[Swan-dev] XFRM IP ref-counting testing PR

Antony Antony antony at phenome.org
Thu Jul 20 20:07:29 EEST 2023

Hi Brady,

See some feedback from testing your latest branch, from an hour ago.

On Thu, Jul 20, 2023 at 05:07:10PM +0200, Brady Johnson wrote:
> Hello,
> I submitted several patch sets to my XFRM IP ref-counting PR [0] in the past
> few days. I fixed the assert/segfault that Antony reported on the PR, plus
> several other fixes and improvements.
> I created a slide [1] explaining the manual testing I have performed.
> Can I get a code review of the PR, please?

> I tried running the ikev2-xfrmi-15-interface-ip test that Antony created,
> but it failed and there were lots and lots of differences.

A huge diff is expected, because there is no reference console output in that
test directory. I did not add east.console.txt and west.console.txt, so the
diff will be huge.

I just read the whole output until we are confident to commit reference
output :) I noticed one error when adding the connection in the test.

ipsec add west
003 ERROR: "west": ip_addr_xfrmi_store_ips() ifinfo_response NULL
002 "west": added IKEv2 connection

> But I still get failures when I run the basic tests like basic-pluto-01 on
> the main branch with Fedora-38, so maybe there are problems with the test
> suites???
> Here are the basic-pluto-01 errors I get on git main:

Add leftinterface-ip= in west.conf.

interface-ip= will be rightinterface-ip= and have no
effect on west. In basic-pluto-01 west is left.

Assuming the configuration is correct, I expect 3 hunks of differences to basic-pluto-01.

1. ipsec look and xfrm policy should have something like the following line:

+ if_id 0x1

2. xfrm state should also have the same if_id

+ if_id 0x1

3. route should point to ipsecX and not to via

- via dev eth1
+ dev ipsec1 proto kernel scope link src
+ dev ipsec1 scope link

" via dev eth1" should probably be manually deleted;
check the first line of westinit.sh, where I delete that route.

> $ more west.console.diff
> --- west.console.txt 2023-07-20 14:40:01.926847087 +0000
> +++ OUTPUT/west.console.txt 2023-07-20 14:51:24.049038460 +0000
> @@ -209,8 +209,8 @@
>  iptables filter TABLE
>  Chain INPUT (policy ACCEPT)
>  target     prot opt source               destination
> -ACCEPT     all  --              policy match
> dir in pol ipsec
> -DROP       all  --
> +ACCEPT     0    --              policy match
> dir in pol ipsec
> +DROP       0    --
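
Review bot: The `-`/`+` pairs in this hunk differ only in the prot column of the ACCEPT and DROP rules (`all` in west.console.txt, `0` in OUTPUT/west.console.txt); the targets and the `policy match dir in pol ipsec` text are identical on both sides. Suggest normalising that column before the comparison so this formatting difference does not show up as a test failure alongside real ones.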

The above diff appears due to the difference between KVM and namespace and not
actually working xfrmi and leftinterface-ip. Reference is output from KVM.
