microsoft · Copilot · Jul 30, 2025 · Jul 30, 2025 · Jul 30, 2025
@@ -0,0 +1,74 @@
+# Test Implementation Summary
+
+## Files Added/Modified
+
+### Test Files Added:
+1. **`tests/sample/dual_stack_redirect_test.c`** - New eBPF sample program demonstrating dual stack redirect logic
+2. **`tests/connect_redirect/README_DUAL_STACK_TESTS.md`** - Documentation for running and understanding the tests
+
+### Test Files Modified:
+3. **`tests/connect_redirect/connect_redirect_tests.cpp`** - Added comprehensive end-to-end tests for dual stack redirect scenarios
+4. **`tests/netebpfext_unit/netebpfext_unit.cpp`** - Added unit tests for redirect handle behavior
+5. **`tests/sample/sample.vcxproj.filters`** - Added new sample program to build system
+
+## Test Coverage Summary
+
+### 1. End-to-End Tests (`connect_redirect_tests.cpp`)
+- **Function**: `dual_stack_redirected_by_self_test()`
+- **Test Cases**: 3 test cases covering TCP, UNCONNECTED_UDP, CONNECTED_UDP
+- **Scenario**: Full dual stack redirect workflow validation
+- **Key Validation**: Proxy connections recognized as REDIRECTED_BY_SELF
+
+### 2. Unit Tests (`netebpfext_unit.cpp`)
+- **Test**: `dual_stack_redirect_handle_per_filter_context` - Validates shared redirect handles
+- **Test**: `dual_stack_redirect_context_consistency` - Validates initialization order fix
+
+### 3. Sample eBPF Program (`dual_stack_redirect_test.c`)
+- Demonstrates dual stack redirect logic
+- Includes counters for tracking filter invocations
+- Provides isolated test environment for dual stack scenarios
+
+## How Tests Validate PR #2562 Fix
+
+### Problem Validated:
+1. **Dual Stack Socket Issue**: Tests create dual stack socket (AF_INET6) connecting to IPv4-mapped address
+2. **Filter Mismatch**: Validates v6 filter triggered for dual stack, v4 filter for proxy
+3. **Redirect State Detection**: Ensures proxy connection recognized as REDIRECTED_BY_SELF not REDIRECTED_BY_OTHER
+4. **Infinite Loop Prevention**: Verifies no continuous redirection occurs
+
+### Solution Validated:
+1. **Per-Filter-Context Handle**: Tests confirm redirect handles shared between v4/v6 filters for same eBPF program
+2. **Proper Cleanup**: Unit tests validate redirect handle cleanup on detach
+3. **Initialization Order**: Tests validate sock_addr_ctx initialized before WFP field access
+
+## Running the Tests
+
+### Prerequisites:
+- Windows build environment with WDK
+- eBPF for Windows components built
+- Network test infrastructure (TCP/UDP listeners)
+
+### Commands:
+```cmd
+# Build
+msbuild ebpf-for-windows.sln
+
+# Run dual stack specific tests
+connect_redirect_tests.exe --tags="[connect_authorize_redirect_tests_dual_stack_redirected_by_self]"
+
+# Run unit tests
+netebpfext_unit.exe --tags="[dual_stack_redirect]"
+```
+
+## Expected Results:
+- ✅ Dual stack sockets properly redirected through v6 filter
+- ✅ Proxy IPv4 connections not re-redirected (REDIRECTED_BY_SELF detection)
+- ✅ No infinite redirect loops
+- ✅ All protocol types (TCP, UDP) work correctly
+- ✅ Proper cleanup of redirect handles
+
+## Integration Notes:
+- Tests use existing test infrastructure and patterns
+- Minimal changes to existing codebase
+- Comprehensive coverage of the specific issue from PR #2562
+- Documentation provided for maintainability
@@ -0,0 +1,137 @@
+# Dual Stack Redirect Tests for PR #2562
+
+This document describes the automated tests added to validate the fix for dual stack socket redirection issue addressed in PR #2562.
