = -1;
 		skel->bss->lookup_flags = tests[i].lookup_flags;
 
@@ -278,6 +376,9 @@ void test_fib_lookup(void)
 		if (tests[i].expected_src)
 			assert_src_ip(fib_params, tests[i].expected_src);
 
+		if (tests[i].expected_dst)
+			assert_dst_ip(fib_params, tests[i].expected_dst);
+
 		ret = memcmp(tests[i].dmac, fib_params->dmac, sizeof(tests[i].dmac));
 		if (!ASSERT_EQ(ret, 0, "dmac not match")) {
 			char expected[18], actual[18];
@@ -299,5 +400,6 @@ void test_fib_lookup(void)
 	if (nstoken)
 		close_netns(nstoken);
 	SYS_NOFAIL("ip netns del " NS_TEST);
+	SYS_NOFAIL("ip netns del " NS_REMOTE);
 	fib_lookup__destroy(skel);
 }
-- 
2.34.1

Re: [PATCH v1 bpf-next 2/2] selftests/bpf: Add BPF_FIB_LOOKUP_MARK tests

[Martin KaFai Lau]

On 3/22/24 7:02 AM, Anton Protopopov wrote:
> This patch extends the fib_lookup test suite by adding a few test
> cases for each IP family to test the new BPF_FIB_LOOKUP_MARK flag
> to the bpf_fib_lookup:
> 
>    * Test destination IP address selection with and without a mark
>      and/or the BPF_FIB_LOOKUP_MARK flag set
> 
> To test this functionality another network namespace and a new veth
> pair were added to the test.
> 

[ ... ]

>   static const struct fib_lookup_test tests[] = {
> @@ -90,10 +105,47 @@ static const struct fib_lookup_test tests[] = {
>   	  .daddr = IPV6_ADDR_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
>   	  .expected_src = IPV6_IFACE_ADDR_SEC,
>   	  .lookup_flags = BPF_FIB_LOOKUP_SRC | BPF_FIB_LOOKUP_SKIP_NEIGH, },
> +	/* policy routing */
> +	{ .desc = "IPv4 policy routing, default",
> +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> +	  .expected_dst = IPV4_GW1, .ifname = "veth3",
> +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH, },
> +	{ .desc = "IPv4 policy routing, mark doesn't point to a policy",
> +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> +	  .expected_dst = IPV4_GW1, .ifname = "veth3",
> +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
> +	  .mark = MARK_NO_POLICY, },
> +	{ .desc = "IPv4 policy routing, mark points to a policy",
> +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> +	  .expected_dst = IPV4_GW2, .ifname = "veth3",
> +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
> +	  .mark = MARK, },
> +	{ .desc = "IPv4 policy routing, mark points to a policy, but no flag",
> +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> +	  .expected_dst = IPV4_GW1, .ifname = "veth3",
> +	  .lookup_flags = BPF_FIB_LOOKUP_SKIP_NEIGH,
> +	  .mark = MARK, },
> +	{ .desc = "IPv6 policy routing, default",
> +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> +	  .expected_dst = IPV6_GW1, .ifname = "veth3",
> +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH, },
> +	{ .desc = "IPv6 policy routing, mark doesn't point to a policy",
> +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> +	  .expected_dst = IPV6_GW1, .ifname = "veth3",
> +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
> +	  .mark = MARK_NO_POLICY, },
> +	{ .desc = "IPv6 policy routing, mark points to a policy",
> +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> +	  .expected_dst = IPV6_GW2, .ifname = "veth3",
> +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
> +	  .mark = MARK, },
> +	{ .desc = "IPv6 policy routing, mark points to a policy, but no flag",
> +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> +	  .expected_dst = IPV6_GW1, .ifname = "veth3",
> +	  .lookup_flags = BPF_FIB_LOOKUP_SKIP_NEIGH,
> +	  .mark = MARK, },
>   };
>   
> -static int ifindex;
> -
>   static int setup_netns(void)
>   {
>   	int err;
> @@ -144,12 +196,40 @@ static int setup_netns(void)
>   	if (!ASSERT_OK(err, "write_sysctl(net.ipv6.conf.veth1.forwarding)"))
>   		goto fail;
>   
> +	/* Setup for policy routing tests */
> +	SYS(fail, "ip link add veth3 type veth peer name veth4");
> +	SYS(fail, "ip link set dev veth3 up");
> +	SYS(fail, "ip link set dev veth4 netns %s up", NS_REMOTE);
> +
> +	SYS(fail, "ip addr add %s/24 dev veth3", IPV4_LOCAL);
> +	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW1);
> +	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW2);
> +	SYS(fail, "ip addr add %s/64 dev veth3 nodad", IPV6_LOCAL);
> +	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW1);
> +	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW2);

Trying to see if the setup can be simplified.

Does it need to add another netns and setup a reachable IPV[46]_GW[12] gateway?

The test is not sending any traffic and it is a BPF_FIB_LOOKUP_SKIP_NEIGH test.

