[PATCH net-next 0/2] fixes for ipsec selftests

[PATCH net-next 0/2] fixes for ipsec selftests

[Shannon Nelson]

A couple of bad behaviors in the ipsec selftest were pointed out
by Anders Roxell <anders.roxell@linaro.org> and are addressed here.

Shannon Nelson (2):
  selftests: rtnetlink: hide complaint from terminated monitor
  selftests: rtnetlink: use a local IP address for IPsec tests

 tools/testing/selftests/net/rtnetlink.sh | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

-- 
2.7.4

[PATCH net-next 1/2] selftests: rtnetlink: hide complaint from terminated monitor

[Shannon Nelson]

Set up the "ip xfrm monitor" subprogram so as to not see
a "Terminated" message when the subprogram is killed.

Fixes: 5e596ee171ba ("selftests: add xfrm state-policy-monitor to rtnetlink.sh")
Reported-by: Anders Roxell <anders.roxell@linaro.org>
Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
---
 tools/testing/selftests/net/rtnetlink.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
index 760faef..0a2bc6e 100755
--- a/tools/testing/selftests/net/rtnetlink.sh
+++ b/tools/testing/selftests/net/rtnetlink.sh
@@ -532,8 +532,7 @@ kci_test_ipsec()
 
 	# start the monitor in the background
 	tmpfile=`mktemp ipsectestXXX`
-	ip x m > $tmpfile &
-	mpid=$!
+	mpid=`(ip x m > $tmpfile & echo $!) 2>/dev/null`
 	sleep 0.2
 
 	ipsecid="proto esp src $srcip dst $dstip spi 0x07"
-- 
2.7.4

[PATCH net-next 2/2] selftests: rtnetlink: use a local IP address for IPsec tests

[Shannon Nelson]

Find an IP address on this machine to use as a source IP, and
make up a destination IP address based on the source IP.  No
actual messages will be sent, just a couple of IPsec rules are
created and deleted.

Fixes: 5e596ee171ba ("selftests: add xfrm state-policy-monitor to rtnetlink.sh")
Reported-by: Anders Roxell <anders.roxell@linaro.org>
Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
---
 tools/testing/selftests/net/rtnetlink.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
index 0a2bc6e..b33a371 100755
--- a/tools/testing/selftests/net/rtnetlink.sh
+++ b/tools/testing/selftests/net/rtnetlink.sh
@@ -522,8 +522,12 @@ kci_test_macsec()
 #-------------------------------------------------------------------
 kci_test_ipsec()
 {
-	srcip="14.0.0.52"
-	dstip="14.0.0.70"
+	# find an ip address on this machine and make up a destination
+	srcip=`ip -o addr | awk '/inet / { print $4; }' | grep -v "^127" | head -1 | cut -f1 -d/`
+	net=`echo $srcip | cut -f1-3 -d.`
+	base=`echo $srcip | cut -f4 -d.`
+	dstip="$net."`expr $base + 1`
+
 	algo="aead rfc4106(gcm(aes)) 0x3132333435363738393031323334353664636261 128"
 
 	# flush to be sure there's nothing configured
-- 
2.7.4

Re: [PATCH net-next 0/2] fixes for ipsec selftests

[Anders Roxell]

On Wed, 20 Jun 2018 at 07:42, Shannon Nelson <shannon.nelson@oracle.com> wrote:
>
> A couple of bad behaviors in the ipsec selftest were pointed out
> by Anders Roxell <anders.roxell@linaro.org> and are addressed here.
>
> Shannon Nelson (2):
>   selftests: rtnetlink: hide complaint from terminated monitor
>   selftests: rtnetlink: use a local IP address for IPsec tests
>
>  tools/testing/selftests/net/rtnetlink.sh | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
>
> --
> 2.7.4
>

Hi Shannon,

With this patches applied and my config patch.

I still get this error when I run the ipsec test:

FAIL: can't add fou port 7777, skipping test
RTNETLINK answers: Operation not supported
FAIL: can't add macsec interface, skipping test
RTNETLINK answers: Protocol not supported
RTNETLINK answers: No such process
RTNETLINK answers: No such process
FAIL: ipsec

Can you please cc the kselftest list when sending patches to
tools/testing/selftests/ ?

