* [dts] [PATCH V3] add inline_ipsec test suite
@ 2018-01-03 9:34 xu,gang
2018-01-09 13:30 ` Liu, Yong
0 siblings, 1 reply; 2+ messages in thread
From: xu,gang @ 2018-01-03 9:34 UTC (permalink / raw)
To: dts; +Cc: xu,gang
Signed-off-by: xu,gang <gangx.xu@intel.com>
---
tests/TestSuite_inline_ipsec.py | 375 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 375 insertions(+)
create mode 100644 tests/TestSuite_inline_ipsec.py
diff --git a/tests/TestSuite_inline_ipsec.py b/tests/TestSuite_inline_ipsec.py
new file mode 100644
index 0000000..76dfd78
--- /dev/null
+++ b/tests/TestSuite_inline_ipsec.py
@@ -0,0 +1,375 @@
+# BSD LICENSE
+#
+# Copyright(c) 2010-2017 Intel Corporation. All rights reserved.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+# * Neither the name of Intel Corporation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+"""
+DPDK Test suite.
+Test inline_ipsec.
+"""
+
+import utils
+import string
+import time
+import re
+import threading
+from test_case import TestCase
+import getopt
+from scapy.all import *
+
+ETHER_STANDARD_MTU = 1518
+ETHER_JUMBO_FRAME_MTU = 9000
+
+
+class TestInlineIpsec(TestCase):
+
+ def set_up_all(self):
+ """
+ Run at the start of each test suite.
+ """
+ self.verify(self.nic in ["niantic"], "%s NIC not support" % self.nic)
+ self.verify(self.drivername in ["vfio-pci"], "%s drivername not support" % self.drivername)
+ self.dut_ports = self.dut.get_ports(self.nic)
+ self.verify(len(self.dut_ports) >= 2, "Insufficient ports")
+ cores = self.dut.get_core_list("1S/4C/1T")
+ self.coremask = utils.create_mask(cores)
+
+ # get test port info
+ self.rxport = self.tester.get_local_port(1)
+ self.txport = self.tester.get_local_port(0)
+ self.rxItf = self.tester.get_interface(self.rxport)
+ self.txItf = self.tester.get_interface(self.txport)
+
+ self.rx_src = self.tester.get_mac(self.rxport)
+ self.tx_dst = self.dut.get_mac_address(self.dut_ports[0])
+
+ # get dut port pci
+ self.portpci_0 = self.dut.get_port_pci(self.dut_ports[0])
+ self.portpci_1 = self.dut.get_port_pci(self.dut_ports[1])
+
+ # enable tester mtu
+ self.rxnetobj = self.tester.ports_info[self.rxport]['port']
+ self.rxnetobj.enable_jumbo(framesize=ETHER_JUMBO_FRAME_MTU + 100)
+ self.txnetobj = self.tester.ports_info[self.txport]['port']
+ self.txnetobj.enable_jumbo(framesize=ETHER_JUMBO_FRAME_MTU + 100)
+
+ self.path = "./examples/ipsec-secgw/build/ipsec-secgw"
+ # add print code in IPSEC app
+ sedcmd = r"""sed -i -e '/process_pkts(qconf, pkts, nb_rx, portid);/i\\printf("[debug]receive %hhu packet in rxqueueid=%hhu\\n",nb_rx, queueid);' examples/ipsec-secgw/ipsec-secgw.c"""
+ self.dut.send_expect(sedcmd, "#", 60)
+
+ # build sample app
+ out = self.dut.build_dpdk_apps("./examples/ipsec-secgw")
+ self.verify("Error" not in out, "compilation error 1")
+ self.verify("No such file" not in out, "compilation error 2")
+
+ self.cfg_prepare()
+
+ def set_up(self):
+ """
+ Run before each test case.
