Re: [PATCHv3 net-next 0/7] pktgen IPsec support

[Fan Du <fan.du@windriver.com>]

On 2013年12月16日 20:41, Jamal Hadi Salim wrote:
> On 12/15/13 02:57, Fan Du wrote:
>> Hi, Dave
>>
>> Current pktgen IPsec supports only transport/ESP combinnation,
>> This patchset enables user to do almost any IPsec transformation,
>> both transport/tunnel mode, and AH/ESP/IPcomp type.
>>
>> Below configuration has been tested, and using Wireshark could decrypt
>> out plain text in good formation without any checksum/auth errors:
>>
>> Mode/TYPE   AH  ESP
>> Transport   x   x
>> Tunnel      x   x
>>
>
> Very nice - but i couldnt see which patch added the option to enable
> checksums.

I thought we have reach the consensus on this part in previous discussion
(http://www.spinics.net/lists/netdev/msg261411.html), This enhancement
patch didn't change original behavior, nor does remove original implementation.

This enhancement expects good encapsulation format for the receiver to
de-encapsulation.

If there is a need to play bad with IP checksum, I will do this in a different
patchset, as bad checksum IP packet(with or without IPsec) got discarded
at IP layer, and a generic pktgen option should be created for this feature.

> I also think that some dose of update to the pktgen documentation in
> Documents/  would be useful.

This is snippets of doc updates I could come up with. Please check if it's ok
for you.

@@ -108,7 +108,9 @@ Examples:
                                MPLS_RND, VID_RND, SVID_RND
                                QUEUE_MAP_RND # queue map random
                                QUEUE_MAP_CPU # queue map mirrors smp_processor_id()
+                              IPSEC # Make IPsec encapsulation for packet

+ pgset spi SPI_VALUE     Set specific SA used to transform packet.

   pgset "udp_src_min 9"   set UDP source port min, If < udp_src_max, then
                           cycle through the port range.
@@ -177,6 +179,18 @@ Note when adding devices to a specific CPU there good idea to also assign
  /proc/irq/XX/smp_affinity so the TX-interrupts gets bound to the same CPU.
  as this reduces cache bouncing when freeing skb's.

+Enable IPsec
+============
+Default IPsec transformation with ESP encapsulation plus Transport mode
+could be enabled by simply setting:
+
+pgset "flag IPSEC"
+pgset "flows 1"
+
+To avoid breaking existing testbed scripts for using AH type and tunnel mode,
+user could use "pgset spi SPI_VALUE" to specify which formal of transformation
+to employ.
+

  Current commands and configuration options
  ==========================================
@@ -225,6 +239,7 @@ flag
    UDPDST_RND
    MACSRC_RND
    MACDST_RND
+  IPSEC

  dst_min


-- 
浮沉随浪只记今朝笑

--fan