Cheers,
Anders

Re: [PATCH net-next 0/2] fixes for ipsec selftests

[Shannon Nelson]

On 6/20/2018 12:09 PM, Anders Roxell wrote:
> On Wed, 20 Jun 2018 at 07:42, Shannon Nelson <shannon.nelson@oracle.com> wrote:
>>
>> A couple of bad behaviors in the ipsec selftest were pointed out
>> by Anders Roxell <anders.roxell@linaro.org> and are addressed here.
>>
>> Shannon Nelson (2):
>>    selftests: rtnetlink: hide complaint from terminated monitor
>>    selftests: rtnetlink: use a local IP address for IPsec tests
>>
>>   tools/testing/selftests/net/rtnetlink.sh | 11 +++++++----
>>   1 file changed, 7 insertions(+), 4 deletions(-)
>>
>> --
>> 2.7.4
>>
> 
> Hi Shannon,
> 
> With this patches applied and my config patch.
> 
> I still get this error when I run the ipsec test:
> 
> FAIL: can't add fou port 7777, skipping test
> RTNETLINK answers: Operation not supported
> FAIL: can't add macsec interface, skipping test
> RTNETLINK answers: Protocol not supported
> RTNETLINK answers: No such process
> RTNETLINK answers: No such process
> FAIL: ipsec

One of the odd things I noticed about this script is that there really 
aren't any diagnosis messages, just PASS or FAIL.  I followed this 
custom when I added the ipsec tests, but I think this is something that 
should change so we can get some idea of what breaks.

I'm curious about the "RTNETLINK answers" messages and where they might 
be coming from, especially "RTNETLINK answers: Protocol not supported". 
What version of iproute2 are you using?  Is it older than iproute2-ss130716?

What distro and kernel are you running?

What are the XFRM and AES settings in your kernel config - what is the 
output from
	egrep -i "xfrm|_aes" .config

I did also notice that the ipsec test should set ret=0 at its start. 
Can you either add this or comment out all the other tests in 
kci_test_rtnl() so that only the kci_test_ipsec is run and send me the 
output?

Thanks,
sln


> 
> Can you please cc the kselftest list when sending patches to
> tools/testing/selftests/ ?
> 
> Cheers,
> Anders
> 

Re: [PATCH net-next 0/2] fixes for ipsec selftests

[Anders Roxell]

On Thu, 21 Jun 2018 at 00:26, Shannon Nelson <shannon.nelson@oracle.com> wrote:
>
> On 6/20/2018 12:09 PM, Anders Roxell wrote:
> > On Wed, 20 Jun 2018 at 07:42, Shannon Nelson <shannon.nelson@oracle.com> wrote:
> >>
> >> A couple of bad behaviors in the ipsec selftest were pointed out
> >> by Anders Roxell <anders.roxell@linaro.org> and are addressed here.
> >>
> >> Shannon Nelson (2):
> >>    selftests: rtnetlink: hide complaint from terminated monitor
> >>    selftests: rtnetlink: use a local IP address for IPsec tests
> >>
> >>   tools/testing/selftests/net/rtnetlink.sh | 11 +++++++----
> >>   1 file changed, 7 insertions(+), 4 deletions(-)
> >>
> >> --
> >> 2.7.4
> >>
> >
> > Hi Shannon,
> >
> > With this patches applied and my config patch.
> >
> > I still get this error when I run the ipsec test:
> >
> > FAIL: can't add fou port 7777, skipping test
> > RTNETLINK answers: Operation not supported
> > FAIL: can't add macsec interface, skipping test
> > RTNETLINK answers: Protocol not supported
> > RTNETLINK answers: No such process
> > RTNETLINK answers: No such process
> > FAIL: ipsec
>
> One of the odd things I noticed about this script is that there really
> aren't any diagnosis messages, just PASS or FAIL.  I followed this
> custom when I added the ipsec tests, but I think this is something that
> should change so we can get some idea of what breaks.
>
> I'm curious about the "RTNETLINK answers" messages and where they might
> be coming from, especially "RTNETLINK answers: Protocol not supported".

I added: "set -x" in the beginning of the rtnetlink.sh script.
+ ip x s add proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07 mode
transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))'
0x3132333435
363738393031323334353664636261 128 sel src 10.66.17.140/24 dst 10.66.17.141/24
RTNETLINK answers: Protocol not supported

> What version of iproute2 are you using?  Is it older than iproute2-ss130716?

I use iproute2 release 4.17.0.

