[ovs-dev] [PATCH] openvswitch: Allow external IPsec tunnel management.

pravin shelar pshelar at ovn.org
Tue Sep 27 18:07:42 UTC 2016


On Mon, Sep 26, 2016 at 1:15 PM, pravin shelar <pshelar at ovn.org> wrote:
> On Mon, Sep 26, 2016 at 11:49 AM, Ansis Atteka <ansisatteka at gmail.com> wrote:
>>
>>
>> On 26 September 2016 at 03:48, Pravin B Shelar <pshelar at ovn.org> wrote:
>>>
>>> OVS GRE IPsec tunnel support has multiple issues, Therefore
>>
>> s/issues,/issues.
>>>
>>> it was deprecated in OVS 2.6.
>>>
>>> Following patch removes support GRE IPsec and allow external
>>
>> s/support/support for
>> s/allow/allows
>>>
>>> IPsec tunnel management for any type of tunnel not just GRE.
>>>
>>> e.g. user can encrpt Geneve or VxLan traffic.
>>
>> s/encrpt/encrypt
>>>
>>>
>>> It can be done by using openflow pipeline to set skb-mark
>>> and using xfrm to implement IPsec tunnels. xfrm can match
>>> on the skb-mark to encrypt selective tunnel traffic.
>>
>>
>> Some folks may misinterpret the paragraph above that we are recommending
>> them to use XFRM *directly* as an alternative. XFRM is just a NetLink
>> interface to the Linux kernel to install IPsec keys after these keys have been
>> negotiated by an IPsec keying daemon, such as strongSwan, openSwan/libreswan or
>> racoon.
>>
>> Instead I would recommend users to use one of the IPsec keying daemons
>> rather than XFRM directly.
>>
> ok, sounds good, I will update commit msg.
>
>>> VMware-BZ: 1710701
>>> Signed-off-by: Pravin B Shelar <pshelar at ovn.org>
>>> ---
>>> This is targeted for OVS master branch only.
>>> ---
>>>  NEWS                             |   1 +
>>>  README.md                        |   2 +-
>>>
>>>  debian/automake.mk               |   7 -
>>>  debian/control                   |  24 --
>>>  debian/openvswitch-ipsec.dirs    |   1 -
>>>  debian/openvswitch-ipsec.init    | 203 ----------------
>>>  debian/openvswitch-ipsec.install |   1 -
>>>  debian/ovs-monitor-ipsec         | 507
>>> ---------------------------------------
>>>  lib/netdev-vport.c               |  67 +-----
>>>  lib/netdev.h                     |   1 -
>>>  ofproto/ofproto-dpif-ipfix.c     |  15 --
>>>  ofproto/ofproto-dpif-sflow.c     |   7 -
>>>  ofproto/tunnel.c                 |  13 -
>>>  tests/automake.mk                |   1 -
>>>  tests/ofproto-macros.at          |  49 ----
>>>  tests/ovn-controller.at          |   2 +-
>>>  tests/ovs-monitor-ipsec.at       | 271 ---------------------
>>>  tests/testsuite.at               |   1 -
>>>  tests/tunnel-push-pop-ipv6.at    |   2 +-
>>>  tests/tunnel-push-pop.at         |   2 +-
>>>  tests/tunnel.at                  |  87 +------
>>>  utilities/bugtool/ovs-bugtool.in |   2 +-
>>>  utilities/ovs-appctl.8.in        |   4 +-
>>>  vswitchd/vswitch.xml             |  57 +----
>>>  24 files changed, 23 insertions(+), 1304 deletions(-)
>>>  delete mode 100644 debian/openvswitch-ipsec.dirs
>>>  delete mode 100755 debian/openvswitch-ipsec.init
>>>  delete mode 100644 debian/openvswitch-ipsec.install
>>>  delete mode 100755 debian/ovs-monitor-ipsec
>>>  delete mode 100644 tests/ovs-monitor-ipsec.at
>>
>>
>> Assuming you were able to build all other debian packages with "fakeroot
>> debian/rules binary" after removing and editing those files, then
>> Acked-by: Ansis Atteka <aatteka at ovn.org>
>>
> Thanks for review.
>
>> Let me know, if you want me to independently verify that as well?
>
> I will test this but it will be nice if you verify it independently.

I tested it on Debian. It was pretty straightforward to build Debian
packages. I did not see any issue with the patch, so I pushed the
patch to master.

Thanks.