+
+## Problem Description
+
+PR #2562 fixed an issue where dual stack sockets were not properly handling the `redirected_by_self` case. The problem occurred when:
+
+1. An original connection used a dual stack socket (AF_INET6) to connect to an IPv4-mapped address
+2. This triggered the v6 connect_redirect filter in WFP
+3. The connection was redirected to a proxy
+4. The proxy then created an IPv4 socket (AF_INET) to connect to the original destination
+5. This triggered the v4 connect_redirect filter
+6. Due to different filter IDs, `FwpsQueryConnectionRedirectState` returned `REDIRECTED_BY_OTHER` instead of `REDIRECTED_BY_SELF`
+7. This caused the proxy connection to be redirected again, creating an infinite loop
+
+## Solution
+
+The fix changed the redirect handle allocation from per-filter to per-filter_context (per eBPF program), ensuring that both v4 and v6 filters for the same eBPF program share the same redirect handle.
+
+## Test Coverage
+
+### 1. End-to-End Tests (`tests/connect_redirect/connect_redirect_tests.cpp`)
+
+#### Test Function: `dual_stack_redirected_by_self_test()`
+
+This comprehensive test validates the complete dual stack redirect scenario:
+
+**Test Steps:**
+1. Create a dual stack socket (AF_INET6 with dual stack enabled)
+2. Create an IPv4 proxy socket 
+3. Configure redirect policy to redirect VIP to local proxy
+4. Dual stack socket connects to VIP → triggers v6 filter → gets redirected to proxy
+5. Proxy IPv4 socket connects to original destination → triggers v4 filter → should be recognized as REDIRECTED_BY_SELF
+6. Verify no infinite redirection occurs
+
+**Test Cases:**
+- `dual_stack_redirected_by_self_vip_address_local_address_TCP`
+- `dual_stack_redirected_by_self_vip_address_local_address_UNCONNECTED_UDP`  
+- `dual_stack_redirected_by_self_vip_address_local_address_CONNECTED_UDP`
+
+### 2. Unit Tests (`tests/netebpfext_unit/netebpfext_unit.cpp`)
+
+#### Test: `dual_stack_redirect_handle_per_filter_context`
+
+Validates that IPv4 and IPv6 connect filters for the same eBPF program share the same redirect handle.
+
+#### Test: `dual_stack_redirect_context_consistency`
+
+Validates the initialization order fix where `sock_addr_ctx` is populated before WFP field access.
+
+### 3. Sample eBPF Program (`tests/sample/dual_stack_redirect_test.c`)
+
+A dedicated eBPF program that demonstrates dual stack redirect logic with:
+- Separate handling for IPv4 and IPv6 connections
+- Counters to track which filters are invoked
+- Policy map for controlling redirect behavior
+
+## Running the Tests
+
+### Prerequisites
+- Windows development environment with WDK
+- eBPF for Windows built and installed
+- Test infrastructure set up (TCP/UDP listeners on required ports)
+
+### Running End-to-End Tests
+
+```cmd
+# Build the solution
+msbuild ebpf-for-windows.sln /p:Configuration=Debug
+
+# Run connect redirect tests with dual stack tag
+connect_redirect_tests.exe --tags="[connect_authorize_redirect_tests_dual_stack_redirected_by_self]"
+```
+
+### Running Unit Tests
+
+```cmd
+# Run netebpfext unit tests with dual stack redirect tag
+netebpfext_unit.exe --tags="[dual_stack_redirect]"  
+```
+
+### Test Parameters
+
+The connect redirect tests require network configuration parameters:
+
+```cmd
+connect_redirect_tests.exe --virtual-ip-v4=192.168.1.100 --virtual-ip-v6=fe80::100 --local-ip-v4=192.168.1.50 --local-ip-v6=fe80::50 --remote-ip-v4=192.168.1.200 --remote-ip-v6=fe80::200 --destination-port=4444 --proxy-port=4443
+```
+
+## Expected Results
+
+### Successful Test Results
+
+1. **Dual Stack Connection**: Successfully redirected from VIP to proxy
+2. **Proxy Connection**: Successfully connects to original destination without redirection
+3. **No Infinite Loop**: Proxy connection is recognized as REDIRECTED_BY_SELF
+4. **Proper Response**: Client receives expected server response through proxy
+
+### Test Validation Points
+
+- ✅ Redirect handle is shared between v4 and v6 filters