>
> What distro and kernel are you running?

for this test linux-next tag: next-20180620 distro OE (morty)

>
> What are the XFRM and AES settings in your kernel config - what is the
> output from
>         egrep -i "xfrm|_aes" .config

CONFIG_XFRM=y
CONFIG_XFRM_ALGO=y
CONFIG_XFRM_USER=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_TRANSPORT=y
CONFIG_INET6_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_BEET=y
CONFIG_CRYPTO_AES=y

>
> I did also notice that the ipsec test should set ret=0 at its start.

did.

> Can you either add this or comment out all the other tests in
> kci_test_rtnl() so that only the kci_test_ipsec is run and send me the
> output?

done.

Same result as before... added "set -x" and this is the output:
+ devdummy=test-dummy0
+ ret=0
+ ksft_skip=4
++ id -u
+ '[' 0 -ne 0 ']'
+ for x in ip tc
+ ip -Version
+ '[' 0 -ne 0 ']'
+ for x in ip tc
+ tc -Version
+ '[' 0 -ne 0 ']'
+ kci_test_rtnl
+ kci_test_ipsec
+ ret=0
++ ip -o addr
++ awk '/inet / { print $4; }'
++ grep -v '^127'
++ head -1
++ cut -f1 -d/
+ srcip=10.66.17.140
++ echo 10.66.17.140
++ cut -f1-3 -d.
+ net=10.66.17
++ echo 10.66.17.140
++ cut -f4 -d.
+ base=140
++ expr 140 + 1
+ dstip=10.66.17.141
+ algo='aead rfc4106(gcm(aes)) 0x3132333435363738393031323334353664636261 128'
+ ip x s flush
+ ip x p flush
+ check_err 0
+ '[' 0 -eq 0 ']'
+ ret=0
++ mktemp ipsectestXXX
+ tmpfile=ipsectestHFP
+ mpid=3339
+ sleep 0.2
+ ipsecid='proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07'
+ ip x s add proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07 mode
transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))'
0x3132333435
363738393031323334353664636261 128 sel src 10.66.17.140/24 dst 10.66.17.141/24
RTNETLINK answers: Protocol not supported
+ check_err 2
+ '[' 0 -eq 0 ']'
+ ret=2
++ ip x s list
++ grep 10.66.17.140
++ grep 10.66.17.141
++ wc -l
+ lines=0
+ test 0 -eq 2
+ check_err 1
+ '[' 2 -eq 0 ']'
+ ip x s count
+ grep -q 'SAD count 1'
+ check_err 1
+ '[' 2 -eq 0 ']'
++ ip x s get proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07
++ grep 10.66.17.140
++ grep 10.66.17.141
++ wc -l
RTNETLINK answers: No such process
+ lines=0
+ test 0 -eq 2
+ check_err 1
+ '[' 2 -eq 0 ']'
+ ip x s delete proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07
RTNETLINK answers: No such process
+ check_err 2
+ '[' 2 -eq 0 ']'
++ ip x s list
++ wc -l
+ lines=0
+ test 0 -eq 0
+ check_err 0
+ '[' 2 -eq 0 ']'
+ ipsecsel='dir out src 10.66.17.140/24 dst 10.66.17.141/24'
+ ip x p add dir out src 10.66.17.140/24 dst 10.66.17.141/24 tmpl
proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07 mode transport
reqid 0x07
+ check_err 0
+ '[' 2 -eq 0 ']'
++ grep 10.66.17.140
++ grep 10.66.17.141
++ wc -l
++ ip x p list
+ lines=2
+ test 2 -eq 2
+ check_err 0
+ '[' 2 -eq 0 ']'
+ ip x p count
+ grep -q 'SPD IN  0 OUT 1 FWD 0'
+ check_err 0
+ '[' 2 -eq 0 ']'
++ ip x p get dir out src 10.66.17.140/24 dst 10.66.17.141/24
++ grep 10.66.17.140
++ grep 10.66.17.141
++ wc -l
+ lines=2
+ test 2 -eq 2
+ check_err 0
+ '[' 2 -eq 0 ']'
+ ip x p delete dir out src 10.66.17.140/24 dst 10.66.17.141/24
+ check_err 0
+ '[' 2 -eq 0 ']'
++ ip x p list
++ wc -l
+ lines=0
+ test 0 -eq 0
+ check_err 0
+ '[' 2 -eq 0 ']'
+ kill 3339
++ wc -l ipsectestHFP
++ cut '-d ' -f1
+ lines=8
+ test 8 -eq 20
+ check_err 1
+ '[' 2 -eq 0 ']'
+ rm -rf ipsectestHFP
+ ip x s flush
+ check_err 0
+ '[' 2 -eq 0 ']'
+ ip x p flush
+ check_err 0
+ '[' 2 -eq 0 ']'
+ '[' 2 -ne 0 ']'
+ echo 'FAIL: ipsec'
FAIL: ipsec
+ return 1
+ exit 2

