Add test cases to verify copy DF and set DF options with lookaside IPsec
offload.
Signed-off-by: Anoob Joseph <ano...@marvell.com>
---
app/test/test_cryptodev.c | 75 ++++++++++++++++++++++++++++++++
app/test/test_cryptodev_security_ipsec.c | 71 ++++++++++++++++++++++++++++--
app/test/test_cryptodev_security_ipsec.h | 10 +++++
doc/guides/rel_notes/release_22_03.rst | 1 +
4 files changed, 154 insertions(+), 3 deletions(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 203b4a4..f808719 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9169,6 +9169,13 @@ test_ipsec_proto_process(const struct ipsec_test_data
td[],
sizeof(src));
memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst,
sizeof(dst));
+
+ if (flags->df == TEST_IPSEC_SET_DF_0_INNER_1)
+ ipsec_xform.tunnel.ipv4.df = 0;
+
+ if (flags->df == TEST_IPSEC_SET_DF_1_INNER_0)
+ ipsec_xform.tunnel.ipv4.df = 1;
+
} else {
memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src,
sizeof(v6_src));
@@ -9282,6 +9289,9 @@ test_ipsec_proto_process(const struct ipsec_test_data
td[],
memcpy(input_text, td[i].input_text.data,
td[i].input_text.len);
+ if (test_ipsec_pkt_update(input_text, flags))
+ return TEST_FAILED;
+
/* Generate crypto op data structure */
ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool,
RTE_CRYPTO_OP_TYPE_SYMMETRIC);
@@ -9700,6 +9710,55 @@ test_ipsec_proto_pkt_fragment(const void *data
__rte_unused)
flags.fragment = true;
return test_ipsec_proto_all(&flags);
+
+}
+
+static int
+test_ipsec_proto_copy_df_inner_0(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.df = TEST_IPSEC_COPY_DF_INNER_0;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_copy_df_inner_1(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.df = TEST_IPSEC_COPY_DF_INNER_1;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_set_df_0_inner_1(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.df = TEST_IPSEC_SET_DF_0_INNER_1;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_set_df_1_inner_0(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.df = TEST_IPSEC_SET_DF_1_INNER_0;
+
+ return test_ipsec_proto_all(&flags);
}
static int
@@ -14724,6 +14783,22 @@ static struct unit_test_suite ipsec_proto_testsuite =
{
"Fragmented packet",
ut_setup_security, ut_teardown,
test_ipsec_proto_pkt_fragment),
+ TEST_CASE_NAMED_ST(
+ "Tunnel header copy DF (inner 0)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_copy_df_inner_0),
+ TEST_CASE_NAMED_ST(
+ "Tunnel header copy DF (inner 1)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_copy_df_inner_1),
+ TEST_CASE_NAMED_ST(
+ "Tunnel header set DF 0 (inner 1)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_set_df_0_inner_1),
+ TEST_CASE_NAMED_ST(
+ "Tunnel header set DF 1 (inner 0)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_set_df_1_inner_0),
TEST_CASES_END() /**< NULL terminate unit test array */
}
};
diff --git a/app/test/test_cryptodev_security_ipsec.c
b/app/test/test_cryptodev_security_ipsec.c
index 94e5213..e662ea2 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -427,6 +427,9 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
ip->hdr_checksum = rte_ipv4_cksum(ip);
}
+ if (flags->df == TEST_IPSEC_COPY_DF_INNER_0 ||
+ flags->df == TEST_IPSEC_COPY_DF_INNER_1)
+ td->ipsec_xform.options.copy_df = 1;
}
}
@@ -640,6 +643,7 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct
ipsec_test_data *td,
{
uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+ uint8_t td_output_text[4096];
int ret;
/* For tests with status as error for test success, skip verification */
@@ -720,16 +724,21 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct
ipsec_test_data *td,