> +	SYS(fail, "ip route add %s/32 via %s", IPV4_REMOTE_DST, IPV4_GW1);
> +	SYS(fail, "ip route add %s/32 via %s table %s", IPV4_REMOTE_DST, IPV4_GW2, MARK_TABLE);
> +	SYS(fail, "ip -6 route add %s/128 via %s", IPV6_REMOTE_DST, IPV6_GW1);
> +	SYS(fail, "ip -6 route add %s/128 via %s table %s", IPV6_REMOTE_DST, IPV6_GW2, MARK_TABLE);
> +	SYS(fail, "ip rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
> +	SYS(fail, "ip -6 rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
> +
> +	err = write_sysctl("/proc/sys/net/ipv4/conf/veth3/forwarding", "1");
> +	if (!ASSERT_OK(err, "write_sysctl(net.ipv4.conf.veth3.forwarding)"))
> +		goto fail;
> +
> +	err = write_sysctl("/proc/sys/net/ipv6/conf/veth3/forwarding", "1");
> +	if (!ASSERT_OK(err, "write_sysctl(net.ipv6.conf.veth3.forwarding)"))
> +		goto fail;
> +
>   	return 0;
>   fail:
>   	return -1;
>   }

[ ... ]

> @@ -248,6 +337,7 @@ void test_fib_lookup(void)
>   	prog_fd = bpf_program__fd(skel->progs.fib_lookup);
>   
>   	SYS(fail, "ip netns add %s", NS_TEST);
> +	SYS(fail, "ip netns add %s", NS_REMOTE);

Re: [PATCH v1 bpf-next 2/2] selftests/bpf: Add BPF_FIB_LOOKUP_MARK tests

[Anton Protopopov]

On Sat, Mar 23, 2024 at 03:34:10PM -0700, Martin KaFai Lau wrote:
> On 3/22/24 7:02 AM, Anton Protopopov wrote:
> > This patch extends the fib_lookup test suite by adding a few test
> > cases for each IP family to test the new BPF_FIB_LOOKUP_MARK flag
> > to the bpf_fib_lookup:
> > 
> >    * Test destination IP address selection with and without a mark
> >      and/or the BPF_FIB_LOOKUP_MARK flag set
> > 
> > To test this functionality another network namespace and a new veth
> > pair were added to the test.
> > 
> 
> [ ... ]
> 
> >   static const struct fib_lookup_test tests[] = {
> > @@ -90,10 +105,47 @@ static const struct fib_lookup_test tests[] = {
> >   	  .daddr = IPV6_ADDR_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> >   	  .expected_src = IPV6_IFACE_ADDR_SEC,
> >   	  .lookup_flags = BPF_FIB_LOOKUP_SRC | BPF_FIB_LOOKUP_SKIP_NEIGH, },
> > +	/* policy routing */
> > +	{ .desc = "IPv4 policy routing, default",
> > +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > +	  .expected_dst = IPV4_GW1, .ifname = "veth3",
> > +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH, },
> > +	{ .desc = "IPv4 policy routing, mark doesn't point to a policy",
> > +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > +	  .expected_dst = IPV4_GW1, .ifname = "veth3",
> > +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
> > +	  .mark = MARK_NO_POLICY, },
> > +	{ .desc = "IPv4 policy routing, mark points to a policy",
> > +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > +	  .expected_dst = IPV4_GW2, .ifname = "veth3",
> > +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
> > +	  .mark = MARK, },
> > +	{ .desc = "IPv4 policy routing, mark points to a policy, but no flag",
> > +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > +	  .expected_dst = IPV4_GW1, .ifname = "veth3",
> > +	  .lookup_flags = BPF_FIB_LOOKUP_SKIP_NEIGH,
> > +	  .mark = MARK, },
> > +	{ .desc = "IPv6 policy routing, default",
> > +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > +	  .expected_dst = IPV6_GW1, .ifname = "veth3",
> > +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH, },
> > +	{ .desc = "IPv6 policy routing, mark doesn't point to a policy",
> > +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > +	  .expected_dst = IPV6_GW1, .ifname = "veth3",
> > +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
> > +	  .mark = MARK_NO_POLICY, },
> > +	{ .desc = "IPv6 policy routing, mark points to a policy",
> > +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > +	  .expected_dst = IPV6_GW2, .ifname = "veth3",
> > +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
> > +	  .mark = MARK, },
> > +	{ .desc = "IPv6 policy routing, mark points to a policy, but no flag",
> > +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > +	  .expected_dst = IPV6_GW1, .ifname = "veth3",
> > +	  .lookup_flags = BPF_FIB_LOOKUP_SKIP_NEIGH,
> > +	  .mark = MARK, },
> >   };
> > -static int ifindex;
> > -
> >   static int setup_netns(void)
> >   {
> >   	int err;
> > @@ -144,12 +196,40 @@ static int setup_netns(void)
> >   	if (!ASSERT_OK(err, "write_sysctl(net.ipv6.conf.veth1.forwarding)"))
> >   		goto fail;
> > +	/* Setup for policy routing tests */
> > +	SYS(fail, "ip link add veth3 type veth peer name veth4");
> > +	SYS(fail, "ip link set dev veth3 up");
> > +	SYS(fail, "ip link set dev veth4 netns %s up", NS_REMOTE);
> > +
> > +	SYS(fail, "ip addr add %s/24 dev veth3", IPV4_LOCAL);
> > +	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW1);
> > +	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW2);
> > +	SYS(fail, "ip addr add %s/64 dev veth3 nodad", IPV6_LOCAL);
> > +	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW1);
> > +	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW2);
> 
> Trying to see if the setup can be simplified.
> 
> Does it need to add another netns and setup a reachable IPV[46]_GW[12] gateway?
> 
> The test is not sending any traffic and it is a BPF_FIB_LOOKUP_SKIP_NEIGH test.

I think this will not work without another namespace, as FIB lookup will
return DST="final destination", not DST="gateway", as the gateway is in the
same namespace and can be skipped.

Instead of adding a new namespace I can move the second interface to the
root namespace. This will work, but then we're interfering with the root
namespace.

