[LTP] How about set IPsec with ip xfrm?

[LTP] How about set IPsec with ip xfrm?

[Hangbin Liu]

Hi Cyril and Alexey,

Msst of the network stress tests have IPsec testing, and
we use setkey for configuration. But setkey[1] hasn't updated
for a long time. And some distros, RHEL7 for example, even
don't have ipset-tools package. So how about rewrite IPsec
config with ip xfrm? or at least make both method works?

[1] http://ipsec-tools.sourceforge.net/

Thanks
Hangbin Liu

[LTP] How about set IPsec with ip xfrm?

[Alexey Kodanev]

Hi,
On 10/27/2015 10:32 AM, Hangbin Liu wrote:
> Hi Cyril and Alexey,
>
> Msst of the network stress tests have IPsec testing, and
> we use setkey for configuration. But setkey[1] hasn't updated
> for a long time. And some distros, RHEL7 for example, even
> don't have ipset-tools package. So how about rewrite IPsec
> config with ip xfrm? or at least make both method works?

This is a good point. IPsec tests are in icmp, tcp and udp directories, 
right? I've not touch these particular tests yet.

In OL6 we have openswan package, RHEL6 as well. And in OL7, libreswan. 
No ipsec-tools there.

Thanks,
Alexey

> [1] http://ipsec-tools.sourceforge.net/
>
> Thanks
> Hangbin Liu

[LTP] How about set IPsec with ip xfrm?

[Hangbin Liu]

2015-10-27 21:16 GMT+08:00 Alexey Kodanev <alexey.kodanev@oracle.com>:
> Hi,
> On 10/27/2015 10:32 AM, Hangbin Liu wrote:
>>
>> Hi Cyril and Alexey,
>>
>> Msst of the network stress tests have IPsec testing, and
>> we use setkey for configuration. But setkey[1] hasn't updated
>> for a long time. And some distros, RHEL7 for example, even
>> don't have ipset-tools package. So how about rewrite IPsec
>> config with ip xfrm? or at least make both method works?
>
>
> This is a good point. IPsec tests are in icmp, tcp and udp directories,

Yes, exactly.

> right? I've not touch these particular tests yet.
>
> In OL6 we have openswan package, RHEL6 as well. And in OL7, libreswan. No
> ipsec-tools there.

Yes, so run stress test on the latest distros is painful. I didn't use
openswan or
libreswan because we need update the config file each time. So I use ip-xfrm to
config the IPsec rules. Here is a draft patch(attached). You can
review it first.

Thanks
Hangbin
>
> Thanks,
> Alexey
>
>
>> [1] http://ipsec-tools.sourceforge.net/
>>
>> Thanks
>> Hangbin Liu
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.patch
Type: text/x-patch
Size: 12164 bytes
Desc: not available
URL: <http://lists.linux.it/pipermail/ltp/attachments/20151028/dafd569a/attachment-0001.bin>

[LTP] How about set IPsec with ip xfrm?

[Alexey Kodanev]

Hi,
On 10/28/2015 09:52 AM, Hangbin Liu wrote:
>
> Yes, so run stress test on the latest distros is painful. I didn't use
> openswan or
> libreswan because we need update the config file each time. So I use ip-xfrm to
> config the IPsec rules. Here is a draft patch(attached). You can
> review it first.

OK, I'll look into the patch.

Thanks,
Alexey

[LTP] How about set IPsec with ip xfrm?

[Alexey Kodanev]

Hi Hangbin,

OK, I've reviewed the icmp tests draft, here are the comments:

* I wouldn't add tst_ipsec() to test_net.sh because this function will 
only be run in IPsec related tests, the rest network tests will include 
it with no good reason. We can move all ipsec related tests to one 
directory under network/stress/ipsec and create common library script there.

* c2x() function can be added to test.sh because it is more or less 
generic, but it should be fixed to print the message in LTP style format.

* Make sure you don't run LTP_RSH directly.

* Don't use absolute path to run commands, it can differ from one 
environment to another. They should be in the PATH before the tests 
start. You can verify that particular command is available with 
tst_check_cmds() in the test script.

