Skip to content

bpf:ipsec: extend bpf tests for ipsec_maybe_redirect_to_encrypt #39623

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
May 27, 2025
Merged

bpf:ipsec: extend bpf tests for ipsec_maybe_redirect_to_encrypt #39623

merged 10 commits into from
May 27, 2025

Conversation

smagnani96
Copy link
Contributor

@smagnani96 smagnani96 commented May 19, 2025
edited
Loading

Being hugely inspired by b824305, especially for infrastructure and subset of tests to run. Had to refactor a lot of stuff though, and tried to modify the infra so that we just have 2 files, native and tunnel. Inside each of them, they now test both IPv4 and IPv6.

In brief, this patch covers tests for ipsec_maybe_redirect_to_encrypt() with:

  1. Native IPv4 packet
  2. Native IPv6 packet
  3. VXLANv4-InnerIPv4 packet
  4. VXLANv4-InnerIPv6 packet

In addition, this patch lands the infra for the following tests, which cannot be enabled yet (MBOI for/after #39620):

  1. VXLANv6-InnerIPV4
  2. VXLANv6-InnerIPV6

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 19, 2025
@smagnani96 smagnani96 force-pushed the pr/smagnani96/vine-bpf-test branch 2 times, most recently from 6056013 to f6f71be Compare May 19, 2025 20:10
@smagnani96 smagnani96 added kind/enhancement This would improve or streamline existing functionality. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/misc This PR makes changes that have no direct user impact. feature/ipsec Relates to Cilium's IPsec feature labels May 20, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 20, 2025
@smagnani96 smagnani96 force-pushed the pr/smagnani96/vine-bpf-test branch from f6f71be to aacee97 Compare May 20, 2025 13:21
@smagnani96
Copy link
Contributor Author

/test

@smagnani96 smagnani96 self-assigned this May 21, 2025
@smagnani96 smagnani96 marked this pull request as ready for review May 21, 2025 11:42
@smagnani96 smagnani96 requested a review from a team as a code owner May 21, 2025 11:42
@smagnani96 smagnani96 requested a review from YutaroHayakawa May 21, 2025 11:42
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 21, 2025
@julianwiedmann julianwiedmann added release-note/ci This PR makes changes to the CI. and removed release-note/misc This PR makes changes that have no direct user impact. labels May 22, 2025
julianwiedmann
julianwiedmann reviewed May 22, 2025
View reviewed changes
Copy link
Member

@julianwiedmann julianwiedmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👋 just a few comments inline, since this area is dear to my heart :). Feel free to decline / defer to a follow-up PR.

smagnani96 added 10 commits May 22, 2025 09:35
@smagnani96
bpf:tests: add pktgen helpers for VXLANv6 underlay and VXLANv4-InnerV6
f071962 
This land basic helpers to push:

1. IPv6 underlay VXLAN: despite not being yet fully supported, this commit
   adds helpers that can be then used for testing when landing support.
2. IPv6 inner packets rather than manually having to do it step-by-step

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96
bpf:tests: VXLAN helpers support for ipsec_maybe_redirect_to_encrypt
08ef0fe 
This commit lands support to our bpf unit test suite for subsequent
commits in which we need to generate either native and VXLAN packets
for checking the ipsec egress hook function.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96
bpf:tests: adjust native IPv4 tests for ipsec_maybe_redirect_to_encrypt
b6b479d 
This takes the current test for calling ipsec_maybe_redirect_to_encrypt
with a native packet into inline function, which accept a parameter to
determine whether the packet is ipv4 or ipv6. This is useful to introduce
IPv6 support in subsequent commit.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96
bpf:tests: add native IPv6 tests for ipsec_maybe_redirect_to_encrypt
005edf5 
Given the refactor in the previous commit, let's now enable also
ipsec_maybe_redirect_to_encrypt tests for native IPv6 packets.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96
bpf:tests: native IPv4 bad ids for ipsec_maybe_redirect_to_encrypt
7464186 
This adds a separate IPv4 test case when calling ipsec_maybe_redirect_to_encrypt
with a native packet to make sure that, given wrong identities, the hook
does not encrypt the packet.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96
bpf:tests: add native IPv6 bad ids for ipsec_maybe_redirect_to_encrypt
6973d69 
Similar as in previous commit, let's now also enable bad identities tests
for native IPv6 packets when calling ipsec_maybe_redirect_to_encrypt, to
make sure packets don't get encrypted.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96
bpf:tests: VXLANv4-InnerIPv4 tests for ipsec_maybe_redirect_to_encrypt
4e95911 
Similar as in previous commits, let's now add additional tests for the
ipsec_maybe_redirect_to_encrypt hook when being called with an overlay
IPv4 packet containing an inner IPv4 packet. Given it is overlay, we now
expect it to always be encrypted, expect when already encrypted and marked
with the MARK_MAGIC_OVERLAY_ENCRYPTED mark.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96
bpf:tests: VXLANv4-InnerIPv6 tests for ipsec_maybe_redirect_to_encrypt
4a778c1 
Complementary to the previous commit, let's now also add tests when having
and IPv4 overlay packet with an inner IPv6 packet.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96
bpf:tests: VXLANv6-InnerIPv4 tests for ipsec_maybe_redirect_to_encrypt
ab8a9d7 
Complementary to the previous commit, let's now also add tests when having
and IPv6 overlay packet with an inner IPv4 packet.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96
bpf:tests: VXLANv6-InnerIPv6 tests for ipsec_maybe_redirect_to_encrypt
476b33b 
Complementary to the previous commit, let's now also add tests when having
and IPv6 overlay packet with an inner IPv6 packet.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96 smagnani96 force-pushed the pr/smagnani96/vine-bpf-test branch from aacee97 to 476b33b Compare May 22, 2025 13:48
@smagnani96
Copy link
Contributor Author

/test

@smagnani96 smagnani96 requested a review from julianwiedmann May 22, 2025 14:56
@maintainer-s-little-helper maintainer-s-little-helper bot removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 27, 2025
@julianwiedmann julianwiedmann added this pull request to the merge queue May 27, 2025
Merged via the queue into main with commit c967d7b May 27, 2025
79 checks passed
@julianwiedmann julianwiedmann deleted the pr/smagnani96/vine-bpf-test branch May 27, 2025 06:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YutaroHayakawa YutaroHayakawa YutaroHayakawa approved these changes

@julianwiedmann julianwiedmann Awaiting requested review from julianwiedmann

Assignees

@smagnani96 smagnani96

Labels
area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipsec Relates to Cilium's IPsec feature kind/enhancement This would improve or streamline existing functionality. release-note/ci This PR makes changes to the CI.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@smagnani96 @YutaroHayakawa @julianwiedmann