+- ✅ `FwpsQueryConnectionRedirectState` returns `REDIRECTED_BY_SELF` for proxy connections
+- ✅ No infinite redirection loops occur
+- ✅ Redirect context is properly initialized before WFP field access
+- ✅ Both TCP and UDP protocols work correctly
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Test Infrastructure**: Ensure TCP/UDP listeners are running on specified ports
+2. **Network Configuration**: Verify IP addresses are reachable and properly configured
+3. **Permissions**: Tests may require administrator privileges for WFP operations
+4. **eBPF Program Loading**: Verify eBPF programs are properly loaded and attached
+
+### Debug Information
+
+The tests include extensive logging:
+- Connection attempt details
+- Redirect policy application
+- WFP filter invocations  
+- Expected vs actual responses
+
+### Log Analysis
+
+Look for these key log messages:
+- `"DUAL_STACK_REDIRECTED_BY_SELF: vip_address -> local_address"`
+- `"Found v6 proxy entry value"` (dual stack connection)
+- `"Found v4 proxy entry value"` (proxy connection, should not redirect)
+
+## Integration with CI/CD
+
+These tests should be included in the automated test suite to prevent regression of the dual stack redirect fix. They validate critical functionality for:
+- Load balancers using dual stack sockets
+- Proxy servers handling mixed IPv4/IPv6 traffic
+- Service mesh implementations with traffic redirection
@@ -740,6 +740,134 @@ DECLARE_CONNECTION_REDIRECTION_V6_TEST_GROUP(
 // Dual stack socket, IPv6, CONNECTED_UDP
 DECLARE_CONNECTION_REDIRECTION_V6_TEST_GROUP("dual_ipv6", socket_family_t::IPv6, true, connection_type_t::CONNECTED_UDP)
 
+//
+// Tests for redirected_by_self scenario with dual stack sockets
+// These tests validate the fix from PR #2562 where dual stack socket redirects
+// were not properly recognized as REDIRECTED_BY_SELF when the proxy used a different IP family
+//
+
+void
+dual_stack_redirected_by_self_test(ADDRESS_FAMILY family, connection_type_t connection_type, bool dual_stack, _In_ test_addresses_t& addresses)
+{
+    _initialize_test_globals();
+    _globals.family = family;
+    _globals.connection_type = connection_type;
+
+    const char* connection_type_string =
+        (_globals.connection_type == connection_type_t::TCP)
+            ? "TCP"
+            : ((_globals.connection_type == connection_type_t::UNCONNECTED_UDP) ? "UNCONNECTED_UDP"
+                                                                                : "CONNECTED_UDP");
+    const char* family_string = (_globals.family == AF_INET) ? "IPv4" : "IPv6";
+    const char* dual_stack_string = dual_stack ? "Dual Stack" : "No Dual Stack";
+    printf(
+        "DUAL_STACK_REDIRECTED_BY_SELF: vip_address -> local_address | %s | %s | %s\n", 
+        connection_type_string, 
+        family_string, 
+        dual_stack_string);
+
+    client_socket_t* dual_stack_sender_socket = nullptr;
+    client_socket_t* ipv4_proxy_socket = nullptr;
+
+    // Create dual stack client socket (this triggers the v6 connect filter)
+    get_client_socket(true, &dual_stack_sender_socket, addresses.local_address);
+
+    // Create IPv4 proxy socket (this should be recognized as REDIRECTED_BY_SELF, not REDIRECTED_BY_OTHER)
+    get_client_socket(false, &ipv4_proxy_socket, addresses.local_address);
+
+    // Test the dual stack redirect scenario from PR #2562:
+    // 1. Dual stack socket connects to IPv4-mapped destination (triggers v6 filter)
+    // 2. v6 filter redirects to proxy port (using shared redirect handle per filter context)
+    // 3. Proxy creates IPv4 socket to connect to original destination
+    // 4. v4 filter should recognize this as REDIRECTED_BY_SELF (same redirect handle)
+    // 5. Connection should proceed without infinite redirection loop
+
+    // Setup policy to redirect VIP to local proxy
+    _update_policy_map(
+        addresses.vip_address, 
+        addresses.local_address, 
+        _globals.destination_port, 
+        _globals.proxy_port, 
