Loading samples/bpf/tcbpf2_kern.c +16 −0 Original line number Diff line number Diff line Loading @@ -593,4 +593,20 @@ int _ip6ip6_get_tunnel(struct __sk_buff *skb) return TC_ACT_OK; } SEC("xfrm_get_state") int _xfrm_get_state(struct __sk_buff *skb) { struct bpf_xfrm_state x; char fmt[] = "reqid %d spi 0x%x remote ip 0x%x\n"; int ret; ret = bpf_skb_get_xfrm_state(skb, 0, &x, sizeof(x), 0); if (ret < 0) return TC_ACT_OK; bpf_trace_printk(fmt, sizeof(fmt), x.reqid, bpf_ntohl(x.spi), bpf_ntohl(x.remote_ipv4)); return TC_ACT_OK; } char _license[] SEC("license") = "GPL"; samples/bpf/test_tunnel_bpf.sh +71 −0 Original line number Diff line number Diff line Loading 
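Review bot: `_xfrm_get_state` formats `x.remote_ipv4` without looking at `x.family`, so for an IPv6 SA the trace line would show the first word of `remote_ipv6` as if it were an IPv4 address. `remote_ipv4` and `remote_ipv6` share a union and `family` is what selects the valid member, so the sample should filter on it before printing, e.g. `if (ret < 0 || x.family != AF_INET) return TC_ACT_OK;` (whichever header the sample already includes provides the AF_INET constant; confirm). `reqid` is a `__u32`, so `%u` rather than `%d` in `fmt` is the matching conversion; it only changes output for values above INT_MAX but keeps the format honest. The whole function sits inside this hunk.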
@@ -155,6 +155,57 @@ function add_ipip_tunnel { ip addr add dev $DEV 10.1.1.200/24 } function setup_xfrm_tunnel { auth=0x$(printf '1%.0s' {1..40}) enc=0x$(printf '2%.0s' {1..32}) spi_in_to_out=0x1 spi_out_to_in=0x2 # in namespace # in -> out ip netns exec at_ns0 \ ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \ spi $spi_in_to_out reqid 1 mode tunnel \ auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc ip netns exec at_ns0 \ ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir out \ tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \ mode tunnel # out -> in ip netns exec at_ns0 \ ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \ spi $spi_out_to_in reqid 2 mode tunnel \ auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc ip netns exec at_ns0 \ ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir in \ tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \ mode tunnel # address & route ip netns exec at_ns0 \ ip addr add dev veth0 10.1.1.100/32 ip netns exec at_ns0 \ ip route add 10.1.1.200 dev veth0 via 172.16.1.200 \ src 10.1.1.100 # out of namespace # in -> out ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \ spi $spi_in_to_out reqid 1 mode tunnel \ auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir in \ tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \ mode tunnel # out -> in ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \ spi $spi_out_to_in reqid 2 mode tunnel \ auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir out \ tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \ mode tunnel # address & route ip addr add dev veth1 10.1.1.200/32 ip route add 10.1.1.100 dev veth1 via 172.16.1.100 src 10.1.1.200 } function attach_bpf { DEV=$1 SET_TUNNEL=$2 Loading Loading 
@@ -278,6 +329,22 @@ function test_ipip { cleanup } function test_xfrm_tunnel { config_device tcpdump -nei veth1 ip & output=$(mktemp) cat /sys/kernel/debug/tracing/trace_pipe | tee $output & setup_xfrm_tunnel tc qdisc add dev veth1 clsact tc filter add dev veth1 proto ip ingress bpf da obj tcbpf2_kern.o \ sec xfrm_get_state ip netns exec at_ns0 ping -c 1 10.1.1.200 grep "reqid 1" $output grep "spi 0x1" $output grep "remote ip 0xac100164" $output cleanup } function cleanup { set +ex pkill iperf Loading @@ -291,6 +358,8 @@ function cleanup { ip link del geneve11 ip link del erspan11 ip link del ip6erspan11 ip x s flush ip x p flush pkill tcpdump pkill cat set -ex Loading @@ -316,4 +385,6 @@ echo "Testing GENEVE tunnel..." test_geneve echo "Testing IPIP tunnel..." test_ipip echo "Testing IPSec tunnel..." test_xfrm_tunnel echo "*** PASS ***" tools/include/uapi/linux/bpf.h +24 −1 Original line number Diff line number Diff line Loading @@ -774,6 +774,15 @@ union bpf_attr { * @xdp_md: pointer to xdp_md * @delta: A negative integer to be added to xdp_md.data_end * Return: 0 on success or negative on error * * int bpf_skb_get_xfrm_state(skb, index, xfrm_state, size, flags) * retrieve XFRM state * @skb: pointer to skb * @index: index of the xfrm state in the secpath * @key: pointer to 'struct bpf_xfrm_state' * @size: size of 'struct bpf_xfrm_state' * @flags: room for future extensions * Return: 0 on success or negative error */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ Loading Loading @@ -841,7 +850,8 @@ union bpf_attr { FN(msg_cork_bytes), \ FN(msg_pull_data), \ FN(bind), \ FN(xdp_adjust_tail), FN(xdp_adjust_tail), \ FN(skb_get_xfrm_state), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call Loading Loading 
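Review bot: The two lines added to `cleanup`, `ip x s flush` and `ip x p flush`, wipe the host's entire SAD and SPD rather than only the SAs and policies that `setup_xfrm_tunnel` created outside the namespace, so running the sample on a machine that carries real IPsec tunnels silently tears them down (the in-namespace entries presumably go away with at_ns0, which is handled outside this hunk). Deleting by identity is just as short and is bounded to what the test owns; the host-side entries are the four commands below. Separately, `test_xfrm_tunnel` creates `$output` with mktemp but never removes it, and its three `grep` checks are unanchored (`reqid 1` also matches `reqid 10`), so `grep -q "reqid 1 spi 0x1 remote ip 0xac100164$" $output` would pin the exact trace line. `cleanup` itself continues past the end of this hunk.
```shell
function cleanup {
	# … unchanged: set +ex, pkill iperf, link deletion …
	ip xfrm state delete src 172.16.1.100 dst 172.16.1.200 proto esp spi 0x1
	ip xfrm state delete src 172.16.1.200 dst 172.16.1.100 proto esp spi 0x2
	ip xfrm policy delete src 10.1.1.100/32 dst 10.1.1.200/32 dir in
	ip xfrm policy delete src 10.1.1.200/32 dst 10.1.1.100/32 dir out
	# … unchanged: pkill tcpdump, pkill cat, set -ex …
```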
@@ -946,6 +956,19 @@ struct bpf_tunnel_key { __u32 tunnel_label; }; /* user accessible mirror of in-kernel xfrm_state. * new fields can only be added to the end of this structure */ struct bpf_xfrm_state { __u32 reqid; __u32 spi; /* Stored in network byte order */ __u16 family; union { __u32 remote_ipv4; /* Stored in network byte order */ __u32 remote_ipv6[4]; /* Stored in network byte order */ }; }; /* Generic BPF return codes which all BPF program types may support. * The values are binary compatible with their TC_ACT_* counter-part to * provide backwards compatibility with existing SCHED_CLS and SCHED_ACT Loading tools/testing/selftests/bpf/bpf_helpers.h +3 −1 Original line number Diff line number Diff line Loading @@ -98,7 +98,9 @@ static int (*bpf_bind)(void *ctx, void *addr, int addr_len) = (void *) BPF_FUNC_bind; static int (*bpf_xdp_adjust_tail)(void *ctx, int offset) = (void *) BPF_FUNC_xdp_adjust_tail; static int (*bpf_skb_get_xfrm_state)(void *ctx, int index, void *state, int size, int flags) = (void *) BPF_FUNC_skb_get_xfrm_state; /* llvm builtin functions that eBPF C program may use to * emit BPF_LD_ABS and BPF_LD_IND instructions Loading Loading
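Review bot: The helper doc added in the first hunk of this file names the third parameter `xfrm_state` in the prototype line but documents it as `@key:`, so the comment should read `@xfrm_state: pointer to 'struct bpf_xfrm_state'`. The same comment says `@flags: room for future extensions` without stating what a program must pass today; the sample passes 0, so `@flags: reserved, must be 0` would document the contract that lets the kernel side reject anything else (the implementation is not in this diff, so confirm it does). In the `struct bpf_xfrm_state` hunk the union comments record byte order but not that `family` chooses the valid member, so `/* remote address; family selects which member is valid */` on the union would spare readers the inference. The struct also carries two bytes of implicit padding between `family` and the union, which is worth a comment in a uapi structure that may only grow by appending.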
samples/bpf/tcbpf2_kern.c +16 −0 Original line number Diff line number Diff line Loading @@ -593,4 +593,20 @@ int _ip6ip6_get_tunnel(struct __sk_buff *skb) return TC_ACT_OK; } SEC("xfrm_get_state") int _xfrm_get_state(struct __sk_buff *skb) { struct bpf_xfrm_state x; char fmt[] = "reqid %d spi 0x%x remote ip 0x%x\n"; int ret; ret = bpf_skb_get_xfrm_state(skb, 0, &x, sizeof(x), 0); if (ret < 0) return TC_ACT_OK; bpf_trace_printk(fmt, sizeof(fmt), x.reqid, bpf_ntohl(x.spi), bpf_ntohl(x.remote_ipv4)); return TC_ACT_OK; } char _license[] SEC("license") = "GPL";
samples/bpf/test_tunnel_bpf.sh +71 −0 Original line number Diff line number Diff line Loading 
@@ -155,6 +155,57 @@ function add_ipip_tunnel { ip addr add dev $DEV 10.1.1.200/24 } function setup_xfrm_tunnel { auth=0x$(printf '1%.0s' {1..40}) enc=0x$(printf '2%.0s' {1..32}) spi_in_to_out=0x1 spi_out_to_in=0x2 # in namespace # in -> out ip netns exec at_ns0 \ ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \ spi $spi_in_to_out reqid 1 mode tunnel \ auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc ip netns exec at_ns0 \ ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir out \ tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \ mode tunnel # out -> in ip netns exec at_ns0 \ ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \ spi $spi_out_to_in reqid 2 mode tunnel \ auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc ip netns exec at_ns0 \ ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir in \ tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \ mode tunnel # address & route ip netns exec at_ns0 \ ip addr add dev veth0 10.1.1.100/32 ip netns exec at_ns0 \ ip route add 10.1.1.200 dev veth0 via 172.16.1.200 \ src 10.1.1.100 # out of namespace # in -> out ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \ spi $spi_in_to_out reqid 1 mode tunnel \ auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir in \ tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \ mode tunnel # out -> in ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \ spi $spi_out_to_in reqid 2 mode tunnel \ auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir out \ tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \ mode tunnel # address & route ip addr add dev veth1 10.1.1.200/32 ip route add 10.1.1.100 dev veth1 via 172.16.1.100 src 10.1.1.200 } function attach_bpf { DEV=$1 SET_TUNNEL=$2 Loading Loading 
@@ -278,6 +329,22 @@ function test_ipip { cleanup } function test_xfrm_tunnel { config_device tcpdump -nei veth1 ip & output=$(mktemp) cat /sys/kernel/debug/tracing/trace_pipe | tee $output & setup_xfrm_tunnel tc qdisc add dev veth1 clsact tc filter add dev veth1 proto ip ingress bpf da obj tcbpf2_kern.o \ sec xfrm_get_state ip netns exec at_ns0 ping -c 1 10.1.1.200 grep "reqid 1" $output grep "spi 0x1" $output grep "remote ip 0xac100164" $output cleanup } function cleanup { set +ex pkill iperf Loading @@ -291,6 +358,8 @@ function cleanup { ip link del geneve11 ip link del erspan11 ip link del ip6erspan11 ip x s flush ip x p flush pkill tcpdump pkill cat set -ex Loading @@ -316,4 +385,6 @@ echo "Testing GENEVE tunnel..." test_geneve echo "Testing IPIP tunnel..." test_ipip echo "Testing IPSec tunnel..." test_xfrm_tunnel echo "*** PASS ***"
tools/include/uapi/linux/bpf.h +24 −1 Original line number Diff line number Diff line Loading @@ -774,6 +774,15 @@ union bpf_attr { * @xdp_md: pointer to xdp_md * @delta: A negative integer to be added to xdp_md.data_end * Return: 0 on success or negative on error * * int bpf_skb_get_xfrm_state(skb, index, xfrm_state, size, flags) * retrieve XFRM state * @skb: pointer to skb * @index: index of the xfrm state in the secpath * @key: pointer to 'struct bpf_xfrm_state' * @size: size of 'struct bpf_xfrm_state' * @flags: room for future extensions * Return: 0 on success or negative error */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ Loading Loading @@ -841,7 +850,8 @@ union bpf_attr { FN(msg_cork_bytes), \ FN(msg_pull_data), \ FN(bind), \ FN(xdp_adjust_tail), FN(xdp_adjust_tail), \ FN(skb_get_xfrm_state), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call Loading Loading @@ -946,6 +956,19 @@ struct bpf_tunnel_key { __u32 tunnel_label; }; /* user accessible mirror of in-kernel xfrm_state. * new fields can only be added to the end of this structure */ struct bpf_xfrm_state { __u32 reqid; __u32 spi; /* Stored in network byte order */ __u16 family; union { __u32 remote_ipv4; /* Stored in network byte order */ __u32 remote_ipv6[4]; /* Stored in network byte order */ }; }; /* Generic BPF return codes which all BPF program types may support. * The values are binary compatible with their TC_ACT_* counter-part to * provide backwards compatibility with existing SCHED_CLS and SCHED_ACT Loading
tools/testing/selftests/bpf/bpf_helpers.h +3 −1 Original line number Diff line number Diff line Loading @@ -98,7 +98,9 @@ static int (*bpf_bind)(void *ctx, void *addr, int addr_len) = (void *) BPF_FUNC_bind; static int (*bpf_xdp_adjust_tail)(void *ctx, int offset) = (void *) BPF_FUNC_xdp_adjust_tail; static int (*bpf_skb_get_xfrm_state)(void *ctx, int index, void *state, int size, int flags) = (void *) BPF_FUNC_skb_get_xfrm_state; /* llvm builtin functions that eBPF C program may use to * emit BPF_LD_ABS and BPF_LD_IND instructions Loading