+ """
+ pass
+
+ def cfg_prepare(self):
+ """
+ write the inline_ipsec configuration file
+ """
+ enc = (
+ "#SP IPv4 rules\n"
+ "sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535\n"
+ "#SA rules\n"
+ "sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 port_id 1 type inline-crypto-offload\n"
+ "#Routing rules\n"
+ "rt ipv4 dst 172.16.2.5/32 port 1\n")
+
+ dec = (
+ "#SA rules\n"
+ "sa in 5 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 port_id 1 type inline-crypto-offload \n"
+ "#Routing rules\n"
+ "rt ipv4 dst 192.168.105.10/32 port 0\n"
+ )
+ enc_rss = (
+ "#SP IPv4 rules\n"
+ "sp ipv4 out esp protect 1002 pri 1 dst 192.168.102.0/24 sport 0:65535 dport 0:65535\n"
+ "sa out 1002 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef mode ipv4-tunnel src 172.16.31.35 dst 172.16.32.35 port_id 1 type inline-crypto-offload \n"
+ "#Routing rules\n"
+ "rt ipv4 dst 172.16.32.35/32 port 1\n"
+ )
+ dec_rss = (
+ "#SA rules\n"
+ "sa in 3 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef mode ipv4-tunnel src 172.16.21.25 dst 172.16.22.25 port_id 1 type inline-crypto-offload \n"
+ "#Routing rules\n"
+ "rt ipv4 dst 192.168.105.10/32 port 0\n"
+ )
+ dec_wrong_key = (
+ "#SA rules\n"
+ "sa in 5 aead_algo aes-128-gcm aead_key 2f:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 port_id 1 type inline-crypto-offload \n"
+ "#Routing rules\n"
+ "rt ipv4 dst 192.168.105.10/32 port 0\n"
+ )
+ enc_dec = (
+ "#SP IPv4 rules\n"
+ "sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535\n"
+ "#SA rules\n"
+ "sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 port_id 1 type inline-crypto-offload \n"
+ "sa in 5 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 port_id 1 type inline-crypto-offload \n"
+ "#Routing rules\n"
+ "rt ipv4 dst 172.16.2.5/32 port 1\n"
+ "rt ipv4 dst 192.168.105.10/32 port 0\n"
+ )
+ self.set_cfg('enc.cfg', enc)
+ self.set_cfg('dec.cfg', dec)
+ self.set_cfg('enc_rss.cfg', enc_rss)
+ self.set_cfg('dec_rss.cfg', dec_rss)
+ self.set_cfg('enc_dec.cfg', enc_dec)
+ self.set_cfg('dec_wrong_key.cfg', dec_wrong_key)
+
+ def set_cfg(self, filename, cfg):
+ """
+ open file and write cfg, scp it to dut base directory
+ """
+ for i in cfg:
+ with open(filename, 'w') as f:
+ f.write(cfg)
+ self.dut.session.copy_file_to(filename, self.dut.base_dir)
+
+ def send_encryption_package(self, intf, paysize=64, do_encrypt=False, send_spi=5, count=1, inner_dst='192.168.105.10', sa_src='172.16.1.5', sa_dst='172.16.2.5'):
+ """
+ make a package and send
+ """
+ test = 'test-' * 2000
+ payload = test[0:int(paysize)]
+ sa_gcm = SecurityAssociation(ESP, spi=send_spi,
+ crypt_algo='AES-GCM',
+ crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef',
+ auth_algo='NULL', auth_key=None,
+ tunnel_header=IP(src=sa_src, dst=sa_dst))
+ sa_gcm.crypt_algo.icv_size = 16
+
+ p = IP(src='192.168.105.10', dst=inner_dst)
+ p /= payload
+ p = IP(str(p))
+
+ if do_encrypt == True:
+ print "send encrypt package"
+ e = sa_gcm.encrypt(p)
+ else:
+ print "send normal package"
+ e = p
+
+ eth_e = Ether() / e
+ eth_e.src = self.rx_src
+ eth_e.dst = self.tx_dst
+ session_send = self.tester.create_session(
+ name='send_encryption_package')
+ sendp(eth_e, iface=intf, count=count)
+ self.tester.destroy_session(session_send)
+
+ return payload
+
+ def Ipsec_Encryption(self, config, file_name, txItf, rxItf, paysize=32, jumboframe=1518, do_encrypt=False, verify=True, send_spi=5, receive_spi=1005, count=1, inner_dst='192.168.105.10', sa_src='172.16.1.5', sa_dst='172.16.2.5'):
+ """
+ verify Ipsec receive package
+ """
+ cmd = self.path + " -l 20,21 -w %s -w %s --vdev 'crypto_null' --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u 0x2 -j %s --config='%s' -f %s" % (