+        _globals.connection_type, 
+        dual_stack, 
+        true); // add policy
+
+    {
+        impersonation_helper_t helper(_globals.user_type);
+        uint64_t authentication_id = _get_current_thread_authentication_id();
+        SAFE_REQUIRE(authentication_id != 0);
+
+        // Step 1: Dual stack socket connects to VIP (triggers v6 filter, gets redirected)
+        dual_stack_sender_socket->send_message_to_remote_host(CLIENT_MESSAGE, addresses.vip_address, _globals.destination_port);
+        dual_stack_sender_socket->complete_async_send(1000, expected_result_t::SUCCESS);
+
+        dual_stack_sender_socket->post_async_receive();
+        dual_stack_sender_socket->complete_async_receive(2000, false);
+
+        uint32_t bytes_received = 0;
+        char* received_message = nullptr;
+        dual_stack_sender_socket->get_received_message(bytes_received, received_message);
+
+        // Verify the dual stack connection was redirected to proxy
+        std::string expected_response = REDIRECT_CONTEXT_MESSAGE + std::to_string(_globals.proxy_port);
+        SAFE_REQUIRE(strlen(received_message) == strlen(expected_response.c_str()));
+        SAFE_REQUIRE(memcmp(received_message, expected_response.c_str(), strlen(received_message)) == 0);
+    }
+
+    // Step 2: Simulate proxy making IPv4 connection to original destination
+    // This tests the core fix: redirect handle is shared between v4/v6 filters for same eBPF program
+    // so FwpsQueryConnectionRedirectState should return REDIRECTED_BY_SELF, not REDIRECTED_BY_OTHER
+    {
+        impersonation_helper_t helper(_globals.user_type);
+
+        // The proxy connects directly to the original destination (no redirection)
+        ipv4_proxy_socket->send_message_to_remote_host(CLIENT_MESSAGE, addresses.vip_address, _globals.destination_port);
+        ipv4_proxy_socket->complete_async_send(1000, expected_result_t::SUCCESS);
+
+        ipv4_proxy_socket->post_async_receive();
+        ipv4_proxy_socket->complete_async_receive(2000, false);
+
+        uint32_t bytes_received = 0;
+        char* received_message = nullptr;
+        ipv4_proxy_socket->get_received_message(bytes_received, received_message);
+
+        // Verify the proxy connection was NOT redirected (recognized as REDIRECTED_BY_SELF)
+        // It should get the direct server response, not the redirect context message
+        std::string expected_response = SERVER_MESSAGE + std::to_string(_globals.destination_port);
+        SAFE_REQUIRE(strlen(received_message) == strlen(expected_response.c_str()));
+        SAFE_REQUIRE(memcmp(received_message, expected_response.c_str(), strlen(received_message)) == 0);
+    }
+
+    // Remove policy from map
+    _update_policy_map(
+        addresses.vip_address, 
+        addresses.local_address, 
+        _globals.destination_port, 
+        _globals.proxy_port, 
+        _globals.connection_type, 
+        dual_stack, 
+        false); // remove policy
+
+    delete dual_stack_sender_socket;
+    delete ipv4_proxy_socket;
+}
+
+// Test cases for dual stack redirected_by_self scenario
+TEST_CASE("dual_stack_redirected_by_self_vip_address_local_address_TCP", "[connect_authorize_redirect_tests_dual_stack_redirected_by_self]")
+{
+    dual_stack_redirected_by_self_test(AF_INET, connection_type_t::TCP, true, _globals.addresses[socket_family_t::Dual]);
+}
+
+TEST_CASE("dual_stack_redirected_by_self_vip_address_local_address_UNCONNECTED_UDP", "[connect_authorize_redirect_tests_dual_stack_redirected_by_self]")
+{
+    dual_stack_redirected_by_self_test(AF_INET, connection_type_t::UNCONNECTED_UDP, true, _globals.addresses[socket_family_t::Dual]);
+}
+
+TEST_CASE("dual_stack_redirected_by_self_vip_address_local_address_CONNECTED_UDP", "[connect_authorize_redirect_tests_dual_stack_redirected_by_self]")
+{
+    dual_stack_redirected_by_self_test(AF_INET, connection_type_t::CONNECTED_UDP, true, _globals.addresses[socket_family_t::Dual]);
+}
+
 int
 main(int argc, char* argv[])
 {