[ovs-dev] [PATCH 1/2] Documentation: update IPsec tutorial for F32

Eric Garver eric at garver.life
Thu Oct 22 14:01:19 UTC 2020


On Fri, Oct 02, 2020 at 01:33:57PM -0400, Mark Gray wrote:
> F32 requires the "python3-openvswitch" package now. Also, the
> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.
> 
> Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
> ---
>  Documentation/tutorials/ipsec.rst | 27 ++++++++++++---------------
>  1 file changed, 12 insertions(+), 15 deletions(-)
> 
> diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst
> index b4c323513..ea0b6a63f 100644
> --- a/Documentation/tutorials/ipsec.rst
> +++ b/Documentation/tutorials/ipsec.rst
> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages
>  ---------------------------------
>  
>  OVS IPsec has .deb and .rpm packages. You should use the right package
> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
>  as examples.
>  
>  Ubuntu
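Review bot: only the Fedora release is bumped in this sentence, so the tutorial now pairs Fedora 32 with Ubuntu 16.04; either refresh the Ubuntu example in the same series or say in the commit message that only the Fedora steps were re-verified, so readers know which half of the tutorial is current.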
> @@ -71,21 +71,18 @@ Ubuntu
>  Fedora
>  ~~~~~~
>  
> -1. Follow :doc:`/intro/install/fedora` to build RPM packages.
> +1. Install the related packages. Fedora 32 does not require installation of
> +   the out-of-tree kernel module::
>  
> -2. Install the related packages::
> -
> -       $ dnf install python2-openvswitch libreswan \
> -                     "kernel-devel-uname-r == $(uname -r)"
> -       $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
> -                openvswitch-openvswitch-ipsec-*.rpm
> +       $ dnf install python3-openvswitch libreswan \
> +                     openvswitch openvswitch-ipsec
>  
> -3. Install firewall rules to allow ESP and IKE traffic::
> +2. Install firewall rules to allow ESP and IKE traffic::
>  
> -       $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
> -       $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
> +       $ iptables -A INPUT -p esp -j ACCEPT
> +       $ iptables -A INPUT -p udp --dport 500 -j ACCEPT
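
Review bot: in the new firewall step, `iptables -A INPUT -p esp -j ACCEPT` and `iptables -A INPUT -p udp --dport 500 -j ACCEPT` append to the end of INPUT, so on a host whose INPUT chain already ends in a REJECT or DROP rule the two ACCEPT rules are never reached; if raw iptables stays in the tutorial, use `-I INPUT` (or insert ahead of the terminating rule) and note that the rules do not survive a reboot unless saved. Separately, the removed step 1 was the only pointer to :doc:`/intro/install/fedora`; the new step should say where `openvswitch` and `openvswitch-ipsec` come from (the distribution repositories rather than locally built RPMs), since readers on other releases may still have to build them.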

Fedora uses firewalld by default, hence the chain
"IN_FedoraServer_allow". I think adding the rules in iptables will not
work in f32+ because firewalld uses nftables. iptables will accept, but
firewalld/nftables will still drop it. Instead of bypassing firewalld,
it's better to open these via firewalld by adding the ipsec service.
This should work for all Fedora versions and firewalld backends.

    # firewall-cmd --add-service ipsec
    # firewall-cmd --permanent --add-service ipsec

The first command affects the runtime configuration, the second command
affects the permanent configuration.

> -4. Run the openvswitch-ipsec service::
> +3. Run the openvswitch-ipsec service::
>  
>         $ systemctl start openvswitch-ipsec.service
>  
[..]
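
As an added example (not code from the patch, the tutorial or the reply above), a small POSIX shell script that turns the firewalld point into a check a reader can run before touching the firewall for OVS IPsec: it reads the backend firewalld is configured with, warns that ACCEPT rules added with iptables will not stop firewalld's nftables ruleset from dropping ESP/IKE when that backend is nftables, and opens the traffic the firewalld way via the predefined ipsec service. The config path /etc/firewalld/firewalld.conf, the key FirewallBackend= and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check firewalld's backend, then open ESP/IKE via firewalld
# instead of raw iptables. Assumes firewalld's configuration file is
# /etc/firewalld/firewalld.conf with a FirewallBackend= key, and that the
# predefined firewalld service for IKE/ESP is called "ipsec".

# Print the configured firewalld backend ("nftables" or "iptables") read
# from a firewalld.conf file; prints "unknown" if the key is absent.
firewalld_backend() {
    conf="${1:-/etc/firewalld/firewalld.conf}"
    backend=$(sed -n 's/^FirewallBackend=[[:space:]]*//p' "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${backend:-unknown}"
}

# Return 0 if SERVICE appears as a whole word in LIST (the space-separated
# output of `firewall-cmd --list-services`), 1 otherwise.
service_listed() {
    service="$1"
    list="$2"
    for s in $list; do
        [ "$s" = "$service" ] && return 0
    done
    return 1
}

# Return 1 with a warning when firewalld uses nftables: a packet accepted by
# an iptables INPUT rule is still evaluated by firewalld's own nftables
# tables and is dropped there unless firewalld itself allows it.
warn_if_nftables() {
    if [ "$(firewalld_backend "$1")" = "nftables" ]; then
        echo "firewalld backend is nftables: iptables ACCEPT rules do not bypass firewalld" >&2
        return 1
    fi
    return 0
}

# Open IKE and ESP through firewalld, runtime and permanent configuration.
open_ipsec() {
    firewall-cmd --add-service ipsec
    firewall-cmd --permanent --add-service ipsec
}

# Only act when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "apply" ]; then
    warn_if_nftables || true
    open_ipsec
    if service_listed ipsec "$(firewall-cmd --list-services)"; then
        echo "ipsec service is open in the runtime configuration"
    fi
fi
```

Run it as `sh open-ipsec.sh apply` on the OVS IPsec hosts; without the argument it only defines the functions, so the backend and service checks can be used on their own.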