> > +	SYS(fail, "ip route add %s/32 via %s", IPV4_REMOTE_DST, IPV4_GW1);
> > +	SYS(fail, "ip route add %s/32 via %s table %s", IPV4_REMOTE_DST, IPV4_GW2, MARK_TABLE);
> > +	SYS(fail, "ip -6 route add %s/128 via %s", IPV6_REMOTE_DST, IPV6_GW1);
> > +	SYS(fail, "ip -6 route add %s/128 via %s table %s", IPV6_REMOTE_DST, IPV6_GW2, MARK_TABLE);
> > +	SYS(fail, "ip rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
> > +	SYS(fail, "ip -6 rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
> > +
> > +	err = write_sysctl("/proc/sys/net/ipv4/conf/veth3/forwarding", "1");
> > +	if (!ASSERT_OK(err, "write_sysctl(net.ipv4.conf.veth3.forwarding)"))
> > +		goto fail;
> > +
> > +	err = write_sysctl("/proc/sys/net/ipv6/conf/veth3/forwarding", "1");
> > +	if (!ASSERT_OK(err, "write_sysctl(net.ipv6.conf.veth3.forwarding)"))
> > +		goto fail;
> > +
> >   	return 0;
> >   fail:
> >   	return -1;
> >   }
> 
> [ ... ]
> 
> > @@ -248,6 +337,7 @@ void test_fib_lookup(void)
> >   	prog_fd = bpf_program__fd(skel->progs.fib_lookup);
> >   	SYS(fail, "ip netns add %s", NS_TEST);
> > +	SYS(fail, "ip netns add %s", NS_REMOTE);
> 
> 

Re: [PATCH v1 bpf-next 1/2] bpf: add support for passing mark with bpf_fib_lookup

[David Ahern]

On 3/22/24 8:02 AM, Anton Protopopov wrote:
> Extend the bpf_fib_lookup() helper by making it to utilize mark if
> the BPF_FIB_LOOKUP_MARK flag is set. In order to pass the mark the
> four bytes of struct bpf_fib_lookup are used, shared with the
> output-only smac/dmac fields.
> 
> Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
> ---
>  include/uapi/linux/bpf.h       | 20 ++++++++++++++++++--
>  net/core/filter.c              | 12 +++++++++---
>  tools/include/uapi/linux/bpf.h | 20 ++++++++++++++++++--
>  3 files changed, 45 insertions(+), 7 deletions(-)
> 
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index 9585f5345353..96d57e483133 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -3394,6 +3394,10 @@ union bpf_attr {
>   *			for the nexthop. If the src addr cannot be derived,
>   *			**BPF_FIB_LKUP_RET_NO_SRC_ADDR** is returned. In this
>   *			case, *params*->dmac and *params*->smac are not set either.
> + *		**BPF_FIB_LOOKUP_MARK**
> + *			Use the mark present in *params*->mark for the fib lookup.
> + *			This option should not be used with BPF_FIB_LOOKUP_DIRECT,
> + *			as it only has meaning for full lookups.
>   *
>   *		*ctx* is either **struct xdp_md** for XDP programs or
>   *		**struct sk_buff** tc cls_act programs.
> @@ -7120,6 +7124,7 @@ enum {
>  	BPF_FIB_LOOKUP_SKIP_NEIGH = (1U << 2),
>  	BPF_FIB_LOOKUP_TBID    = (1U << 3),
>  	BPF_FIB_LOOKUP_SRC     = (1U << 4),
> +	BPF_FIB_LOOKUP_MARK    = (1U << 5),
>  };
>  
>  enum {
> @@ -7197,8 +7202,19 @@ struct bpf_fib_lookup {
>  		__u32	tbid;
>  	};
>  
> -	__u8	smac[6];     /* ETH_ALEN */
> -	__u8	dmac[6];     /* ETH_ALEN */
> +	union {
> +		/* input */
> +		struct {
> +			__u32	mark;   /* policy routing */
> +			/* 2 4-byte holes for input */
> +		};
> +
> +		/* output: source and dest mac */
> +		struct {
> +			__u8	smac[6];	/* ETH_ALEN */
> +			__u8	dmac[6];	/* ETH_ALEN */
> +		};
> +	};
>  };
>  
>  struct bpf_redir_neigh {
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 0c66e4a3fc5b..1205dd777dc2 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -5884,7 +5884,10 @@ static int bpf_ipv4_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
>  
>  		err = fib_table_lookup(tb, &fl4, &res, FIB_LOOKUP_NOREF);
>  	} else {
> -		fl4.flowi4_mark = 0;
> +		if (flags & BPF_FIB_LOOKUP_MARK)
> +			fl4.flowi4_mark = params->mark;
> +		else
> +			fl4.flowi4_mark = 0;
>  		fl4.flowi4_secid = 0;
>  		fl4.flowi4_tun_key.tun_id = 0;
>  		fl4.flowi4_uid = sock_net_uid(net, NULL);
> @@ -6027,7 +6030,10 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
>  		err = ipv6_stub->fib6_table_lookup(net, tb, oif, &fl6, &res,
>  						   strict);
>  	} else {
> -		fl6.flowi6_mark = 0;
> +		if (flags & BPF_FIB_LOOKUP_MARK)
> +			fl6.flowi6_mark = params->mark;
> +		else
> +			fl6.flowi6_mark = 0;
>  		fl6.flowi6_secid = 0;
>  		fl6.flowi6_tun_key.tun_id = 0;
>  		fl6.flowi6_uid = sock_net_uid(net, NULL);
> @@ -6105,7 +6111,7 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
>  
>  #define BPF_FIB_LOOKUP_MASK (BPF_FIB_LOOKUP_DIRECT | BPF_FIB_LOOKUP_OUTPUT | \
>  			     BPF_FIB_LOOKUP_SKIP_NEIGH | BPF_FIB_LOOKUP_TBID | \
> -			     BPF_FIB_LOOKUP_SRC)
> +			     BPF_FIB_LOOKUP_SRC | BPF_FIB_LOOKUP_MARK)
>  
>  BPF_CALL_4(bpf_xdp_fib_lookup, struct xdp_buff *, ctx,
>  	   struct bpf_fib_lookup *, params, int, plen, u32, flags)
> diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
> index bf80b614c4db..4c9b5bfbd9c6 100644
> --- a/tools/include/uapi/linux/bpf.h
> +++ b/tools/include/uapi/linux/bpf.h
> @@ -3393,6 +3393,10 @@ union bpf_attr {
>   *			for the nexthop. If the src addr cannot be derived,
>   *			**BPF_FIB_LKUP_RET_NO_SRC_ADDR** is returned. In this
>   *			case, *params*->dmac and *params*->smac are not set either.
> + *		**BPF_FIB_LOOKUP_MARK**
> + *			Use the mark present in *params*->mark for the fib lookup.
> + *			This option should not be used with BPF_FIB_LOOKUP_DIRECT,
> + *			as it only has meaning for full lookups.
>   *
>   *		*ctx* is either **struct xdp_md** for XDP programs or
>   *		**struct sk_buff** tc cls_act programs.
> @@ -7119,6 +7123,7 @@ enum {
>  	BPF_FIB_LOOKUP_SKIP_NEIGH = (1U << 2),
>  	BPF_FIB_LOOKUP_TBID    = (1U << 3),
>  	BPF_FIB_LOOKUP_SRC     = (1U << 4),
> +	BPF_FIB_LOOKUP_MARK    = (1U << 5),
>  };
>  
>  enum {
> @@ -7196,8 +7201,19 @@ struct bpf_fib_lookup {
>  		__u32	tbid;
>  	};
>  
> -	__u8	smac[6];     /* ETH_ALEN */
> -	__u8	dmac[6];     /* ETH_ALEN */
> +	union {
> +		/* input */
> +		struct {
> +			__u32	mark;   /* policy routing */
> +			/* 2 4-byte holes for input */
> +		};
> +
> +		/* output: source and dest mac */
> +		struct {
> +			__u8	smac[6];	/* ETH_ALEN */
> +			__u8	dmac[6];	/* ETH_ALEN */
> +		};
> +	};
>  };
>  
>  struct bpf_redir_neigh {