* icmp_check_connectivity (ping) can be merged to test_net.sh, other 
network test could run it too.

Thanks,
Alexey

[LTP] How about set IPsec with ip xfrm?

[Hangbin Liu]

Hi Alexey,

Thanks for reviewing the patch. Please see the comments below.

2015-11-03 22:03 GMT+08:00 Alexey Kodanev <alexey.kodanev@oracle.com>:
> Hi Hangbin,
>
> OK, I've reviewed the icmp tests draft, here are the comments:
>
> * I wouldn't add tst_ipsec() to test_net.sh because this function will only
> be run in IPsec related tests, the rest network tests will include it with
> no good reason. We can move all ipsec related tests to one directory under
> network/stress/ipsec and create common library script there.

OK, I can put it under stress/ns-tools/set_ipsec

>
> * c2x() function can be added to test.sh because it is more or less generic,
> but it should be fixed to print the message in LTP style format.

I'd prefer to keep c2x() with set_ipsec at present. We can move it to
test_net.sh
when someone want to use it.

>
> * Make sure you don't run LTP_RSH directly.

Got it, I will use tst_rhost_run() instead.

>
> * Don't use absolute path to run commands, it can differ from one
> environment to another. They should be in the PATH before the tests start.
> You can verify that particular command is available with tst_check_cmds() in
> the test script.

OK
>
> * icmp_check_connectivity (ping) can be merged to test_net.sh, other network
> test could run it too.

I tried to merge it to test_net.sh. But I found we need to check icmp
connectivity
from remove sometimes. Then I'm not sure how to call a function in
test_net.sh from
remove except source test_net.sh in remote. Or we need to add another parameter
in icmp_check_connectivity() like rhost to run cmd from remote. like

tst_icmp_connectivity/tst_ping rhost IFACE ADDR [SIZE]

or just use it as the old way

tst_rhost_run check_icmpv4_connectivity  IFACE ADDR [SIZE]

Which style do you prefer?

Thanks
Hangbin

[LTP] How about set IPsec with ip xfrm?

[Alexey Kodanev]

Hi,
On 09.11.2015 5:42, Hangbin Liu wrote:
> Hi Alexey,
>
> Thanks for reviewing the patch. Please see the comments below.
>
> 2015-11-03 22:03 GMT+08:00 Alexey Kodanev <alexey.kodanev@oracle.com>:
>> Hi Hangbin,
>>
>> OK, I've reviewed the icmp tests draft, here are the comments:
>>
>> * I wouldn't add tst_ipsec() to test_net.sh because this function will only
>> be run in IPsec related tests, the rest network tests will include it with
>> no good reason. We can move all ipsec related tests to one directory under
>> network/stress/ipsec and create common library script there.
> OK, I can put it under stress/ns-tools/set_ipsec

Why set_ipsec? I thought it should be a library with common functions, 
vars, etc. for ipsec tests? Something like ipsec_lib.sh.
I'm not sure that ns-tools is the right place for it.

>
>> * c2x() function can be added to test.sh because it is more or less generic,
>> but it should be fixed to print the message in LTP style format.
> I'd prefer to keep c2x() with set_ipsec at present. We can move it to
> test_net.sh
> when someone want to use it.

Nonetheless, it should use LTP style to print test information.

>> * icmp_check_connectivity (ping) can be merged to test_net.sh, other network
>> test could run it too.
> I tried to merge it to test_net.sh. But I found we need to check icmp
> connectivity
> from remove sometimes. Then I'm not sure how to call a function in
> test_net.sh from
> remove except source test_net.sh in remote. Or we need to add another parameter
> in icmp_check_connectivity() like rhost to run cmd from remote. like
>
> tst_icmp_connectivity/tst_ping rhost IFACE ADDR [SIZE]
>
> or just use it as the old way
>
> tst_rhost_run check_icmpv4_connectivity  IFACE ADDR [SIZE]
>
> Which style do you prefer?

I guess we can always ping from the other way, as a consequence you 
don't have to run some
script that sources test_net.sh or make a separate command for it.

Thanks,
Alexey