eBPF unit test: add general tc ut

[sancppp]

What type of PR is this?

/kind enhancement

What this PR does / why we need it:

> make ebpf_unit_test V=1 -j
... build
go test ./bpftest -bpf-ut-path /root/github/kmesh/test/bpf_ut -test.v
go test ./bpftest -bpf-ut-path /root/github/kmesh/test/bpf_ut -test.v
=== RUN   TestBPF
=== RUN   TestBPF/Workload
=== RUN   TestBPF/Workload/XDP
=== RUN   TestBPF/Workload/XDP/xdp_shutdown_in_userspace_test.o
=== RUN   TestBPF/Workload/XDP/xdp_shutdown_in_userspace_test.o/1_shutdown_in_userspace__should_shutdown
    bpf_test.go:113: Running test /root/github/kmesh/test/bpf_ut/xdp_shutdown_in_userspace_test.o
    bpf_test.go:264: Successfully registered tail call policies_check -> km_xdp_tailcall[0]
    bpf_test.go:264: Successfully registered tail call policy_check -> km_xdp_tailcall[1]
    bpf_test.go:264: Successfully registered tail call xdp_shutdown_in_userspace -> km_xdp_tailcall[2]
time="2025-05-06T14:46:29+08:00" level=info msg="[XDP] INFO: auth denied, src ip: 10.0.0.15, port: 23445\n" subsys=ebpf
=== RUN   TestBPF/Workload/XDP/xdp_shutdown_in_userspace_test.o/2_shutdown_in_userspace__should_not_shutdown
    bpf_test.go:113: Running test /root/github/kmesh/test/bpf_ut/xdp_shutdown_in_userspace_test.o
    bpf_test.go:264: Successfully registered tail call policies_check -> km_xdp_tailcall[0]
    bpf_test.go:264: Successfully registered tail call policy_check -> km_xdp_tailcall[1]
    bpf_test.go:264: Successfully registered tail call xdp_shutdown_in_userspace -> km_xdp_tailcall[2]
=== RUN   TestBPF/Workload/XDP/xdp_authz_offload_test.o
=== RUN   TestBPF/Workload/XDP/xdp_authz_offload_test.o/3_deny_policy_matched
    bpf_test.go:113: Running test /root/github/kmesh/test/bpf_ut/xdp_authz_offload_test.o
    bpf_test.go:264: Successfully registered tail call policies_check -> km_xdp_tailcall[0]
    bpf_test.go:264: Successfully registered tail call policy_check -> km_xdp_tailcall[1]
    bpf_test.go:264: Successfully registered tail call xdp_shutdown_in_userspace -> km_xdp_tailcall[2]
time="2025-05-06T14:46:30+08:00" level=info msg="[AUTH] DEBUG: policy bpfut_deny__10.0.0.15->10.1.0.15:80 matched" subsys=ebpf
time="2025-05-06T14:46:30+08:00" level=info msg="[AUTH] DEBUG: src ip: 10.0.0.15, src port:23445" subsys=ebpf
time="2025-05-06T14:46:30+08:00" level=info msg="[AUTH] DEBUG: dst ip: 10.1.0.15, dst port:80\n" subsys=ebpf
=== RUN   TestBPF/Workload/XDP/xdp_authz_offload_test.o/4_allow_policy_matched
    bpf_test.go:113: Running test /root/github/kmesh/test/bpf_ut/xdp_authz_offload_test.o
    bpf_test.go:264: Successfully registered tail call policies_check -> km_xdp_tailcall[0]
    bpf_test.go:264: Successfully registered tail call policy_check -> km_xdp_tailcall[1]
    bpf_test.go:264: Successfully registered tail call xdp_shutdown_in_userspace -> km_xdp_tailcall[2]
time="2025-05-06T14:46:30+08:00" level=info msg="[AUTH] DEBUG: policy bpfut_allow__10.0.0.15->10.1.0.15:80 matched" subsys=ebpf
time="2025-05-06T14:46:30+08:00" level=info msg="[AUTH] DEBUG: src ip: 10.0.0.15, src port:23445" subsys=ebpf
time="2025-05-06T14:46:30+08:00" level=info msg="[AUTH] DEBUG: dst ip: 10.1.0.15, dst port:80\n" subsys=ebpf
=== RUN   TestBPF/Workload/SockOps
=== RUN   TestBPF/Workload/SockOps/workload_sockops_test.o
=== RUN   TestBPF/Workload/SockOps/workload_sockops_test.o/BPF_SOCK_OPS_TCP_CONNECT_CB__modify_kmesh_managed_ip
    workload_test.go:357: km_manage[192.168.0.86] = 0
=== RUN   TestBPF/Workload/SockOps/workload_sockops_test.o/BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB__enable_encoding_metadata
    workload_test.go:440: Connect success: 192.168.0.86:12345 -> 192.168.0.86:54321
    workload_test.go:465: km_socket get key[192.168.0.86:12345->192.168.0.86:54321], test success.
=== RUN   TestBPF/Workload/SockOps/workload_sockops_test.o/BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB__auth_ip_tuple
    workload_test.go:520: Connect success: 192.168.0.86:12345 -> 192.168.0.86:54321
    workload_test.go:551: Received km_auth_req ringbuf_msg: type=0, src=192.168.0.86:12345, dst=192.168.0.86:54321
=== RUN   TestBPF/Workload/SockOps/workload_sockops_test.o/BPF_SOCK_OPS_STATE_CB__clean_auth_map
    workload_test.go:632: Connect success: 192.168.0.86:12345 -> 192.168.0.86:54321
    workload_test.go:648: km_auth_res map entry was successfully cleaned up
=== RUN   TestBPF/GeneralTC
=== RUN   TestBPF/GeneralTC/tc_mark_encrypt_test.o
=== RUN   TestBPF/GeneralTC/tc_mark_encrypt_test.o/tc_mark_encrypt
    bpf_test.go:113: Running test /root/github/kmesh/test/bpf_ut/tc_mark_encrypt_test.o
=== RUN   TestBPF/GeneralTC/tc_mark_decrypt_test.o
=== RUN   TestBPF/GeneralTC/tc_mark_decrypt_test.o/tc_mark_decrypt
    bpf_test.go:113: Running test /root/github/kmesh/test/bpf_ut/tc_mark_decrypt_test.o
time="2025-05-06T14:46:43+08:00" level=error msg="ringbuf new reader from rb map failed:add fd to epoll: bad file descriptor" subsys=ebpf
--- PASS: TestBPF (14.50s)
    --- PASS: TestBPF/Workload (14.50s)
        --- PASS: TestBPF/Workload/XDP (1.25s)
            --- PASS: TestBPF/Workload/XDP/xdp_shutdown_in_userspace_test.o (0.59s)
                --- PASS: TestBPF/Workload/XDP/xdp_shutdown_in_userspace_test.o/1_shutdown_in_userspace__should_shutdown (0.29s)
                --- PASS: TestBPF/Workload/XDP/xdp_shutdown_in_userspace_test.o/2_shutdown_in_userspace__should_not_shutdown (0.30s)
            --- PASS: TestBPF/Workload/XDP/xdp_authz_offload_test.o (0.66s)
                --- PASS: TestBPF/Workload/XDP/xdp_authz_offload_test.o/3_deny_policy_matched (0.34s)
                --- PASS: TestBPF/Workload/XDP/xdp_authz_offload_test.o/4_allow_policy_matched (0.32s)
        --- PASS: TestBPF/Workload/SockOps (13.25s)
            --- PASS: TestBPF/Workload/SockOps/workload_sockops_test.o (13.25s)
                --- PASS: TestBPF/Workload/SockOps/workload_sockops_test.o/BPF_SOCK_OPS_TCP_CONNECT_CB__modify_kmesh_managed_ip (4.03s)
                --- PASS: TestBPF/Workload/SockOps/workload_sockops_test.o/BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB__enable_encoding_metadata (3.07s)
                --- PASS: TestBPF/Workload/SockOps/workload_sockops_test.o/BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB__auth_ip_tuple (3.07s)
                --- PASS: TestBPF/Workload/SockOps/workload_sockops_test.o/BPF_SOCK_OPS_STATE_CB__clean_auth_map (3.08s)
    --- PASS: TestBPF/GeneralTC (0.00s)
        --- PASS: TestBPF/GeneralTC/tc_mark_encrypt_test.o (0.00s)
            --- PASS: TestBPF/GeneralTC/tc_mark_encrypt_test.o/tc_mark_encrypt (0.00s)
        --- PASS: TestBPF/GeneralTC/tc_mark_decrypt_test.o (0.00s)
            --- PASS: TestBPF/GeneralTC/tc_mark_decrypt_test.o/tc_mark_decrypt (0.00s)
PASS
ok      kmesh.net/kmesh/test/bpf_ut/bpftest     14.547s
make[1]: Leaving directory '/root/github/kmesh/test/bpf_ut'