+ self.portpci_0, self.portpci_1, jumboframe, config, file_name)
+ self.dut.send_expect(cmd, "IPSEC", 60)
+
+ session_receive = self.tester.create_session(
+ name='receive_encryption_package')
+ sa_gcm = r"sa_gcm=SecurityAssociation(ESP,spi=%s,crypt_algo='AES-GCM',crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef',auth_algo='NULL',auth_key=None,tunnel_header=IP(src='172.16.1.5',dst='172.16.2.5'))" % receive_spi
+
+ session_receive.send_expect("scapy", ">>>", 10)
+ session_receive.send_expect(
+ "pkts=sniff(iface='%s',count=1,timeout=10)" % rxItf, "", 30)
+ send_package = self.send_encryption_package(
+ txItf, paysize, do_encrypt, send_spi, count, inner_dst, sa_src, sa_dst)
+
+ time.sleep(10)
+ out = session_receive.send_expect("pkts", "", 30)
+ if do_encrypt:
+ out = session_receive.send_expect("pkts[0]['IP'] ", ">>>", 10)
+ else:
+ session_receive.send_expect(sa_gcm, ">>>", 10)
+ session_receive.send_expect(
+ "results=sa_gcm.decrypt(pkts[0]['IP'])", ">>>", 10)
+ out = session_receive.send_expect("results", ">>>", 10)
+
+ if verify:
+ self.verify(send_package in out,
+ "Unreceived package or get other package")
+ else:
+ self.verify(send_package not in out,
+ "The function is not in effect")
+ session_receive.send_expect("quit()", "#", 10)
+ self.tester.destroy_session(session_receive)
+
+ def test_Ipsec_Encryption(self):
+ """
+ test Ipsec Encryption
+ """
+ config = '(0,0,21),(1,0,21)'
+ paysize = random.randint(1, ETHER_STANDARD_MTU)
+ self.Ipsec_Encryption(config, '/root/dpdk/enc.cfg',
+ self.txItf, self.rxItf, paysize)
+
+ def test_Ipsec_Encryption_Jumboframe(self):
+ """
+ test Ipsec Encryption Jumboframe
+ """
+ config = '(0,0,21),(1,0,21)'
+ paysize = random.randint(ETHER_STANDARD_MTU, ETHER_JUMBO_FRAME_MTU)
+ self.Ipsec_Encryption(config, '/root/dpdk/enc.cfg',
+ self.txItf, self.rxItf, paysize, ETHER_JUMBO_FRAME_MTU)
+
+ def test_Ipsec_Encryption_Rss(self):
+ """
+ test Ipsec Encryption Rss
+ """
+ config = '(0,0,20),(0,1,20),(1,0,21),(1,1,21)'
+ self.Ipsec_Encryption(config, '/root/dpdk/enc_rss.cfg', self.txItf,
+ self.rxItf, send_spi=2, receive_spi=1002, inner_dst='192.168.102.10')
+ out = self.dut.get_session_output()
+ verifycode = "receive 1 packet in rxqueueid=1"
+ self.verify(verifycode in out, "rxqueueid error")
+
+ def test_IPSec_Decryption(self):
+ """
+ test IPSec Decryption
+ """
+ config = '(0,0,21),(1,0,21)'
+ paysize = random.randint(1, ETHER_STANDARD_MTU)
+ self.Ipsec_Encryption(config, '/root/dpdk/dec.cfg', self.rxItf,
+ self.txItf, paysize, do_encrypt=True, count=2)
+
+ def test_IPSec_Decryption_Jumboframe(self):
+ """
+ test IPSec Decryption Jumboframe
+ """
+ config = '(0,0,21),(1,0,21)'
+ paysize = random.randint(ETHER_STANDARD_MTU, ETHER_JUMBO_FRAME_MTU)
+ self.Ipsec_Encryption(config, '/root/dpdk/dec.cfg', self.rxItf,
+ self.txItf, paysize, ETHER_JUMBO_FRAME_MTU, do_encrypt=True, count=2)
+
+ def test_Ipsec_Decryption_Rss(self):
+ """
+ test Ipsec Decryption Rss
+ """
+ config = '(0,0,20),(0,1,20),(1,0,21),(1,1,21)'
+ self.Ipsec_Encryption(config, '/root/dpdk/dec_rss.cfg', self.rxItf, self.txItf, do_encrypt=True,
+ send_spi=3, receive_spi=1003, count=2, sa_src='172.16.21.25', sa_dst='172.16.22.25')
+ out = self.dut.get_session_output()
+ verifycode = "receive 1 packet in rxqueueid=1"
+ self.verify(verifycode in out, "rxqueueid error")
+
+ def test_Ipsec_Decryption_wrongkey(self):
+ """
+ test Ipsec Decryption wrongkey
+ """
+ config = '(0,0,21),(1,0,21)'
+ paysize = random.randint(1, ETHER_STANDARD_MTU)
+ self.Ipsec_Encryption(config, '/root/dpdk/dec_wrong_key.cfg', self.rxItf,
+ self.txItf, paysize, do_encrypt=True, verify=False, count=2)
+ out = self.dut.get_session_output()
+ verifycode = "IPSEC_ESP: failed crypto op"
