[Swan-dev] pluto: tweak logging and ipsec traffic for HW offload

Andrew Cagney andrew.cagney at gmail.com
Thu Jan 18 04:16:42 EET 2024


On Wed, 17 Jan 2024 at 19:52, Paul Wouters <paul at vault.libreswan.fi> wrote:
>
> New commits:
> commit ec028da78d9cbcfd004d009a02fc82ecbe7a5a14
> Author: Paul Wouters <paul.wouters at aiven.io>
> Date:   Wed Jan 17 19:42:43 2024 -0500
>
>     pluto: tweak logging and ipsec traffic for HW offload
>
>     Don't log/whack:
>
>     "test" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '10.0.1.1'
>     "test" #2: kernel_xfrm_policy_add() adding offload via interface ens8191f0np0 for IPsec policy, type: Packet
>     "test" #2: kernel_xfrm_policy_add() adding offload via interface ens8191f0np0 for IPsec policy, type: Packet
>     "test" #2: initiator established Child SA using #1; IPsec transport [10.0.1.2/32===10.0.1.1/32] {ESP/ESN=>0xd58a3176 <0x13602000 xfrm=AES_GCM_16_128-NONE DPD=passive}
>
>     Instead:
>
>     "test" #5: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '10.0.1.1'
>     "test" #6: initiator established Child SA using #5; IPsec transport [10.0.1.2/32===10.0.1.1/32] {ESP/ESN=>0xe93b3bb9 <0xc212f708 xfrm=AES_GCM_16_128-NONE esp-hw-offload=packet DPD=passive}

Much better - keeping with one log line for establishing the child.  BTW,
  {ESP/ESN... esp-hw-offload=packet ...}
could be reduced further to:
  {ESP/ESN... nic-offload=packet ...}
so the field matches the config file name, or even:
  {ESP/ESN... offload=packet ...}
since "esp" and "hw" are redundant here

>     Also show this in trafficstatus:
>
>     Since the new output appears as part of the ESP string before the
>     existing comma, this shouldn't break people parsing this output.
>
>     We don't yet remember the crypto in a state variable, so unfortunately
>     this uses c->iface->nic_offload with c->config->nic_offload to determine
>     crypto state. This should really get moved to somewhere in struct state.

You mean h/w offload status?  It isn't negotiated, and no fallback is
allowed, hence c->config->nic_offload is always correct.
(yes, there's a rumor that Linux can silently fall back to software
when crypto, but pluto can't see that).
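As an added illustration (not code from libreswan or from anyone in this thread), here is a small parser for the "established Child SA" log line quoted above. It exists to check the claim that the new field sits inside the {...} ESP string and so does not disturb anything splitting on the existing comma or counting tokens: the field is picked up when present (the "after" line) and reported as absent on the "before" line. It assumes the field is a plain key=value token inside the braces; besides esp-hw-offload it also accepts the nic-offload and offload spellings suggested in this reply, which are proposals, not something pluto emits. The two sample lines are copied from the commit message quoted above; the regex and the summary dictionary layout are my own.

```python
import re

# Sample lines copied from the commit message quoted in this thread
# ("before" has no offload field, "after" carries esp-hw-offload=packet).
BEFORE = ('"test" #2: initiator established Child SA using #1; '
          'IPsec transport [10.0.1.2/32===10.0.1.1/32] '
          '{ESP/ESN=>0xd58a3176 <0x13602000 xfrm=AES_GCM_16_128-NONE DPD=passive}')
AFTER = ('"test" #6: initiator established Child SA using #5; '
         'IPsec transport [10.0.1.2/32===10.0.1.1/32] '
         '{ESP/ESN=>0xe93b3bb9 <0xc212f708 xfrm=AES_GCM_16_128-NONE '
         'esp-hw-offload=packet DPD=passive}')

# Shape of the line as shown in the thread; "tunnel" is assumed as the
# alternative to "transport" (assumption, only transport appears above).
CHILD_RE = re.compile(
    r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<role>initiator|responder) '
    r'established Child SA using #(?P<ike>\d+); '
    r'IPsec (?P<mode>transport|tunnel) '
    r'\[(?P<local>[^=\]]+)===(?P<remote>[^\]]+)\] '
    r'\{(?P<detail>[^}]*)\}$'
)

# Spellings of the offload token: the one in the commit plus the two
# shorter names proposed in this reply (assumption: same key=value form).
OFFLOAD_KEYS = ('esp-hw-offload', 'nic-offload', 'offload')


def parse_child_sa(line):
    """Parse one pluto 'established Child SA' line.

    Returns a dict, or None if the line is not a Child SA line (so the
    kernel_xfrm_policy_add lines from the old output simply fall through).
    """
    m = CHILD_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['sa'] = int(d['sa'])
    d['ike'] = int(d['ike'])
    tokens = d.pop('detail').split()

    # First token: protocol flags and outbound SPI, e.g. "ESP/ESN=>0xd58a3176".
    proto, _, spi_out = tokens[0].partition('=>')
    d['proto'] = proto.split('/')          # ['ESP', 'ESN']
    d['spi_out'] = spi_out
    # Second token: inbound SPI, e.g. "<0x13602000".
    d['spi_in'] = tokens[1].lstrip('<')

    # Remaining tokens are key=value pairs; order does not matter to us.
    kv = {}
    for tok in tokens[2:]:
        key, _, value = tok.partition('=')
        kv[key] = value

    # xfrm=ENC-INTEG; NONE means an AEAD cipher with no separate integrity.
    enc, _, integ = kv.get('xfrm', '').rpartition('-')
    d['enc'] = enc
    d['integ'] = integ
    d['dpd'] = kv.get('DPD')

    # Absent offload token: the SA is handled in software (assumption: pluto
    # only prints the token when offload is configured, as the commit implies).
    d['offload'] = next((kv[k] for k in OFFLOAD_KEYS if k in kv), 'none')
    return d


def offload_summary(lines):
    """Map (conn, child SA number) -> offload mode for every Child SA line."""
    out = {}
    for line in lines:
        p = parse_child_sa(line)
        if p is not None:
            out[(p['conn'], p['sa'])] = p['offload']
    return out
```

Feed it the whole log excerpt from the commit message and only the two Child SA lines come back, one reporting "none" and one "packet"; the kernel_xfrm_policy_add lines are ignored rather than mis-parsed, which is the practical reason the single-line form is easier to consume.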