It would be good to add

static_assert(sizeof(struct bpf_fib_lookup) == 64, "bpf_fib_lookup size
check");

to ensure this struct never exceeds a cacheline.

The patch itself looks good to me:

Reviewed-by: David Ahern <dsahern@kernel.org>

Re: [PATCH v1 bpf-next 1/2] bpf: add support for passing mark with bpf_fib_lookup

[Anton Protopopov]

On Sun, Mar 24, 2024 at 11:38:44AM -0600, David Ahern wrote:
> On 3/22/24 8:02 AM, Anton Protopopov wrote:
> > Extend the bpf_fib_lookup() helper by making it to utilize mark if
> > the BPF_FIB_LOOKUP_MARK flag is set. In order to pass the mark the
> > four bytes of struct bpf_fib_lookup are used, shared with the
> > output-only smac/dmac fields.
> > 
> > Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
> > Acked-by: Daniel Borkmann <daniel@iogearbox.net>
> > ---
> >  include/uapi/linux/bpf.h       | 20 ++++++++++++++++++--
> >  net/core/filter.c              | 12 +++++++++---
> >  tools/include/uapi/linux/bpf.h | 20 ++++++++++++++++++--
> >  3 files changed, 45 insertions(+), 7 deletions(-)
> > 
> > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > index 9585f5345353..96d57e483133 100644
> > --- a/include/uapi/linux/bpf.h
> > +++ b/include/uapi/linux/bpf.h
> > @@ -3394,6 +3394,10 @@ union bpf_attr {
> >   *			for the nexthop. If the src addr cannot be derived,
> >   *			**BPF_FIB_LKUP_RET_NO_SRC_ADDR** is returned. In this
> >   *			case, *params*->dmac and *params*->smac are not set either.
> > + *		**BPF_FIB_LOOKUP_MARK**
> > + *			Use the mark present in *params*->mark for the fib lookup.
> > + *			This option should not be used with BPF_FIB_LOOKUP_DIRECT,
> > + *			as it only has meaning for full lookups.
> >   *
> >   *		*ctx* is either **struct xdp_md** for XDP programs or
> >   *		**struct sk_buff** tc cls_act programs.
> > @@ -7120,6 +7124,7 @@ enum {
> >  	BPF_FIB_LOOKUP_SKIP_NEIGH = (1U << 2),
> >  	BPF_FIB_LOOKUP_TBID    = (1U << 3),
> >  	BPF_FIB_LOOKUP_SRC     = (1U << 4),
> > +	BPF_FIB_LOOKUP_MARK    = (1U << 5),
> >  };
> >  
> >  enum {
> > @@ -7197,8 +7202,19 @@ struct bpf_fib_lookup {
> >  		__u32	tbid;
> >  	};
> >  
> > -	__u8	smac[6];     /* ETH_ALEN */
> > -	__u8	dmac[6];     /* ETH_ALEN */
> > +	union {
> > +		/* input */
> > +		struct {
> > +			__u32	mark;   /* policy routing */
> > +			/* 2 4-byte holes for input */
> > +		};
> > +
> > +		/* output: source and dest mac */
> > +		struct {
> > +			__u8	smac[6];	/* ETH_ALEN */
> > +			__u8	dmac[6];	/* ETH_ALEN */
> > +		};
> > +	};
> >  };
> >  
> >  struct bpf_redir_neigh {
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index 0c66e4a3fc5b..1205dd777dc2 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -5884,7 +5884,10 @@ static int bpf_ipv4_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
> >  
> >  		err = fib_table_lookup(tb, &fl4, &res, FIB_LOOKUP_NOREF);
> >  	} else {
> > -		fl4.flowi4_mark = 0;
> > +		if (flags & BPF_FIB_LOOKUP_MARK)
> > +			fl4.flowi4_mark = params->mark;
> > +		else
> > +			fl4.flowi4_mark = 0;
> >  		fl4.flowi4_secid = 0;
> >  		fl4.flowi4_tun_key.tun_id = 0;
> >  		fl4.flowi4_uid = sock_net_uid(net, NULL);
> > @@ -6027,7 +6030,10 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
> >  		err = ipv6_stub->fib6_table_lookup(net, tb, oif, &fl6, &res,
> >  						   strict);
> >  	} else {
> > -		fl6.flowi6_mark = 0;
> > +		if (flags & BPF_FIB_LOOKUP_MARK)
> > +			fl6.flowi6_mark = params->mark;
> > +		else
> > +			fl6.flowi6_mark = 0;
> >  		fl6.flowi6_secid = 0;
> >  		fl6.flowi6_tun_key.tun_id = 0;
> >  		fl6.flowi6_uid = sock_net_uid(net, NULL);
> > @@ -6105,7 +6111,7 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
> >  
> >  #define BPF_FIB_LOOKUP_MASK (BPF_FIB_LOOKUP_DIRECT | BPF_FIB_LOOKUP_OUTPUT | \
> >  			     BPF_FIB_LOOKUP_SKIP_NEIGH | BPF_FIB_LOOKUP_TBID | \
> > -			     BPF_FIB_LOOKUP_SRC)
> > +			     BPF_FIB_LOOKUP_SRC | BPF_FIB_LOOKUP_MARK)
> >  
> >  BPF_CALL_4(bpf_xdp_fib_lookup, struct xdp_buff *, ctx,
> >  	   struct bpf_fib_lookup *, params, int, plen, u32, flags)
> > diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
> > index bf80b614c4db..4c9b5bfbd9c6 100644
> > --- a/tools/include/uapi/linux/bpf.h
> > +++ b/tools/include/uapi/linux/bpf.h
> > @@ -3393,6 +3393,10 @@ union bpf_attr {
> >   *			for the nexthop. If the src addr cannot be derived,
> >   *			**BPF_FIB_LKUP_RET_NO_SRC_ADDR** is returned. In this
> >   *			case, *params*->dmac and *params*->smac are not set either.
> > + *		**BPF_FIB_LOOKUP_MARK**
> > + *			Use the mark present in *params*->mark for the fib lookup.
> > + *			This option should not be used with BPF_FIB_LOOKUP_DIRECT,
> > + *			as it only has meaning for full lookups.
> >   *
> >   *		*ctx* is either **struct xdp_md** for XDP programs or
> >   *		**struct sk_buff** tc cls_act programs.
> > @@ -7119,6 +7123,7 @@ enum {
> >  	BPF_FIB_LOOKUP_SKIP_NEIGH = (1U << 2),
> >  	BPF_FIB_LOOKUP_TBID    = (1U << 3),
> >  	BPF_FIB_LOOKUP_SRC     = (1U << 4),
> > +	BPF_FIB_LOOKUP_MARK    = (1U << 5),
> >  };
> >  
> >  enum {
> > @@ -7196,8 +7201,19 @@ struct bpf_fib_lookup {
> >  		__u32	tbid;
> >  	};
> >  
> > -	__u8	smac[6];     /* ETH_ALEN */
> > -	__u8	dmac[6];     /* ETH_ALEN */
> > +	union {
> > +		/* input */
> > +		struct {
> > +			__u32	mark;   /* policy routing */
> > +			/* 2 4-byte holes for input */
> > +		};
> > +
> > +		/* output: source and dest mac */
> > +		struct {
> > +			__u8	smac[6];	/* ETH_ALEN */
> > +			__u8	dmac[6];	/* ETH_ALEN */
> > +		};
> > +	};
> >  };
> >  
> >  struct bpf_redir_neigh {
> 
> It would be good to add
> 
> static_assert(sizeof(struct bpf_fib_lookup) == 64, "bpf_fib_lookup size
> check");
> 
> to ensure this struct never exceeds a cacheline.

Thanks, added: https://github.com/aspsk/bpf-next/commit/7cd3685e52d5

> 
> The patch itself looks good to me:
> 
> Reviewed-by: David Ahern <dsahern@kernel.org>

Thanks!

Re: [PATCH v1 bpf-next 2/2] selftests/bpf: Add BPF_FIB_LOOKUP_MARK tests

[Martin KaFai Lau]

