#!/usr/bin/env python3
# SPDX-License-Identifier: GPL-2.0
"""Traffic test for VXLAN + IPsec crypto-offload."""

import os

from lib.py import ksft_run, ksft_exit, ksft_eq, ksft_ge
from lib.py import ksft_variants, KsftNamedVariant, KsftSkipEx
from lib.py import CmdExitFailure, NetDrvEpEnv, cmd, defer, ethtool, ip
from lib.py import Iperf3Runner

# Inner tunnel addresses - TEST-NET-2 (RFC 5737) / doc prefix (RFC 3849)
INNER_V4_LOCAL = "198.51.100.1"
INNER_V4_REMOTE = "198.51.100.2"
INNER_V6_LOCAL = "2001:db8:100::1"
INNER_V6_REMOTE = "2001:db8:100::2"

# ESP parameters
SPI_OUT = "0x1000"
SPI_IN = "0x1001"
# 128-bit key + 32-bit salt = 20 bytes hex, 128-bit ICV
ESP_AEAD = "aead 'rfc4106(gcm(aes))' 0x" + "01" * 20 + " 128"


def xfrm(args, host=None):
    """Runs 'ip xfrm' via shell to preserve parentheses in algo names."""
    cmd(f"ip xfrm {args}", shell=True, host=host)


def check_xfrm_offload_support():
    """Skips if iproute2 lacks xfrm offload support."""
    out = cmd("ip xfrm state help", fail=False)
    if "offload" not in out.stdout + out.stderr:
        raise KsftSkipEx("iproute2 too old, missing xfrm offload")


def check_esp_hw_offload(cfg):
    """Skips if device lacks esp-hw-offload support."""
    check_xfrm_offload_support()
    try:
        feat = ethtool(f"-k {cfg.ifname}", json=True)[0]
    except (CmdExitFailure, IndexError) as e:
        raise KsftSkipEx(f"can't query features: {e}") from e
    if not feat.get("esp-hw-offload", {}).get("active"):
        raise KsftSkipEx("Device does not support esp-hw-offload")


def get_tx_drops(cfg):
    """Returns TX dropped counter from the physical device."""
    stats = ip("-s -s link show dev " + cfg.ifname, json=True)[0]
    return stats["stats64"]["tx"]["dropped"]


def setup_vxlan_ipsec(cfg, outer_ipver, inner_ipver):
    """Sets up VXLAN tunnel with IPsec transport-mode crypto-offload."""
    vxlan_name = f"vx{os.getpid()}"
    local_addr = cfg.addr_v[outer_ipver]
    remote_addr = cfg.remote_addr_v[outer_ipver]

    if inner_ipver == "4":
        inner_local = f"{INNER_V4_LOCAL}/24"
        inner_remote = f"{INNER_V4_REMOTE}/24"
        addr_extra = ""
    else:
        inner_local = f"{INNER_V6_LOCAL}/64"
        inner_remote = f"{INNER_V6_REMOTE}/64"
        addr_extra = " nodad"

    if outer_ipver == "6":
        vxlan_opts = "udp6zerocsumtx udp6zerocsumrx"
    else:
        vxlan_opts = "noudpcsum"

    # VXLAN tunnel - local side
    ip(f"link add {vxlan_name} type vxlan id 100 dstport 4789 {vxlan_opts} "
       f"local {local_addr} remote {remote_addr} dev {cfg.ifname}")
    defer(ip, f"link del {vxlan_name}")
    ip(f"addr add {inner_local} dev {vxlan_name}{addr_extra}")
    ip(f"link set {vxlan_name} up")

    # VXLAN tunnel - remote side
    ip(f"link add {vxlan_name} type vxlan id 100 dstport 4789 {vxlan_opts} "
       f"local {remote_addr} remote {local_addr} dev {cfg.remote_ifname}",
       host=cfg.remote)
    defer(ip, f"link del {vxlan_name}", host=cfg.remote)
    ip(f"addr add {inner_remote} dev {vxlan_name}{addr_extra}",
       host=cfg.remote)
    ip(f"link set {vxlan_name} up", host=cfg.remote)

    # xfrm state - local outbound SA
    xfrm(f"state add src {local_addr} dst {remote_addr} "
         f"proto esp spi {SPI_OUT} "
         f"{ESP_AEAD} "
         f"mode transport offload crypto dev {cfg.ifname} dir out")
    defer(xfrm, f"state del src {local_addr} dst {remote_addr} "
                f"proto esp spi {SPI_OUT}")

