[ovs-dev] [PATCH] openvswitch: deprecates support for IPsec tunnel port.

pravin shelar pshelar at ovn.org
Sat Sep 24 18:37:35 UTC 2016


On Fri, Sep 23, 2016 at 11:27 PM, Ansis Atteka <ansisatteka at gmail.com> wrote:
>
>
> On 21 September 2016 at 03:26, Pravin B Shelar <pshelar at ovn.org> wrote:
>>
>> OVS IPsec tunnel support has issues:
>> 1. It only works for GRE.
>> 2. only works on Debian.
>> 3. It does not allow user to match on packet-mark
>>    on packet received on tunnel ports.
>>
>> This patch deprecates support for IPsec tunnel port.
>>
>> Signed-off-by: Pravin B Shelar <pshelar at ovn.org>
>> ---
>> After discussing this patch with Jesse, I have decided to
>> just deprecate this feature and not provide any option
>> to allow external IPsec tunnel management.  The reason is
>> that this option would again cause compatibility
>> issues when IPsec tunnel port support is removed. Considering
>> this feature is not much used it is better to just
>> deprecate it for OVS 2.6.
>> ---
>>  NEWS                 | 1 +
>>  debian/changelog     | 1 +
>>  debian/control       | 1 +
>>  lib/netdev-vport.c   | 2 ++
>>  vswitchd/vswitch.xml | 3 +++
>>  5 files changed, 8 insertions(+)
>>
>> diff --git a/NEWS b/NEWS
>> index 21ab538..9363e91 100644
>> --- a/NEWS
>> +++ b/NEWS
>> @@ -149,6 +149,7 @@ v2.6.0 - xx xxx xxxx
>>       * Flow based tunnel match and action can be used for IPv6 address
>> using
>>         tun_ipv6_src, tun_ipv6_dst fields.
>>       * Added support for IPv6 tunnels, for details checkout FAQ.
>> +     * Deprecated support for IPsec tunnels ports.
>>     - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port
>> and
>>       watch with tcpdump
>>     - Introduce --no-self-confinement flag that allows daemons to work
>> with
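
Review bot: The added NEWS line reads "IPsec tunnels ports"; it should be "IPsec tunnel ports". As the user-facing announcement, the entry would also be clearer if it named the affected port type, which the debian/control text in this same patch describes as GRE-over-IPsec.
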
>> diff --git a/debian/changelog b/debian/changelog
>> index d73e636..13aae36 100644
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -108,6 +108,7 @@ openvswitch (2.6.0-1) unstable; urgency=low
>>       * Flow based tunnel match and action can be used for IPv6 address
>> using
>>         tun_ipv6_src, tun_ipv6_dst fields.
>>       * Added support for IPv6 tunnels, for details checkout FAQ.
>> +     * Deprecated support for IPsec tunnels ports.
>>     - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port
>> and
>>       watch with tcpdump
>>     - Introduce --no-self-confinement flag that allows daemons to work
>> with
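
Review bot: The added debian/changelog line carries the same "IPsec tunnels ports" wording as the NEWS entry. Correct it to "IPsec tunnel ports" here too so the two announcements stay identical.
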
>> diff --git a/debian/control b/debian/control
>> index 6e704f1..da86fe9 100644
>> --- a/debian/control
>> +++ b/debian/control
>> @@ -200,6 +200,7 @@ Description: Open vSwitch GRE-over-IPsec support
>>   .
>>   The ovs-monitor-ipsec script provides support for encrypting GRE
>>   tunnels with IPsec.
>> + IPsec tunnels support is deprecated.
>>
>>  Package: openvswitch-pki
>>  Architecture: all
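
Review bot: The added description line "IPsec tunnels support is deprecated." should read "IPsec tunnel support is deprecated." It is also appended directly to the paragraph that advertises ovs-monitor-ipsec, so the notice is easy to miss in package listings; consider putting it in its own paragraph after a " ." separator line, as the description already does above.
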
>> diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c
>> index 8d22cf5..ac31da6 100755
>> --- a/lib/netdev-vport.c
>> +++ b/lib/netdev-vport.c
>> @@ -543,6 +543,8 @@ set_tunnel_config(struct netdev *dev_, const struct
>> smap *args)
>>          static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER;
>>          static pid_t pid = 0;
>>
>> +        VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name);
>> +
>>  #ifndef _WIN32
>>          ovs_mutex_lock(&mutex);
>>          if (pid <= 0) {
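
Review bot: The added VLOG_ERR in set_tunnel_config() reports a deprecation at error severity although nothing has failed at this point; VLOG_WARN would fit better and keeps error-level entries meaningful for anyone alerting on them. The call also sits before the "if (pid <= 0)" guard, so it is not limited to the first pass through this block; consider rate-limiting it or logging it once. The message text could also state that support will be removed, as the vswitch.xml change does, so that operators reading only the log know the tunnel will stop working.
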
>> diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
>> index e73023d..6381cc8 100644
>> --- a/vswitchd/vswitch.xml
>> +++ b/vswitchd/vswitch.xml
>> @@ -2008,6 +2008,9 @@
>>            <dd>
>>              An Ethernet over RFC 2890 Generic Routing Encapsulation over
>> IPv4/IPv6
>>              IPsec tunnel.
>> +            IPsec tunnel port are deprecated. The support will be
>> completely
>
>
>
> Here is a small typo that you may want to fix "tunnel port*s* are". Just
> squash it in and push.
>
Thanks for the review. I fixed the patch and pushed it to master and branch 2.6.


> Acked-by: Ansis Atteka <aatteka at ovn.org>
>