On 3/24/24 8:04 AM, Anton Protopopov wrote:
> On Sat, Mar 23, 2024 at 03:34:10PM -0700, Martin KaFai Lau wrote:
>> On 3/22/24 7:02 AM, Anton Protopopov wrote:
>>> This patch extends the fib_lookup test suite by adding a few test
>>> cases for each IP family to test the new BPF_FIB_LOOKUP_MARK flag
>>> to the bpf_fib_lookup:
>>>
>>>     * Test destination IP address selection with and without a mark
>>>       and/or the BPF_FIB_LOOKUP_MARK flag set
>>>
>>> To test this functionality another network namespace and a new veth
>>> pair were added to the test.
>>>
>>
>> [ ... ]
>>
>>>    static const struct fib_lookup_test tests[] = {
>>> @@ -90,10 +105,47 @@ static const struct fib_lookup_test tests[] = {
>>>    	  .daddr = IPV6_ADDR_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
>>>    	  .expected_src = IPV6_IFACE_ADDR_SEC,
>>>    	  .lookup_flags = BPF_FIB_LOOKUP_SRC | BPF_FIB_LOOKUP_SKIP_NEIGH, },
>>> +	/* policy routing */
>>> +	{ .desc = "IPv4 policy routing, default",
>>> +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
>>> +	  .expected_dst = IPV4_GW1, .ifname = "veth3",
>>> +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH, },
>>> +	{ .desc = "IPv4 policy routing, mark doesn't point to a policy",
>>> +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
>>> +	  .expected_dst = IPV4_GW1, .ifname = "veth3",
>>> +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
>>> +	  .mark = MARK_NO_POLICY, },
>>> +	{ .desc = "IPv4 policy routing, mark points to a policy",
>>> +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
>>> +	  .expected_dst = IPV4_GW2, .ifname = "veth3",
>>> +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
>>> +	  .mark = MARK, },
>>> +	{ .desc = "IPv4 policy routing, mark points to a policy, but no flag",
>>> +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
>>> +	  .expected_dst = IPV4_GW1, .ifname = "veth3",
>>> +	  .lookup_flags = BPF_FIB_LOOKUP_SKIP_NEIGH,
>>> +	  .mark = MARK, },
>>> +	{ .desc = "IPv6 policy routing, default",
>>> +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
>>> +	  .expected_dst = IPV6_GW1, .ifname = "veth3",
>>> +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH, },
>>> +	{ .desc = "IPv6 policy routing, mark doesn't point to a policy",
>>> +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
>>> +	  .expected_dst = IPV6_GW1, .ifname = "veth3",
>>> +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
>>> +	  .mark = MARK_NO_POLICY, },
>>> +	{ .desc = "IPv6 policy routing, mark points to a policy",
>>> +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
>>> +	  .expected_dst = IPV6_GW2, .ifname = "veth3",
>>> +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
>>> +	  .mark = MARK, },
>>> +	{ .desc = "IPv6 policy routing, mark points to a policy, but no flag",
>>> +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
>>> +	  .expected_dst = IPV6_GW1, .ifname = "veth3",
>>> +	  .lookup_flags = BPF_FIB_LOOKUP_SKIP_NEIGH,
>>> +	  .mark = MARK, },
>>>    };
>>> -static int ifindex;
>>> -
>>>    static int setup_netns(void)
>>>    {
>>>    	int err;
>>> @@ -144,12 +196,40 @@ static int setup_netns(void)
>>>    	if (!ASSERT_OK(err, "write_sysctl(net.ipv6.conf.veth1.forwarding)"))
>>>    		goto fail;
>>> +	/* Setup for policy routing tests */
>>> +	SYS(fail, "ip link add veth3 type veth peer name veth4");
>>> +	SYS(fail, "ip link set dev veth3 up");
>>> +	SYS(fail, "ip link set dev veth4 netns %s up", NS_REMOTE);
>>> +
>>> +	SYS(fail, "ip addr add %s/24 dev veth3", IPV4_LOCAL);
>>> +	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW1);
>>> +	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW2);
>>> +	SYS(fail, "ip addr add %s/64 dev veth3 nodad", IPV6_LOCAL);
>>> +	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW1);
>>> +	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW2);
>>
>> Trying to see if the setup can be simplified.
>>
>> Does it need to add another netns and setup a reachable IPV[46]_GW[12] gateway?
>>
>> The test is not sending any traffic and it is a BPF_FIB_LOOKUP_SKIP_NEIGH test.
> 
> I think this will not work without another namespace, as FIB lookup will
> return DST="final destination", not DST="gateway", as the gateway is in the
> same namespace and can be skipped.

hmm... not sure I understand why it would get "final destination". Am I missing something?
To be specific, there is no need to configure the IPV[46]_GW[12] address:

-	SYS(fail, "ip link set dev veth4 netns %s up", NS_REMOTE);

	SYS(fail, "ip addr add %s/24 dev veth3", IPV4_LOCAL);
-	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW1);
-	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW2);
	SYS(fail, "ip addr add %s/64 dev veth3 nodad", IPV6_LOCAL);
-	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW1);
-	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW2);
	SYS(fail, "ip route add %s/32 via %s", IPV4_REMOTE_DST, IPV4_GW1);
	SYS(fail, "ip route add %s/32 via %s table %s", IPV4_REMOTE_DST, IPV4_GW2, MARK_TABLE);
	SYS(fail, "ip -6 route add %s/128 via %s", IPV6_REMOTE_DST, IPV6_GW1);
	SYS(fail, "ip -6 route add %s/128 via %s table %s", IPV6_REMOTE_DST, IPV6_GW2, MARK_TABLE);
	SYS(fail, "ip rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
	SYS(fail, "ip -6 rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);

[root@arch-fb-vm1 ~]# ip netns exec fib_lookup_ns /bin/bash

[root@arch-fb-vm1 ~]# ip -6 rule
0:	from all lookup local
2:	from all fwmark 0x2a lookup 200
32766:	from all lookup main

[root@arch-fb-vm1 ~]# ip -6 route show table main
be:ef::b0:10 via fd01::1 dev veth3 metric 1024 linkdown pref medium

[root@arch-fb-vm1 ~]# ip -6 route show table 200
be:ef::b0:10 via fd01::2 dev veth3 metric 1024 linkdown pref medium

[root@arch-fb-vm1 ~]# ip -6 route get be:ef::b0:10
be:ef::b0:10 from :: via fd01::1 dev veth3 src fd01::3 metric 1024 pref medium

[root@arch-fb-vm1 ~]# ip -6 route get be:ef::b0:10 mark 0x2a
be:ef::b0:10 from :: via fd01::2 dev veth3 table 200 src fd01::3 metric 1024 pref medium