    # xfrm state - local inbound SA
    xfrm(f"state add src {remote_addr} dst {local_addr} "
         f"proto esp spi {SPI_IN} "
         f"{ESP_AEAD} "
         f"mode transport offload crypto dev {cfg.ifname} dir in")
    defer(xfrm, f"state del src {remote_addr} dst {local_addr} "
                f"proto esp spi {SPI_IN}")

    # xfrm state - remote outbound SA (mirror, software crypto)
    xfrm(f"state add src {remote_addr} dst {local_addr} "
         f"proto esp spi {SPI_IN} "
         f"{ESP_AEAD} "
         f"mode transport",
         host=cfg.remote)
    defer(xfrm, f"state del src {remote_addr} dst {local_addr} "
                f"proto esp spi {SPI_IN}", host=cfg.remote)

    # xfrm state - remote inbound SA (mirror, software crypto)
    xfrm(f"state add src {local_addr} dst {remote_addr} "
         f"proto esp spi {SPI_OUT} "
         f"{ESP_AEAD} "
         f"mode transport",
         host=cfg.remote)
    defer(xfrm, f"state del src {local_addr} dst {remote_addr} "
                f"proto esp spi {SPI_OUT}", host=cfg.remote)

    # xfrm policy - local out
    xfrm(f"policy add src {local_addr} dst {remote_addr} "
         f"proto udp dport 4789 dir out "
         f"tmpl src {local_addr} dst {remote_addr} proto esp mode transport")
    defer(xfrm, f"policy del src {local_addr} dst {remote_addr} "
                f"proto udp dport 4789 dir out")

    # xfrm policy - local in
    xfrm(f"policy add src {remote_addr} dst {local_addr} "
         f"proto udp dport 4789 dir in "
         f"tmpl src {remote_addr} dst {local_addr} proto esp mode transport")
    defer(xfrm, f"policy del src {remote_addr} dst {local_addr} "
                f"proto udp dport 4789 dir in")

    # xfrm policy - remote out
    xfrm(f"policy add src {remote_addr} dst {local_addr} "
         f"proto udp dport 4789 dir out "
         f"tmpl src {remote_addr} dst {local_addr} proto esp mode transport",
         host=cfg.remote)
    defer(xfrm, f"policy del src {remote_addr} dst {local_addr} "
                f"proto udp dport 4789 dir out", host=cfg.remote)

    # xfrm policy - remote in
    xfrm(f"policy add src {local_addr} dst {remote_addr} "
         f"proto udp dport 4789 dir in "
         f"tmpl src {local_addr} dst {remote_addr} proto esp mode transport",
         host=cfg.remote)
    defer(xfrm, f"policy del src {local_addr} dst {remote_addr} "
                f"proto udp dport 4789 dir in", host=cfg.remote)


def _vxlan_ipsec_variants():
    """Generates outer/inner IP version variants."""
    for outer in ["4", "6"]:
        for inner in ["4", "6"]:
            yield KsftNamedVariant(f"outer_v{outer}_inner_v{inner}", outer, inner)


@ksft_variants(_vxlan_ipsec_variants())
def test_vxlan_ipsec_crypto_offload(cfg, outer_ipver, inner_ipver):
    """Tests VXLAN+IPsec crypto-offload has no TX drops."""
    cfg.require_ipver(outer_ipver)
    check_esp_hw_offload(cfg)

    setup_vxlan_ipsec(cfg, outer_ipver, inner_ipver)

    if inner_ipver == "4":
        inner_local = INNER_V4_LOCAL
        inner_remote = INNER_V4_REMOTE
        ping = "ping"
    else:
        inner_local = INNER_V6_LOCAL
        inner_remote = INNER_V6_REMOTE
        ping = "ping -6"

    cmd(f"{ping} -c 1 -W 2 {inner_remote}")

    drops_before = get_tx_drops(cfg)

    runner = Iperf3Runner(cfg, server_ip=inner_local,
                          client_ip=inner_remote)
    bw_gbps = runner.measure_bandwidth(reverse=True)

    cfg.wait_hw_stats_settle()
    drops_after = get_tx_drops(cfg)

    ksft_eq(drops_after - drops_before, 0,
            comment="TX drops during VXLAN+IPsec")
    ksft_ge(bw_gbps, 0.1,
            comment="Minimum 100Mbps over VXLAN+IPsec")


def main():
    """Runs VXLAN+IPsec crypto-offload GSO selftest."""
    with NetDrvEpEnv(__file__, nsim_test=False) as cfg:
        ksft_run([test_vxlan_ipsec_crypto_offload], args=(cfg,))
    ksft_exit()


if __name__ == "__main__":
    main()