selftests/bpf: Test that dst is cleared on same-protocol encap

Verify that bpf_skb_adjust_room() clears the routing dst even when
the encap L3 protocol matches the original packet (e.g. IPIP).
The dst selected for the inner packet is not valid for the
encapsulated result; a stale dst could lead to misrouting.

Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://patch.msgid.link/20260329180428.2657785-2-kuba@kernel.org

diff --git a/tools/testing/selftests/bpf/prog_tests/test_dst_clear.c b/tools/testing/selftests/bpf/prog_tests/test_dst_clear.c
new file mode 100644 (file)
index 0000000..7c35ca6
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/test_dst_clear.c
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2026 Meta Platforms, Inc. and affiliates. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+
+#include "test_progs.h"
+#include "network_helpers.h"
+#include "test_dst_clear.skel.h"
+
+#define IPV4_IFACE_ADDR "1.0.0.1"
+#define UDP_TEST_PORT 7777
+
+void test_ns_dst_clear(void)
+{
+       LIBBPF_OPTS(bpf_tcx_opts, tcx_opts);
+       struct test_dst_clear *skel;
+       struct sockaddr_in addr;
+       struct bpf_link *link;
+       socklen_t addrlen;
+       char buf[128] = {};
+       int sockfd, err;
+
+       skel = test_dst_clear__open_and_load();
+       if (!ASSERT_OK_PTR(skel, "skel open_and_load"))
+               return;
+
+       SYS(fail, "ip addr add %s/8 dev lo", IPV4_IFACE_ADDR);
+
+       link = bpf_program__attach_tcx(skel->progs.dst_clear,
+                                      if_nametoindex("lo"), &tcx_opts);
+       if (!ASSERT_OK_PTR(link, "attach_tcx"))
+               goto fail;
+       skel->links.dst_clear = link;
+
+       addrlen = sizeof(addr);
+       err = make_sockaddr(AF_INET, IPV4_IFACE_ADDR, UDP_TEST_PORT,
+                           (void *)&addr, &addrlen);
+       if (!ASSERT_OK(err, "make_sockaddr"))
+               goto fail;
+       sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+       if (!ASSERT_NEQ(sockfd, -1, "socket"))
+               goto fail;
+       err = sendto(sockfd, buf, sizeof(buf), 0, (void *)&addr, addrlen);
+       close(sockfd);
+       if (!ASSERT_EQ(err, sizeof(buf), "send"))
+               goto fail;
+
+       ASSERT_TRUE(skel->bss->had_dst, "had_dst");
+       ASSERT_TRUE(skel->bss->dst_cleared, "dst_cleared");
+
+fail:
+       test_dst_clear__destroy(skel);
+}

diff --git a/tools/testing/selftests/bpf/progs/test_dst_clear.c b/tools/testing/selftests/bpf/progs/test_dst_clear.c
new file mode 100644 (file)
index 0000000..c22a6ee
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/test_dst_clear.c
@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2026 Meta Platforms, Inc. and affiliates. */
+
+#include "vmlinux.h"
+#include "bpf_tracing_net.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_endian.h>
+
+#define UDP_TEST_PORT 7777
+
+void *bpf_cast_to_kern_ctx(void *) __ksym;
+
+bool had_dst = false;
+bool dst_cleared = false;
+
+SEC("tc/egress")
+int dst_clear(struct __sk_buff *skb)
+{
+       struct sk_buff *kskb;
+       struct iphdr iph;
+       struct udphdr udph;
+       int err;
+
+       if (skb->protocol != __bpf_constant_htons(ETH_P_IP))
+               return TC_ACT_OK;
+
+       if (bpf_skb_load_bytes(skb, ETH_HLEN, &iph, sizeof(iph)))
+               return TC_ACT_OK;
+
+       if (iph.protocol != IPPROTO_UDP)
+               return TC_ACT_OK;
+
+       if (bpf_skb_load_bytes(skb, ETH_HLEN + sizeof(iph), &udph, sizeof(udph)))
+               return TC_ACT_OK;
+
+       if (udph.dest != __bpf_constant_htons(UDP_TEST_PORT))
+               return TC_ACT_OK;
+
+       kskb = bpf_cast_to_kern_ctx(skb);
+       had_dst = (kskb->_skb_refdst != 0);
+
+       /* Same-protocol encap (IPIP): protocol stays IPv4, but the dst
+        * from the original routing is no longer valid for the outer hdr.
+        */
+       err = bpf_skb_adjust_room(skb, (s32)sizeof(struct iphdr),
+                                 BPF_ADJ_ROOM_MAC,
+                                 BPF_F_ADJ_ROOM_FIXED_GSO |
+                                 BPF_F_ADJ_ROOM_ENCAP_L3_IPV4);
+       if (err)
+               return TC_ACT_SHOT;
+
+       dst_cleared = (kskb->_skb_refdst == 0);
+
+       return TC_ACT_SHOT;
+}
+
+char __license[] SEC("license") = "GPL";