Cheers,
Anders

Re: [PATCH net-next 0/2] fixes for ipsec selftests

[Shannon Nelson]

On 6/20/2018 4:18 PM, Anders Roxell wrote:
> On Thu, 21 Jun 2018 at 00:26, Shannon Nelson <shannon.nelson@oracle.com> wrote:
>>
>> On 6/20/2018 12:09 PM, Anders Roxell wrote:
>>> On Wed, 20 Jun 2018 at 07:42, Shannon Nelson <shannon.nelson@oracle.com> wrote:
>>>>
>>>> A couple of bad behaviors in the ipsec selftest were pointed out
>>>> by Anders Roxell <anders.roxell@linaro.org> and are addressed here.
>>>>
>>>> Shannon Nelson (2):
>>>>     selftests: rtnetlink: hide complaint from terminated monitor
>>>>     selftests: rtnetlink: use a local IP address for IPsec tests
>>>>
>>>>    tools/testing/selftests/net/rtnetlink.sh | 11 +++++++----
>>>>    1 file changed, 7 insertions(+), 4 deletions(-)
>>>>
>>>> --
>>>> 2.7.4
>>>>
>>>
>>> Hi Shannon,
>>>
>>> With this patches applied and my config patch.
>>>
>>> I still get this error when I run the ipsec test:
>>>
>>> FAIL: can't add fou port 7777, skipping test
>>> RTNETLINK answers: Operation not supported
>>> FAIL: can't add macsec interface, skipping test
>>> RTNETLINK answers: Protocol not supported
>>> RTNETLINK answers: No such process
>>> RTNETLINK answers: No such process
>>> FAIL: ipsec
>>
>> One of the odd things I noticed about this script is that there really
>> aren't any diagnosis messages, just PASS or FAIL.  I followed this
>> custom when I added the ipsec tests, but I think this is something that
>> should change so we can get some idea of what breaks.
>>
>> I'm curious about the "RTNETLINK answers" messages and where they might
>> be coming from, especially "RTNETLINK answers: Protocol not supported".
> 
> I added: "set -x" in the beginning of the rtnetlink.sh script.
> + ip x s add proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07 mode
> transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))'
> 0x3132333435
> 363738393031323334353664636261 128 sel src 10.66.17.140/24 dst 10.66.17.141/24
> RTNETLINK answers: Protocol not supported

Okay, so ip didn't like this command...

>> What are the XFRM and AES settings in your kernel config - what is the
>> output from
>>          egrep -i "xfrm|_aes" .config
> 
> CONFIG_XFRM=y
> CONFIG_XFRM_ALGO=y
> CONFIG_XFRM_USER=y
> CONFIG_INET_XFRM_MODE_TUNNEL=y
> CONFIG_INET6_XFRM_MODE_TRANSPORT=y
> CONFIG_INET6_XFRM_MODE_TUNNEL=y
> CONFIG_INET6_XFRM_MODE_BEET=y
> CONFIG_CRYPTO_AES=y

And this is probably why - there seem to be a few config variables 
missing, including CONFIG_INET_XFRM_MODE_TRANSPORT, which might be why 
the ip command fails above.

Here's what I have in my config:
CONFIG_XFRM=y
CONFIG_XFRM_OFFLOAD=y
CONFIG_XFRM_ALGO=m
CONFIG_XFRM_USER=m
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
CONFIG_XFRM_STATISTICS=y
CONFIG_XFRM_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_AES_TI is not set
CONFIG_CRYPTO_AES_X86_64=m
CONFIG_CRYPTO_AES_NI_INTEL=m
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m

Can I talk you into adding CONFIG_INET_XFRM_MODE_TRANSPORT to your 
config and trying again?

sln

Re: [PATCH net-next 0/2] fixes for ipsec selftests

[Anders Roxell]