> 
> Instead of adding a new namespace I can move the second interface to the
> root namespace. This will work, but then we're interfering with the root
> namespace.
> 
>>> +	SYS(fail, "ip route add %s/32 via %s", IPV4_REMOTE_DST, IPV4_GW1);
>>> +	SYS(fail, "ip route add %s/32 via %s table %s", IPV4_REMOTE_DST, IPV4_GW2, MARK_TABLE);
>>> +	SYS(fail, "ip -6 route add %s/128 via %s", IPV6_REMOTE_DST, IPV6_GW1);
>>> +	SYS(fail, "ip -6 route add %s/128 via %s table %s", IPV6_REMOTE_DST, IPV6_GW2, MARK_TABLE);
>>> +	SYS(fail, "ip rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
>>> +	SYS(fail, "ip -6 rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
>>> +
>>> +	err = write_sysctl("/proc/sys/net/ipv4/conf/veth3/forwarding", "1");
>>> +	if (!ASSERT_OK(err, "write_sysctl(net.ipv4.conf.veth3.forwarding)"))
>>> +		goto fail;
>>> +
>>> +	err = write_sysctl("/proc/sys/net/ipv6/conf/veth3/forwarding", "1");
>>> +	if (!ASSERT_OK(err, "write_sysctl(net.ipv6.conf.veth3.forwarding)"))
>>> +		goto fail;
>>> +
>>>    	return 0;
>>>    fail:
>>>    	return -1;
>>>    }
>>
>> [ ... ]
>>
>>> @@ -248,6 +337,7 @@ void test_fib_lookup(void)
>>>    	prog_fd = bpf_program__fd(skel->progs.fib_lookup);
>>>    	SYS(fail, "ip netns add %s", NS_TEST);
>>> +	SYS(fail, "ip netns add %s", NS_REMOTE);
>>
>>

Re: [PATCH v1 bpf-next 2/2] selftests/bpf: Add BPF_FIB_LOOKUP_MARK tests

[Anton Protopopov]

On Mon, Mar 25, 2024 at 11:12:39AM -0700, Martin KaFai Lau wrote:
> On 3/24/24 8:04 AM, Anton Protopopov wrote:
> > On Sat, Mar 23, 2024 at 03:34:10PM -0700, Martin KaFai Lau wrote:
> > > On 3/22/24 7:02 AM, Anton Protopopov wrote:
> > > > This patch extends the fib_lookup test suite by adding a few test
> > > > cases for each IP family to test the new BPF_FIB_LOOKUP_MARK flag
> > > > to the bpf_fib_lookup:
> > > > 
> > > >     * Test destination IP address selection with and without a mark
> > > >       and/or the BPF_FIB_LOOKUP_MARK flag set
> > > > 
> > > > To test this functionality another network namespace and a new veth
> > > > pair were added to the test.
> > > > 
> > > 
> > > [ ... ]
> > > 
> > > >    static const struct fib_lookup_test tests[] = {
> > > > @@ -90,10 +105,47 @@ static const struct fib_lookup_test tests[] = {
> > > >    	  .daddr = IPV6_ADDR_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > > >    	  .expected_src = IPV6_IFACE_ADDR_SEC,
> > > >    	  .lookup_flags = BPF_FIB_LOOKUP_SRC | BPF_FIB_LOOKUP_SKIP_NEIGH, },
> > > > +	/* policy routing */
> > > > +	{ .desc = "IPv4 policy routing, default",
> > > > +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > > > +	  .expected_dst = IPV4_GW1, .ifname = "veth3",
> > > > +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH, },
> > > > +	{ .desc = "IPv4 policy routing, mark doesn't point to a policy",
> > > > +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > > > +	  .expected_dst = IPV4_GW1, .ifname = "veth3",
> > > > +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
> > > > +	  .mark = MARK_NO_POLICY, },
> > > > +	{ .desc = "IPv4 policy routing, mark points to a policy",
> > > > +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > > > +	  .expected_dst = IPV4_GW2, .ifname = "veth3",
> > > > +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
> > > > +	  .mark = MARK, },
> > > > +	{ .desc = "IPv4 policy routing, mark points to a policy, but no flag",
> > > > +	  .daddr = IPV4_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > > > +	  .expected_dst = IPV4_GW1, .ifname = "veth3",
> > > > +	  .lookup_flags = BPF_FIB_LOOKUP_SKIP_NEIGH,
> > > > +	  .mark = MARK, },
> > > > +	{ .desc = "IPv6 policy routing, default",
> > > > +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > > > +	  .expected_dst = IPV6_GW1, .ifname = "veth3",
> > > > +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH, },
> > > > +	{ .desc = "IPv6 policy routing, mark doesn't point to a policy",
> > > > +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > > > +	  .expected_dst = IPV6_GW1, .ifname = "veth3",
