[Swan-dev] pluto: tweak logging and ipsec traffic for HW offload
Andrew Cagney
andrew.cagney at gmail.com
Thu Jan 18 04:16:42 EET 2024
On Wed, 17 Jan 2024 at 19:52, Paul Wouters <paul at vault.libreswan.fi> wrote:
>
> New commits:
> commit ec028da78d9cbcfd004d009a02fc82ecbe7a5a14
> Author: Paul Wouters <paul.wouters at aiven.io>
> Date: Wed Jan 17 19:42:43 2024 -0500
>
> pluto: tweak logging and ipsec traffic for HW offload
>
> Don't log/whack:
>
> "test" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '10.0.1.1'
> "test" #2: kernel_xfrm_policy_add() adding offload via interface ens8191f0np0 for IPsec policy, type: Packet
> "test" #2: kernel_xfrm_policy_add() adding offload via interface ens8191f0np0 for IPsec policy, type: Packet
> "test" #2: initiator established Child SA using #1; IPsec transport [10.0.1.2/32===10.0.1.1/32] {ESP/ESN=>0xd58a3176 <0x13602000 xfrm=AES_GCM_16_128-NONE DPD=passive}
>
> Instead:
>
> "test" #5: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '10.0.1.1'
> "test" #6: initiator established Child SA using #5; IPsec transport [10.0.1.2/32===10.0.1.1/32] {ESP/ESN=>0xe93b3bb9 <0xc212f708 xfrm=AES_GCM_16_128-NONE esp-hw-offload=packet DPD=passive}
Much better - keeping with one log line for establishing the child. BTW,
{ESP/ESN... esp-hw-offload=packet ...}
could be reduced further to:
{ESP/ESN... nic-offload=packet ...}
so the field matches the config file name, or even:
{ESP/ESN... offload=packet ...}
since "esp" and "hw" are redundant here
> Also show this in trafficstatus:
>
> Since the new output appears as part of the ESP string before the
> existing comma, this shouldn't break people parsing this output.
>
> We don't yet remember the crypto in a state variable, so unfortunately
> this uses c->iface->nic_offload with c->config->nic_offload to determine
> crypto state. This should really get moved to somewhere in struct state.
You mean h/w offload status? It isn't negotiated, and no fallback is
allowed, hence c->config->nic_offload is always correct.
(yes, there's a rumor that Linux can silently fall back to software
when crypto, but pluto can't see that).
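As an added example (not part of this thread or of libreswan's own code), a small Python parser for the "established Child SA" line in both the before and after forms quoted above: the new esp-hw-offload field inside the braces is picked up as one more key=value token, while the older line still parses and simply reports no offload information. The sample lines are copied from the commit message; the function and key names are the example's own.

```python
import re

# Constructed samples copied from the quoted commit message: the first
# predates the change (no offload field), the second carries it.
SAMPLE_LINES = [
    '"test" #2: initiator established Child SA using #1; IPsec transport '
    '[10.0.1.2/32===10.0.1.1/32] {ESP/ESN=>0xd58a3176 <0x13602000 '
    'xfrm=AES_GCM_16_128-NONE DPD=passive}',
    '"test" #6: initiator established Child SA using #5; IPsec transport '
    '[10.0.1.2/32===10.0.1.1/32] {ESP/ESN=>0xe93b3bb9 <0xc212f708 '
    'xfrm=AES_GCM_16_128-NONE esp-hw-offload=packet DPD=passive}',
]

CHILD_SA_RE = re.compile(
    r'^"(?P<conn>[^"]+)" #(?P<child>\d+): (?P<role>initiator|responder) '
    r'established Child SA using #(?P<ike>\d+); IPsec (?P<mode>\w+) '
    r'\[(?P<local>[^\]=]+)===(?P<remote>[^\]]+)\] \{(?P<esp>[^}]*)\}$'
)
# First brace token: proto[/flags]=>outbound SPI, e.g. ESP/ESN=>0xd58a3176
SPI_RE = re.compile(r'^(?P<proto>ESP|AH)(?:/(?P<flags>[^=]+))?=>(?P<out>0x[0-9a-f]+)$')


def parse_child_sa(line):
    """Return a dict for an 'established Child SA' line, or None for any
    other log line. The brace string is split on whitespace: token 0 is
    proto[/flags]=>outbound-SPI, token 1 is <inbound-SPI, the rest are
    key=value fields kept verbatim, so an added field such as
    esp-hw-offload does not break parsing."""
    m = CHILD_SA_RE.match(line)
    if not m:
        return None
    info = {k: v for k, v in m.groupdict().items() if k != "esp"}
    tokens = m.group("esp").split()
    spi = SPI_RE.match(tokens[0]) if tokens else None
    if not spi or len(tokens) < 2 or not tokens[1].startswith("<"):
        return None
    info["proto"] = spi.group("proto")
    info["flags"] = spi.group("flags") or ""
    info["spi_out"] = spi.group("out")
    info["spi_in"] = tokens[1][1:]
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")
        info[key] = value
    return info


def offload_status(info):
    """Offload mode logged for the SA ('packet' in the quoted line), or
    None when the line predates the change and so says nothing."""
    return info.get("esp-hw-offload")


def audit(lines):
    """Summarise (conn, child SA number, offload mode) for a log."""
    return [(i["conn"], int(i["child"]), offload_status(i))
            for i in map(parse_child_sa, lines) if i]
```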