On Thu, 21 Jun 2018 at 02:32, Shannon Nelson <shannon.nelson@oracle.com> wrote:
>
> On 6/20/2018 4:18 PM, Anders Roxell wrote:
> > On Thu, 21 Jun 2018 at 00:26, Shannon Nelson <shannon.nelson@oracle.com> wrote:
> >>
> >> On 6/20/2018 12:09 PM, Anders Roxell wrote:
> >>> On Wed, 20 Jun 2018 at 07:42, Shannon Nelson <shannon.nelson@oracle.com> wrote:
> >>>>
> >>>> A couple of bad behaviors in the ipsec selftest were pointed out
> >>>> by Anders Roxell <anders.roxell@linaro.org> and are addressed here.
> >>>>
> >>>> Shannon Nelson (2):
> >>>>     selftests: rtnetlink: hide complaint from terminated monitor
> >>>>     selftests: rtnetlink: use a local IP address for IPsec tests
> >>>>
> >>>>    tools/testing/selftests/net/rtnetlink.sh | 11 +++++++----
> >>>>    1 file changed, 7 insertions(+), 4 deletions(-)
> >>>>
> >>>> --
> >>>> 2.7.4
> >>>>
> >>>
> >>> Hi Shannon,
> >>>
> >>> With this patches applied and my config patch.
> >>>
> >>> I still get this error when I run the ipsec test:
> >>>
> >>> FAIL: can't add fou port 7777, skipping test
> >>> RTNETLINK answers: Operation not supported
> >>> FAIL: can't add macsec interface, skipping test
> >>> RTNETLINK answers: Protocol not supported
> >>> RTNETLINK answers: No such process
> >>> RTNETLINK answers: No such process
> >>> FAIL: ipsec
> >>
> >> One of the odd things I noticed about this script is that there really
> >> aren't any diagnosis messages, just PASS or FAIL.  I followed this
> >> custom when I added the ipsec tests, but I think this is something that
> >> should change so we can get some idea of what breaks.
> >>
> >> I'm curious about the "RTNETLINK answers" messages and where they might
> >> be coming from, especially "RTNETLINK answers: Protocol not supported".
> >
> > I added: "set -x" in the beginning of the rtnetlink.sh script.
> > + ip x s add proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07 mode
> > transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))'
> > 0x3132333435
> > 363738393031323334353664636261 128 sel src 10.66.17.140/24 dst 10.66.17.141/24
> > RTNETLINK answers: Protocol not supported
>
> Okay, so ip didn't like this command...
>
> >> What are the XFRM and AES settings in your kernel config - what is the
> >> output from
> >>          egrep -i "xfrm|_aes" .config
> >
> > CONFIG_XFRM=y
> > CONFIG_XFRM_ALGO=y
> > CONFIG_XFRM_USER=y
> > CONFIG_INET_XFRM_MODE_TUNNEL=y
> > CONFIG_INET6_XFRM_MODE_TRANSPORT=y
> > CONFIG_INET6_XFRM_MODE_TUNNEL=y
> > CONFIG_INET6_XFRM_MODE_BEET=y
> > CONFIG_CRYPTO_AES=y
>
> And this is probably why - there seem to be a few config variables
> missing, including CONFIG_INET_XFRM_MODE_TRANSPORT, which might be why
> the ip command fails above.
>
> Here's what I have in my config:
> CONFIG_XFRM=y
> CONFIG_XFRM_OFFLOAD=y
> CONFIG_XFRM_ALGO=m
> CONFIG_XFRM_USER=m
> # CONFIG_XFRM_SUB_POLICY is not set
> # CONFIG_XFRM_MIGRATE is not set
> CONFIG_XFRM_STATISTICS=y
> CONFIG_XFRM_IPCOMP=m
> CONFIG_INET_XFRM_TUNNEL=m
> CONFIG_INET_XFRM_MODE_TRANSPORT=m
> CONFIG_INET_XFRM_MODE_TUNNEL=m
> CONFIG_INET_XFRM_MODE_BEET=m
> CONFIG_INET6_XFRM_TUNNEL=m
> CONFIG_INET6_XFRM_MODE_TRANSPORT=m
> CONFIG_INET6_XFRM_MODE_TUNNEL=m
> CONFIG_INET6_XFRM_MODE_BEET=m
> CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
> CONFIG_SECURITY_NETWORK_XFRM=y
> CONFIG_CRYPTO_AES=y
> # CONFIG_CRYPTO_AES_TI is not set
> CONFIG_CRYPTO_AES_X86_64=m
> CONFIG_CRYPTO_AES_NI_INTEL=m
> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
> CONFIG_CRYPTO_DEV_PADLOCK_AES=m
>
> Can I talk you into adding CONFIG_INET_XFRM_MODE_TRANSPORT to your
> config

Yes you can.