> > > > +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
> > > > +	  .mark = MARK_NO_POLICY, },
> > > > +	{ .desc = "IPv6 policy routing, mark points to a policy",
> > > > +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > > > +	  .expected_dst = IPV6_GW2, .ifname = "veth3",
> > > > +	  .lookup_flags = BPF_FIB_LOOKUP_MARK | BPF_FIB_LOOKUP_SKIP_NEIGH,
> > > > +	  .mark = MARK, },
> > > > +	{ .desc = "IPv6 policy routing, mark points to a policy, but no flag",
> > > > +	  .daddr = IPV6_REMOTE_DST, .expected_ret = BPF_FIB_LKUP_RET_SUCCESS,
> > > > +	  .expected_dst = IPV6_GW1, .ifname = "veth3",
> > > > +	  .lookup_flags = BPF_FIB_LOOKUP_SKIP_NEIGH,
> > > > +	  .mark = MARK, },
> > > >    };
> > > > -static int ifindex;
> > > > -
> > > >    static int setup_netns(void)
> > > >    {
> > > >    	int err;
> > > > @@ -144,12 +196,40 @@ static int setup_netns(void)
> > > >    	if (!ASSERT_OK(err, "write_sysctl(net.ipv6.conf.veth1.forwarding)"))
> > > >    		goto fail;
> > > > +	/* Setup for policy routing tests */
> > > > +	SYS(fail, "ip link add veth3 type veth peer name veth4");
> > > > +	SYS(fail, "ip link set dev veth3 up");
> > > > +	SYS(fail, "ip link set dev veth4 netns %s up", NS_REMOTE);
> > > > +
> > > > +	SYS(fail, "ip addr add %s/24 dev veth3", IPV4_LOCAL);
> > > > +	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW1);
> > > > +	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW2);
> > > > +	SYS(fail, "ip addr add %s/64 dev veth3 nodad", IPV6_LOCAL);
> > > > +	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW1);
> > > > +	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW2);
> > > 
> > > Trying to see if the setup can be simplified.
> > > 
> > > Does it need to add another netns and setup a reachable IPV[46]_GW[12] gateway?
> > > 
> > > The test is not sending any traffic and it is a BPF_FIB_LOOKUP_SKIP_NEIGH test.
> > 
> > I think this will not work without another namespace, as FIB lookup will
> > return DST="final destination", not DST="gateway", as the gateway is in the
> > same namespace and can be skipped.
> 
> hmm... not sure I understand why it would get "final destination". Am I missing something?
> To be specific, there is no need to configure the IPV[46]_GW[12] address:
> 
> -	SYS(fail, "ip link set dev veth4 netns %s up", NS_REMOTE);
> 
> 	SYS(fail, "ip addr add %s/24 dev veth3", IPV4_LOCAL);
> -	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW1);
> -	SYS(fail, "ip netns exec %s ip addr add %s/24 dev veth4", NS_REMOTE, IPV4_GW2);
> 	SYS(fail, "ip addr add %s/64 dev veth3 nodad", IPV6_LOCAL);
> -	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW1);
> -	SYS(fail, "ip netns exec %s ip addr add %s/64 dev veth4 nodad", NS_REMOTE, IPV6_GW2);
> 	SYS(fail, "ip route add %s/32 via %s", IPV4_REMOTE_DST, IPV4_GW1);
> 	SYS(fail, "ip route add %s/32 via %s table %s", IPV4_REMOTE_DST, IPV4_GW2, MARK_TABLE);
> 	SYS(fail, "ip -6 route add %s/128 via %s", IPV6_REMOTE_DST, IPV6_GW1);
> 	SYS(fail, "ip -6 route add %s/128 via %s table %s", IPV6_REMOTE_DST, IPV6_GW2, MARK_TABLE);
> 	SYS(fail, "ip rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
> 	SYS(fail, "ip -6 rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
> 
> [root@arch-fb-vm1 ~]# ip netns exec fib_lookup_ns /bin/bash
> 
> [root@arch-fb-vm1 ~]# ip -6 rule
> 0:	from all lookup local
> 2:	from all fwmark 0x2a lookup 200
> 32766:	from all lookup main
> 
> [root@arch-fb-vm1 ~]# ip -6 route show table main
> be:ef::b0:10 via fd01::1 dev veth3 metric 1024 linkdown pref medium
> 
> [root@arch-fb-vm1 ~]# ip -6 route show table 200
> be:ef::b0:10 via fd01::2 dev veth3 metric 1024 linkdown pref medium
> 
> [root@arch-fb-vm1 ~]# ip -6 route get be:ef::b0:10
> be:ef::b0:10 from :: via fd01::1 dev veth3 src fd01::3 metric 1024 pref medium
> 
> [root@arch-fb-vm1 ~]# ip -6 route get be:ef::b0:10 mark 0x2a
> be:ef::b0:10 from :: via fd01::2 dev veth3 table 200 src fd01::3 metric 1024 pref medium

