Add IPv6 filter tests to complement existing IPv4 tests

Copilot · tomastigera · Copilot · commit 88594e2805b5 · 2025-10-30T23:07:23.000Z
Co-authored-by: tomastigera &lt;49207409+tomastigera@users.noreply.github.com&gt;
diff --git a/felix/bpf/ut/filter_test.go b/felix/bpf/ut/filter_test.go
@@ -142,3 +142,118 @@ func TestFilter(t *testing.T) {
 		})
 	}
 }
+
+func TestFilterIPv6(t *testing.T) {
+	RegisterTestingT(t)
+
+	_, _, _, _, bytes, _ := testPacketV6(
+		&layers.Ethernet{
+			SrcMAC:       []byte{0, 0, 0, 0, 0, 1},
+			DstMAC:       []byte{0, 0, 0, 0, 0, 2},
+			EthernetType: layers.EthernetTypeIPv6,
+		},
+		&layers.IPv6{
+			Version:    6,
+			HopLimit:   64,
+			SrcIP:      net.IP([]byte{0x20, 0x1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}),
+			DstIP:      net.IP([]byte{0x20, 0x1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}),
+			NextHeader: layers.IPProtocolUDP,
+		},
+		&layers.UDP{
+			SrcPort: 1234,
+			DstPort: 666,
+		},
+		make([]byte, 36),
+	)
+
+	type testCase struct {
+		expression string
+		match      bool
+	}
+
+	tests := []testCase{
+		// L2
+		{"ip", false},
+		{"ip6", true},
+		{"ip6 and tcp", false},
+		// L2 + L3
+		{"", true},
+		{"udp", true},
+		{"host 2001::1 or host 2001::5", true},
+		{"host 2001::1 and host 2001::5", false},
+		{"src 2001::1 and dst 2001::2", true},
+		{"dst 2001::1 and src 2001::2", false},
+		{"(host 2001::1 or host 2001::5) and (udp port 666)", true},
+		{"(host 2001::1 or host 2001::5) and (udp port 1212)", false},
+		{"len >= 64", true},
+		{"len < 64", false},
+		{"len >= 500", false},
+		{"portrange 600-700", true},
+		{"tcp portrange 600-700", false},
+		{"portrange 700-800", false},
+	}
+
+	links := []struct {
+		level string
+		typ   layers.LinkType
+		data  []byte
+		tests []testCase
+	}{
+		{"L2", layers.LinkTypeEthernet, bytes, tests},
+		{"L3", layers.LinkTypeIPv6, bytes[14:], tests[3:]},
+	}
+
+	for _, link := range links {
+		for _, tc := range link.tests {
+			t.Run(link.level+"_"+tc.expression, func(t *testing.T) {
+
+				insns, err := filter.NewStandAlone(link.typ, 64, tc.expression)
+				Expect(err).NotTo(HaveOccurred())
+				fd, err := bpf.LoadBPFProgramFromInsns(insns, "filter", "Apache-2.0", unix.BPF_PROG_TYPE_SCHED_CLS)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(fd).NotTo(BeZero())
+				defer func() {
+					Expect(fd.Close()).NotTo(HaveOccurred())
+				}()
+
+				rc, err := bpf.RunBPFProgram(fd, link.data, 1)
+				Expect(err).NotTo(HaveOccurred())
+				erc := -1
+				if !tc.match {
+					erc = 2
+				}
+				Expect(rc.RC).To(BeNumerically("==", erc))
+			})
+		}
+	}
+
+	link := links[0]
+
+	for _, tc := range link.tests {
+		if tc.expression == "" {
+			continue
+		}
+
+		neg := "not ( " + tc.expression + " )"
+
+		t.Run(link.level+"_"+neg, func(t *testing.T) {
+
+			insns, err := filter.NewStandAlone(layers.LinkTypeEthernet, 64, neg)
+			Expect(err).NotTo(HaveOccurred())
+			fd, err := bpf.LoadBPFProgramFromInsns(insns, "filter", "Apache-2.0", unix.BPF_PROG_TYPE_SCHED_CLS)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(fd).NotTo(BeZero())
+			defer func() {
+				Expect(fd.Close()).NotTo(HaveOccurred())
+			}()
+
+			rc, err := bpf.RunBPFProgram(fd, link.data, 1)
+			Expect(err).NotTo(HaveOccurred())
+			erc := 2
+			if !tc.match {
+				erc = -1
+			}
+			Expect(rc.RC).To(BeNumerically("==", erc))
+		})
+	}
+}