> and trying again?

same issue with CONFIG_INET_XFRM_MODE_TRANSPORT=y

Cheers,
Anders

Re: [PATCH net-next 0/2] fixes for ipsec selftests

[Shannon Nelson]

On 6/21/2018 9:56 AM, Anders Roxell wrote:
> On Thu, 21 Jun 2018 at 02:32, Shannon Nelson <shannon.nelson@oracle.com> wrote:
>>
>> On 6/20/2018 4:18 PM, Anders Roxell wrote:
>>> On Thu, 21 Jun 2018 at 00:26, Shannon Nelson <shannon.nelson@oracle.com> wrote:
>>>>
>>>> On 6/20/2018 12:09 PM, Anders Roxell wrote:
>>>>> On Wed, 20 Jun 2018 at 07:42, Shannon Nelson <shannon.nelson@oracle.com> wrote:
>>>>>>
>>>>>> A couple of bad behaviors in the ipsec selftest were pointed out
>>>>>> by Anders Roxell <anders.roxell@linaro.org> and are addressed here.
>>>>>>
>>>>>> Shannon Nelson (2):
>>>>>>      selftests: rtnetlink: hide complaint from terminated monitor
>>>>>>      selftests: rtnetlink: use a local IP address for IPsec tests
>>>>>>
>>>>>>     tools/testing/selftests/net/rtnetlink.sh | 11 +++++++----
>>>>>>     1 file changed, 7 insertions(+), 4 deletions(-)
>>>>>>
>>>>>> --
>>>>>> 2.7.4
>>>>>>
>>>>>
>>>>> Hi Shannon,
>>>>>
>>>>> With this patches applied and my config patch.
>>>>>
>>>>> I still get this error when I run the ipsec test:
>>>>>
>>>>> FAIL: can't add fou port 7777, skipping test
>>>>> RTNETLINK answers: Operation not supported
>>>>> FAIL: can't add macsec interface, skipping test
>>>>> RTNETLINK answers: Protocol not supported
>>>>> RTNETLINK answers: No such process
>>>>> RTNETLINK answers: No such process
>>>>> FAIL: ipsec
>>>>
>>>> One of the odd things I noticed about this script is that there really
>>>> aren't any diagnosis messages, just PASS or FAIL.  I followed this
>>>> custom when I added the ipsec tests, but I think this is something that
>>>> should change so we can get some idea of what breaks.
>>>>
>>>> I'm curious about the "RTNETLINK answers" messages and where they might
>>>> be coming from, especially "RTNETLINK answers: Protocol not supported".
>>>
>>> I added: "set -x" in the beginning of the rtnetlink.sh script.
>>> + ip x s add proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07 mode
>>> transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))'
>>> 0x3132333435
>>> 363738393031323334353664636261 128 sel src 10.66.17.140/24 dst 10.66.17.141/24
>>> RTNETLINK answers: Protocol not supported
>>
>> Okay, so ip didn't like this command...
>>
>>>> What are the XFRM and AES settings in your kernel config - what is the
>>>> output from
>>>>           egrep -i "xfrm|_aes" .config
>>>
>>> CONFIG_XFRM=y
>>> CONFIG_XFRM_ALGO=y
>>> CONFIG_XFRM_USER=y
>>> CONFIG_INET_XFRM_MODE_TUNNEL=y
>>> CONFIG_INET6_XFRM_MODE_TRANSPORT=y
>>> CONFIG_INET6_XFRM_MODE_TUNNEL=y
>>> CONFIG_INET6_XFRM_MODE_BEET=y
>>> CONFIG_CRYPTO_AES=y
>>
>> And this is probably why - there seem to be a few config variables
>> missing, including CONFIG_INET_XFRM_MODE_TRANSPORT, which might be why
>> the ip command fails above.
>>
>> Here's what I have in my config:
>> CONFIG_XFRM=y
>> CONFIG_XFRM_OFFLOAD=y
>> CONFIG_XFRM_ALGO=m
>> CONFIG_XFRM_USER=m
>> # CONFIG_XFRM_SUB_POLICY is not set
>> # CONFIG_XFRM_MIGRATE is not set
>> CONFIG_XFRM_STATISTICS=y
>> CONFIG_XFRM_IPCOMP=m
>> CONFIG_INET_XFRM_TUNNEL=m
>> CONFIG_INET_XFRM_MODE_TRANSPORT=m
>> CONFIG_INET_XFRM_MODE_TUNNEL=m
>> CONFIG_INET_XFRM_MODE_BEET=m
>> CONFIG_INET6_XFRM_TUNNEL=m
>> CONFIG_INET6_XFRM_MODE_TRANSPORT=m
>> CONFIG_INET6_XFRM_MODE_TUNNEL=m
>> CONFIG_INET6_XFRM_MODE_BEET=m
>> CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
>> CONFIG_SECURITY_NETWORK_XFRM=y
>> CONFIG_CRYPTO_AES=y
>> # CONFIG_CRYPTO_AES_TI is not set
>> CONFIG_CRYPTO_AES_X86_64=m
>> CONFIG_CRYPTO_AES_NI_INTEL=m
>> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
>> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
>> CONFIG_CRYPTO_DEV_PADLOCK_AES=m
>>
>> Can I talk you into adding CONFIG_INET_XFRM_MODE_TRANSPORT to your
>> config
> 
> Yes you can.
> 
>> and trying again?
> 
> same issue with CONFIG_INET_XFRM_MODE_TRANSPORT=y

