[ovs-dev] [PATCH] ipsec: Do not allow ipsec_gre tunnel traffic to exit unencrypted

Ansis Atteka ansisatteka at gmail.com
Thu Sep 1 16:13:48 UTC 2016


On 30 August 2016 at 02:21, Jesse Gross <jesse at kernel.org> wrote:

> On Mon, Aug 29, 2016 at 11:57 AM, Ansis Atteka <aatteka at ovn.org> wrote:
> > If ipsec_gre tunnel configuration is changed in OVSDB,
> > then GRE packets may sometimes exit unencrypted until
> > per-tunnel IPsec policies are installed by ovs-monitor-ipsec
> > daemon.
> >
> > This patch fixes this issue by installing a single, low
> > priority IPsec block policy that drops all GRE packets
> > coming out from ipsec_gre tunnels that do not yet have
> > their own IPsec policies installed.
> >
> > This patch depends on two other recently committed
> > patches:
> > 1. 574ff4aa (tunneling: get skb marking to work
> >    properly with tunnels)
> > 2. ca3574d5 (IPsec: refactor out some code in
> >    OVS_MONITOR_IPSEC_START macro)
> >
> > Signed-off-by: Ansis Atteka <aatteka at ovn.org>
> > Reported-by: Steffen Birkeland <Steffefb at stud.ntnu.no>
>
> Acked-by: Jesse Gross <jesse at kernel.org>
>

Thanks for the review. I pushed this patch along with the two other patches
mentioned in the commit message all the way to OVS 2.5.


