[Swan-dev] XFRM IP ref-counting testing PR

Antony Antony antony at phenome.org
Thu Jul 20 20:07:29 EEST 2023


Hi Brady,

See some feedback from testing your latest branch, from an hour ago.

On Thu, Jul 20, 2023 at 05:07:10PM +0200, Brady Johnson wrote:
> Hello,
> 
> I submitted several patch sets to my XFRM IP ref-counting PR [0] in the past
> few days. I fixed the assert/segfault that Antony reported on the PR, plus
> several other fixes and improvements.
> 
> I created a slide [1] explaining the manual testing I have performed.
> 
> Can I get a code review of the PR, please?


> I tried running the ikev2-xfrmi-15-interface-ip test that Antony created,
> but it failed and there were lots and lots of differences.

A huge diff is expected, because there is no reference console output in that 
test directory. I did not add east.console.txt and west.console.txt, so the 
diff will be huge.

I just read the whole output until we are confident to commit reference 
output :) I noticed one error when adding the connection in the test.

ipsec add west
003 ERROR: "west": ip_addr_xfrmi_store_ips() ifinfo_response NULL
002 "west": added IKEv2 connection

> But I still get failures when I run the basic tests like basic-pluto-01 on
> the main branch with Fedora-38, so maybe there are problems with the test
> suites???
> 
> Here are the basic-pluto-01 errors I get on git main:

Add leftinterface-ip=192.0.1.251/24 in west.conf.

interface-ip=192.0.1.251/24 will be rightinterface-ip=192.0.1.251/24 and have no 
effect on west. In basic-pluto-01 west is left.

Assuming the configuration is correct, I expect 3 hunks of differences to basic-pluto-01.

1. ipsec look and xfrm policy should have something like the following line

+ if_id 0x1

2. xfrm state also should have the same if_id

+ if_id 0x1

3. route should point to ipsecX and not to via 192.1.2.23

- 192.0.2.0/24 via 192.1.2.23 dev eth1
+ 192.0.1.0/24 dev ipsec1 proto kernel scope link src 192.0.1.251
+ 192.0.2.0/24 dev ipsec1 scope link

"192.0.2.0/24 via 192.1.2.23 dev eth1" probably should be manually deleted;
check the first line of westinit.sh, where I delete that route.

> $ more west.console.diff
> --- west.console.txt 2023-07-20 14:40:01.926847087 +0000
> +++ OUTPUT/west.console.txt 2023-07-20 14:51:24.049038460 +0000
> @@ -209,8 +209,8 @@
>  iptables filter TABLE
>  Chain INPUT (policy ACCEPT)
>  target     prot opt source               destination
> -ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match
> dir in pol ipsec
> -DROP       all  --  192.0.2.0/24         0.0.0.0/0
> +ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            policy match
> dir in pol ipsec
> +DROP       0    --  192.0.2.0/24         0.0.0.0/0
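
Review bot: on the changed ACCEPT and DROP lines the only difference is the prot column (`all` in the reference, `0` in OUTPUT); source, destination and the `policy match dir in pol ipsec` text are unchanged, so this hunk is a rendering difference in the iptables listing rather than a change in the rules. Normalizing that column before comparing, or keeping a reference per test environment, would stop it from showing up as a failure.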

The above diff appears due to the difference between KVM and namespace and not 
actually working xfrmi and leftinterface-ip. The reference is output from KVM.
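
The three expected differences listed in the message above can be checked mechanically. The following is an added example, not part of the original message or of the libreswan test suite: the function names are hypothetical, the sample text is constructed, and it assumes each policy or state entry starts at an unindented "src " line.

```shell
#!/bin/sh
# Added example. The sample text is constructed, modelled on the lines
# quoted in the message; it is not output from a real test run.

# Succeeds when every block of "ip xfrm policy" or "ip xfrm state" text
# (a block starts at an unindented "src " line) carries "if_id <id>".
all_blocks_have_if_id() {
    printf '%s\n' "$1" | awk -v id="$2" '
        /^src / { if (seen && !ok) bad = 1; seen = 1; ok = 0 }
        { for (i = 1; i < NF; i++)
              if ($i == "if_id" && ($(i + 1) "") == (id "")) ok = 1 }
        END { if (!seen || !ok || bad) exit 1 }'
}

# Succeeds when each route to <net> goes out <dev> directly, with no "via"
# next hop, so a leftover pre-xfrmi route counts as a failure.
route_uses_xfrmi() {
    printf '%s\n' "$1" | awk -v net="$2" -v dev="$3" '
        $1 == net { found = 1
                    for (i = 2; i < NF; i++) {
                        if ($i == "via") bad = 1
                        if ($i == "dev" && $(i + 1) != dev) bad = 1 } }
        END { if (!found || bad) exit 1 }'
}

POLICY='src 192.0.1.0/24 dst 192.0.2.0/24
    dir out priority 1000 ptype main
    tmpl src 192.1.2.45 dst 192.1.2.23
        proto esp reqid 1 mode tunnel
    if_id 0x1'
POLICY_NO_IF_ID='src 192.0.1.0/24 dst 192.0.2.0/24
    dir out priority 1000 ptype main'
ROUTES_OK='192.0.1.0/24 dev ipsec1 proto kernel scope link src 192.0.1.251
192.0.2.0/24 dev ipsec1 scope link'
ROUTES_STALE="192.0.2.0/24 via 192.1.2.23 dev eth1
$ROUTES_OK"

all_blocks_have_if_id "$POLICY" 0x1 && echo "policy: if_id 0x1 present"
all_blocks_have_if_id "$POLICY_NO_IF_ID" 0x1 || echo "policy: if_id missing"
route_uses_xfrmi "$ROUTES_OK" 192.0.2.0/24 ipsec1 && echo "route: via ipsec1"
route_uses_xfrmi "$ROUTES_STALE" 192.0.2.0/24 ipsec1 || echo "route: stale eth1 route"
```

On a test host the same functions can be fed captured `ip xfrm policy`, `ip xfrm state` and `ip route` output in place of the constructed strings.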