Ok, thanks. I will send a v2 with a simplified test

> > 
> > Instead of adding a new namespace I can move the second interface to the
> > root namespace. This will work, but then we're interfering with the root
> > namespace.
> > 
> > > > +	SYS(fail, "ip route add %s/32 via %s", IPV4_REMOTE_DST, IPV4_GW1);
> > > > +	SYS(fail, "ip route add %s/32 via %s table %s", IPV4_REMOTE_DST, IPV4_GW2, MARK_TABLE);
> > > > +	SYS(fail, "ip -6 route add %s/128 via %s", IPV6_REMOTE_DST, IPV6_GW1);
> > > > +	SYS(fail, "ip -6 route add %s/128 via %s table %s", IPV6_REMOTE_DST, IPV6_GW2, MARK_TABLE);
> > > > +	SYS(fail, "ip rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
> > > > +	SYS(fail, "ip -6 rule add prio 2 fwmark %d lookup %s", MARK, MARK_TABLE);
> > > > +
> > > > +	err = write_sysctl("/proc/sys/net/ipv4/conf/veth3/forwarding", "1");
> > > > +	if (!ASSERT_OK(err, "write_sysctl(net.ipv4.conf.veth3.forwarding)"))
> > > > +		goto fail;
> > > > +
> > > > +	err = write_sysctl("/proc/sys/net/ipv6/conf/veth3/forwarding", "1");
> > > > +	if (!ASSERT_OK(err, "write_sysctl(net.ipv6.conf.veth3.forwarding)"))
> > > > +		goto fail;
> > > > +
> > > >    	return 0;
> > > >    fail:
> > > >    	return -1;
> > > >    }
> > > 
> > > [ ... ]
> > > 
> > > > @@ -248,6 +337,7 @@ void test_fib_lookup(void)
> > > >    	prog_fd = bpf_program__fd(skel->progs.fib_lookup);
> > > >    	SYS(fail, "ip netns add %s", NS_TEST);
> > > > +	SYS(fail, "ip netns add %s", NS_REMOTE);
> > > 
> > > 
>