Interesting.  I took only CONFIG_INET_XFRM_MODE_TRANSPORT out of my 
config and was able to see the "Protocol not supported" message.  I'm 
not familiar enough with the crypto algorithm setup, but I suspect 
there's a combination of the other missing CONFIGs that are needed along 
with CONFIG_INET_XFRM_MODE_TRANSPORT.

My knee-jerk reaction voice wants to say this is the test working as 
expected, pointing out to us that the kernel config is not up to what it 
should be.  However, perhaps a better answer is that the test should be 
reworked to just skip the rest if it can't set up the expected test 
environment, as is done in the macsec case.

So the remaining question then is should the test be marked as failed, 
as in the macsec test if it can't set up it's interface, or just skipped?

sln

> 
> Cheers,
> Anders
> 

Re: [PATCH net-next 0/2] fixes for ipsec selftests

[David Miller]

From: Shannon Nelson <shannon.nelson@oracle.com>
Date: Tue, 19 Jun 2018 22:42:41 -0700

> A couple of bad behaviors in the ipsec selftest were pointed out
> by Anders Roxell <anders.roxell@linaro.org> and are addressed here.
> 
> Shannon Nelson (2):
>   selftests: rtnetlink: hide complaint from terminated monitor
>   selftests: rtnetlink: use a local IP address for IPsec tests

Series applied, but I wonder about patch #2.

The idea is that we don't make modifications to the actual system
networking configuration and therefore make changes that can't
possibly disrupt connectivity for the system under test.

Using a configured local IP address seems to subvert that.

Re: [PATCH net-next 0/2] fixes for ipsec selftests

[Shannon Nelson]

On 6/21/2018 9:49 PM, David Miller wrote:
> From: Shannon Nelson <shannon.nelson@oracle.com>
> Date: Tue, 19 Jun 2018 22:42:41 -0700
> 
>> A couple of bad behaviors in the ipsec selftest were pointed out
>> by Anders Roxell <anders.roxell@linaro.org> and are addressed here.
>>
>> Shannon Nelson (2):
>>    selftests: rtnetlink: hide complaint from terminated monitor
>>    selftests: rtnetlink: use a local IP address for IPsec tests
> 
> Series applied, but I wonder about patch #2.
> 
> The idea is that we don't make modifications to the actual system
> networking configuration and therefore make changes that can't
> possibly disrupt connectivity for the system under test.
> 
> Using a configured local IP address seems to subvert that.

Yeah, I'm not so thrilled with it either.  I've got a couple more 
changes coming Real Soon Now that extend netdevsim and add a couple of 
tests for ipsec-hw-offload, so while I finish those up I can change this 
again and make use of netdevsim to leave existing devices alone.

For that matter, if you want to cut down on patch thrash, just drop patch 2.

sln

Re: [PATCH net-next 0/2] fixes for ipsec selftests

[David Miller]

From: Shannon Nelson <shannon.nelson@oracle.com>
Date: Thu, 21 Jun 2018 23:50:36 -0700

> For that matter, if you want to cut down on patch thrash, just drop
> patch 2.

Too late, already in my tree :)

Don't worry about it for now.