[ovs-dev] [PATCH] openvswitch: Allow external IPsec tunnel management.
pravin shelar
pshelar at ovn.org
Tue Sep 27 18:07:42 UTC 2016
On Mon, Sep 26, 2016 at 1:15 PM, pravin shelar <pshelar at ovn.org> wrote:
> On Mon, Sep 26, 2016 at 11:49 AM, Ansis Atteka <ansisatteka at gmail.com> wrote:
>>
>>
>> On 26 September 2016 at 03:48, Pravin B Shelar <pshelar at ovn.org> wrote:
>>>
>>> OVS GRE IPsec tunnel support has multiple issues, Therefore
>>
>> s/issues,/issues.
>>>
>>> it was deprecated in OVS 2.6.
>>>
>>> Following patch removes support GRE IPsec and allow external
>>
>> s/support/support for
>> s/allow/allows
>>>
>>> IPsec tunnel management for any type of tunnel not just GRE.
>>>
>>> e.g. user can encrpt Geneve or VxLan traffic.
>>
>> s/encrpt/encrypt
>>>
>>>
>>> It can be done by using openflow pipeline to set skb-mark
>>> and using xfrm to implement IPsec tunnels. xfrm can match
>>> on the skb-mark to encrypt selective tunnel traffic.
>>
>>
>> Some folks may misinterpret the paragraph above as recommending that
>> they use XFRM *directly* as an alternative. XFRM is just a Netlink
>> interface to the Linux kernel to install IPsec keys after these keys have been
>> negotiated by an IPsec keying daemon, such as strongSwan, openSwan/libreswan or
>> racoon.
>>
>> Instead I would recommend that users use one of the IPsec keying daemons
>> rather than XFRM directly.
>>
> ok, sounds good, I will update commit msg.
>
>>> VMware-BZ: 1710701
>>> Signed-off-by: Pravin B Shelar <pshelar at ovn.org>
>>> ---
>>> This is targeted for OVS master branch only.
>>> ---
>>> NEWS | 1 +
>>> README.md | 2 +-
>>>
>>> debian/automake.mk | 7 -
>>> debian/control | 24 --
>>> debian/openvswitch-ipsec.dirs | 1 -
>>> debian/openvswitch-ipsec.init | 203 ----------------
>>> debian/openvswitch-ipsec.install | 1 -
>>> debian/ovs-monitor-ipsec | 507
>>> ---------------------------------------
>>> lib/netdev-vport.c | 67 +-----
>>> lib/netdev.h | 1 -
>>> ofproto/ofproto-dpif-ipfix.c | 15 --
>>> ofproto/ofproto-dpif-sflow.c | 7 -
>>> ofproto/tunnel.c | 13 -
>>> tests/automake.mk | 1 -
>>> tests/ofproto-macros.at | 49 ----
>>> tests/ovn-controller.at | 2 +-
>>> tests/ovs-monitor-ipsec.at | 271 ---------------------
>>> tests/testsuite.at | 1 -
>>> tests/tunnel-push-pop-ipv6.at | 2 +-
>>> tests/tunnel-push-pop.at | 2 +-
>>> tests/tunnel.at | 87 +------
>>> utilities/bugtool/ovs-bugtool.in | 2 +-
>>> utilities/ovs-appctl.8.in | 4 +-
>>> vswitchd/vswitch.xml | 57 +----
>>> 24 files changed, 23 insertions(+), 1304 deletions(-)
>>> delete mode 100644 debian/openvswitch-ipsec.dirs
>>> delete mode 100755 debian/openvswitch-ipsec.init
>>> delete mode 100644 debian/openvswitch-ipsec.install
>>> delete mode 100755 debian/ovs-monitor-ipsec
>>> delete mode 100644 tests/ovs-monitor-ipsec.at
>>
>>
>> Assuming you were able to build all other debian packages with "fakeroot
>> debian/rules binary" after removing and editing those files, then
>> Acked-by: Ansis Atteka <aatteka at ovn.org>
>>
> Thanks for review.
>
>> Let me know, if you want me to independently verify that as well?
>
> I will test this but it will be nice if you verify it independently.
I tested it on Debian. It was pretty straightforward to build Debian
packages. I did not see any issue with the patch, so I pushed the
patch to master.
Thanks.