Which issue(s) this PR fixes:
Fixes #1209

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

[Copilot]

Pull Request Overview

This PR enhances the eBPF unit tests by adding general TC tests for marking encryption and decryption. The key changes include adding new test files for tc_mark_encrypt and tc_mark_decrypt, updating the encryption mark value and comment for consistency, and extending the test harness in Go to run the new general TC tests.

Reviewed Changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
test/bpf_ut/tc_mark_encrypt_test.c	Adds unit tests for tc_mark_encrypt with updated expected mark value
test/bpf_ut/tc_mark_decrypt_test.c	Adds unit tests for tc_mark_decrypt
test/bpf_ut/include/tc_common.h	Introduces packet building and checking macros for TC unit tests
test/bpf_ut/bpftest/general_test.go	Adds a new general TC test runner in Go
test/bpf_ut/bpftest/bpf_test.go	Integrates the new GeneralTC test group into the test suite
bpf/kmesh/general/tc_mark_encrypt.c	Updates the encryption mark value and comment to 0x00e0 for clarity

Files not reviewed (1)

• test/bpf_ut/Makefile: Language not supported

Comments suppressed due to low confidence (2)

test/bpf_ut/include/tc_common.h:44

• The default IP header in the build_tc_packet macro uses a hard-coded destination IP (0x0100000A) that is inconsistent with the test constants (e.g. DEST_IP defined as 0x0F00010A). Consider updating the default value to match or clearly document its intended purpose if it is not expected to be used.

.daddr = bpf_htons(0x0100000A)  /* 10.0.0.1 - assuming DEST_IP */

bpf/kmesh/general/tc_mark_encrypt.c:20

• Since this file is being included directly in test files, defining tc_mark_encrypt as a non-static function might lead to multiple definition issues during linking. Consider declaring it as 'static inline' to ensure proper scoping within each test compilation unit.

int tc_mark_encrypt(struct __sk_buff *ctx)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 46.16%. Comparing base (72c7022) to head (8bcb39d).
Report is 21 commits behind head on main.

see 1 file with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 09e9e8f...8bcb39d. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[YaoZengzeng]

/retest

[hzxuzhonghu]

/lgtm

[kmesh-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hzxuzhonghu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [hzxuzhonghu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment