[ovs-dev] [PATCH] openvswitch: deprecates support for IPsec tunnel port.

Pravin B Shelar pshelar at ovn.org
Wed Sep 21 00:26:09 UTC 2016


OVS IPsec tunnel support has issues:
1. It only works for GRE.
2. It only works on Debian.
3. It does not allow the user to match on packet-mark
   on packets received on tunnel ports.

This patch deprecates support for IPsec tunnel port.

Signed-off-by: Pravin B Shelar <pshelar at ovn.org>
---
After discussing this patch with Jesse, I have decided to
just deprecate this feature and not provide any option
to allow external IPsec tunnel management.  The reason is
that this option would again cause compatibility
issues when IPsec tunnel port support is removed. Considering
this feature is not much used, it is better to just
deprecate it for OVS 2.6.
---
 NEWS                 | 1 +
 debian/changelog     | 1 +
 debian/control       | 1 +
 lib/netdev-vport.c   | 2 ++
 vswitchd/vswitch.xml | 3 +++
 5 files changed, 8 insertions(+)

diff --git a/NEWS b/NEWS
index 21ab538..9363e91 100644
--- a/NEWS
+++ b/NEWS
@@ -149,6 +149,7 @@ v2.6.0 - xx xxx xxxx
      * Flow based tunnel match and action can be used for IPv6 address using
        tun_ipv6_src, tun_ipv6_dst fields.
      * Added support for IPv6 tunnels, for details checkout FAQ.
+     * Deprecated support for IPsec tunnels ports.
    - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port and
      watch with tcpdump
    - Introduce --no-self-confinement flag that allows daemons to work with
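Review bot: the added NEWS bullet reads "IPsec tunnels ports", which should be "IPsec tunnel ports", and it gives no removal timeline. The vswitch.xml text in this same patch says support will be removed in the next version; repeating that here would let operators who only read NEWS plan a move off OVS-managed IPsec tunnel ports before they disappear.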
diff --git a/debian/changelog b/debian/changelog
index d73e636..13aae36 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -108,6 +108,7 @@ openvswitch (2.6.0-1) unstable; urgency=low
      * Flow based tunnel match and action can be used for IPv6 address using
        tun_ipv6_src, tun_ipv6_dst fields.
      * Added support for IPv6 tunnels, for details checkout FAQ.
+     * Deprecated support for IPsec tunnels ports.
    - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port and
      watch with tcpdump
    - Introduce --no-self-confinement flag that allows daemons to work with
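Review bot: the added changelog bullet carries the same "tunnels ports" wording as the NEWS entry. Correct both in one pass so the two lists stay identical.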
diff --git a/debian/control b/debian/control
index 6e704f1..da86fe9 100644
--- a/debian/control
+++ b/debian/control
@@ -200,6 +200,7 @@ Description: Open vSwitch GRE-over-IPsec support
  .
  The ovs-monitor-ipsec script provides support for encrypting GRE
  tunnels with IPsec.
+ IPsec tunnels support is deprecated.
 
 Package: openvswitch-pki
 Architecture: all
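Review bot: the added description line "IPsec tunnels support is deprecated." is appended directly under the ovs-monitor-ipsec sentence, so package tools will render it as the tail of that paragraph. Putting it in its own paragraph (a " ." separator line before it, as already used above) and wording it as "IPsec tunnel support is deprecated" would make the notice visible to someone about to install this package for tunnel encryption.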
diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c
index 8d22cf5..ac31da6 100755
--- a/lib/netdev-vport.c
+++ b/lib/netdev-vport.c
@@ -543,6 +543,8 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args)
         static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER;
         static pid_t pid = 0;
 
+        VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name);
+
 #ifndef _WIN32
         ovs_mutex_lock(&mutex);
         if (pid <= 0) {
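Review bot: the new VLOG_ERR call in set_tunnel_config() reports a deprecation at error severity even though execution continues straight into the existing mutex/pid path, so the configuration still takes effect. VLOG_WARN fits better and keeps error-level alerting meaningful for operators who monitor ovs-vswitchd logs. The message will also repeat on every call that reaches this block; consider VLOG_WARN_ONCE or a rate-limited variant. It would help to say in the message that the port type will be removed in a future release, so the log line alone tells the operator what to do.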
diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index e73023d..6381cc8 100644
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -2008,6 +2008,9 @@
           <dd>
             An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4/IPv6
             IPsec tunnel.
+            IPsec tunnel port are deprecated. The support will be completely
+            removed in next version.
+
           </dd>
 
           <dt><code>vxlan</code></dt>
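Review bot: the added documentation sentence has a number mismatch ("IPsec tunnel port are deprecated") and the phrase "removed in next version" is ambiguous once this text ships in more than one release; name the release instead. The trailing empty "+" line before </dd> is unnecessary and can be dropped. Since the commit message cites the lack of packet-mark matching as one reason for deprecation, a short pointer here to what users should do instead would make the notice actionable.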
-- 
1.9.1