+ self.verify(verifycode in out, "Ipsec Decryption wrongkey failed")
+
+ def test_Ipsec_Encryption_Decryption(self):
+ """
+ test Ipsec Encryption Decryption
+ """
+ cmd = self.path + " -l 20,21 -w %s -w %s --vdev 'crypto_null' --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u 0x2 -j %s --config='%s' -f %s" % (
+ self.portpci_0, self.portpci_1, '1518', '(0,0,21),(1,0,21)', '/root/dpdk/enc_dec.cfg')
+ self.dut.send_expect(cmd, "IPSEC", 60)
+ session_receive = self.tester.create_session(
+ name='receive_encryption_package')
+ sa_gcm = r"sa_gcm=SecurityAssociation(ESP, spi=1005,crypt_algo='AES-GCM',crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef',auth_algo='NULL', auth_key=None,tunnel_header=IP(src='172.16.1.5', dst='172.16.2.5'))"
+
+ session_receive.send_expect("scapy", ">>>", 60)
+ session_receive.send_expect(sa_gcm, ">>>", 60)
+ session_receive.send_expect(
+ "pkts=sniff(iface='%s',count=3,timeout=30)" % self.rxItf, "", 60)
+ session_receive2 = self.tester.create_session(
+ name='receive_encryption_package2')
+
+ session_receive2.send_expect("scapy", ">>>", 60)
+ session_receive2.send_expect(sa_gcm, ">>>", 60)
+ session_receive2.send_expect(
+ "pkts=sniff(iface='%s',count=2,timeout=30)" % self.txItf, "", 60)
+
+ payload = "test for Ipsec Encryption Decryption simultaneously"
+ sa_gcm = SecurityAssociation(ESP, spi=5,
+ crypt_algo='AES-GCM',
+ crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef',
+ auth_algo='NULL', auth_key=None,
+ tunnel_header=IP(src='172.16.1.5', dst='172.16.2.5'))
+ sa_gcm.crypt_algo.icv_size = 16
+
+ p = IP(src='192.168.105.10', dst='192.168.105.10')
+ p /= payload
+ p = IP(str(p))
+
+ e1 = sa_gcm.encrypt(p)
+ e2 = p
+
+ eth_e1 = Ether() / e1
+ eth_e1.src = self.rx_src
+ eth_e1.dst = self.tx_dst
+ eth_e2 = Ether() / e2
+ eth_e2.src = self.rx_src
+ eth_e2.dst = self.tx_dst
+
+ sendp(eth_e1, iface=self.rxItf, count=2)
+ sendp(eth_e2, iface=self.txItf, count=1)
+ time.sleep(30)
+ session_receive.send_expect(
+ "results=sa_gcm.decrypt(pkts[2]['IP'])", ">>>", 60)
+ out = session_receive.send_expect("results", ">>>", 60)
+ self.verify(payload in out,
+ "The package is not received. Please check the package")
+ out = session_receive2.send_expect("pkts[1]", ">>>", 60)
+ self.verify(payload in out,
+ "The package is not received. Please check the package")
+
+ def tear_down(self):
+ """
+ Run after each test case.
+ """
+ self.tester.send_expect("^C", "#", 5)
+ self.dut.kill_all()
+ time.sleep(2)
+
+ def tear_down_all(self):
+ """
+ Run after each test suite.
+ """
+ self.rxnetobj.enable_jumbo(framesize=ETHER_STANDARD_MTU)
+ self.txnetobj.enable_jumbo(framesize=ETHER_STANDARD_MTU)
--
1.9.3
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [dts] [PATCH V3] add inline_ipsec test suite
2018-01-03 9:34 [dts] [PATCH V3] add inline_ipsec test suite xu,gang
@ 2018-01-09 13:30 ` Liu, Yong
0 siblings, 0 replies; 2+ messages in thread
From: Liu, Yong @ 2018-01-09 13:30 UTC (permalink / raw)
To: xu,gang, dts
Gang,
Your suite is depend on scapy to encap/decap ESP packets. I known that
scapy not support that with previous versions.
Could you list which version is needed in the suite or even further more
check the needed version?
Thanks,
Marvin
On 01/03/2018 05:34 PM, xu,gang wrote:
> Signed-off-by: xu,gang<gangx.xu@intel.com>
> ---
> tests/TestSuite_inline_ipsec.py | 375 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 375 insertions(+)
> create mode 100644 tests/TestSuite_inline_ipsec.py
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-01-09 5:39 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-03 9:34 [dts] [PATCH V3] add inline_ipsec test suite xu,gang
2018-01-09 13:30 ` Liu, Yong
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).