return ret;
}
+ memcpy(td_output_text, td->output_text.data + skip, len);
- if (memcmp(output_text, td->output_text.data + skip, len)) {
+ if (test_ipsec_pkt_update(td_output_text, flags)) {
+ printf("Could not update expected vector");
+ return TEST_FAILED;
+ }
+
+ if (memcmp(output_text, td_output_text, len)) {
if (silent)
return TEST_FAILED;
printf("TestCase %s line %d: %s\n", __func__, __LINE__,
"output text not as expected\n");
- rte_hexdump(stdout, "expected", td->output_text.data + skip,
- len);
+ rte_hexdump(stdout, "expected", td_output_text, len);
rte_hexdump(stdout, "actual", output_text, len);
return TEST_FAILED;
}
@@ -797,10 +806,27 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct
ipsec_test_data *td,
} else {
if (td->ipsec_xform.tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+ uint16_t f_off;
+
if (is_valid_ipv4_pkt(iph4) == false) {
printf("Tunnel outer header is not
IPv4\n");
return TEST_FAILED;
}
+
+ f_off = rte_be_to_cpu_16(iph4->fragment_offset);
+
+ if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 ||
+ flags->df == TEST_IPSEC_SET_DF_1_INNER_0) {
+ if (!(f_off & RTE_IPV4_HDR_DF_FLAG)) {
+ printf("DF bit is not set\n");
+ return TEST_FAILED;
+ }
+ } else {
+ if ((f_off & RTE_IPV4_HDR_DF_FLAG)) {
+ printf("DF bit is set\n");
+ return TEST_FAILED;
+ }
+ }
} else {
iph6 = (const struct rte_ipv6_hdr *)output_text;
if (is_valid_ipv6_pkt(iph6) == false) {
@@ -909,3 +935,42 @@ test_ipsec_stats_verify(struct rte_security_ctx *ctx,
return ret;
}
+
+int
+test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags)
+{
+ struct rte_ipv4_hdr *iph4;
+ bool cksum_dirty = false;
+ uint16_t frag_off;
+
+ iph4 = (struct rte_ipv4_hdr *)pkt;
+
+ if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 ||
+ flags->df == TEST_IPSEC_SET_DF_0_INNER_1 ||
+ flags->df == TEST_IPSEC_COPY_DF_INNER_0 ||
+ flags->df == TEST_IPSEC_SET_DF_1_INNER_0) {
+
+ if (!is_ipv4(iph4)) {
+ printf("Invalid packet type");
+ return -1;
+ }
+
+ frag_off = rte_be_to_cpu_16(iph4->fragment_offset);
+
+ if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 ||
+ flags->df == TEST_IPSEC_SET_DF_0_INNER_1)
+ frag_off |= RTE_IPV4_HDR_DF_FLAG;
+ else
+ frag_off &= ~RTE_IPV4_HDR_DF_FLAG;
+
+ iph4->fragment_offset = rte_cpu_to_be_16(frag_off);
+ cksum_dirty = true;
+ }
+
+ if (cksum_dirty && is_ipv4(iph4)) {
+ iph4->hdr_checksum = 0;
+ iph4->hdr_checksum = rte_ipv4_cksum(iph4);
+ }
+
+ return 0;
+}
diff --git a/app/test/test_cryptodev_security_ipsec.h
b/app/test/test_cryptodev_security_ipsec.h
index 6e27eba..12a9b77 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -50,6 +50,13 @@ struct ipsec_test_data {
} xform;
};
+enum df_flags {
+ TEST_IPSEC_COPY_DF_INNER_0 = 1,
+ TEST_IPSEC_COPY_DF_INNER_1,
+ TEST_IPSEC_SET_DF_0_INNER_1,
+ TEST_IPSEC_SET_DF_1_INNER_0,
+};
+
struct ipsec_test_flags {
bool display_alg;
bool sa_expiry_pkts_soft;
@@ -66,6 +73,7 @@ struct ipsec_test_flags {
bool transport;
bool fragment;
bool stats_success;
+ enum df_flags df;
};
struct crypto_param {
@@ -226,4 +234,6 @@ int test_ipsec_stats_verify(struct rte_security_ctx *ctx,
const struct ipsec_test_flags *flags,
enum rte_security_ipsec_sa_direction dir);
+int test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags);
+
#endif
diff --git a/doc/guides/rel_notes/release_22_03.rst
b/doc/guides/rel_notes/release_22_03.rst
index a7d0e53..1c6b846 100644
--- a/doc/guides/rel_notes/release_22_03.rst
+++ b/doc/guides/rel_notes/release_22_03.rst
@@ -72,6 +72,7 @@ New Features
* Added tunnel mode fragment packet tests.
* Added security stats tests.
* Added AES-CTR tests.
+ * Added set/copy DF tests.
Removed Items
--
2.7.4
