[ovs-dev] [PATCH 1/2] Documentation: update IPsec tutorial for F32

Mark Gray mark.d.gray at redhat.com
Fri Oct 23 10:13:48 UTC 2020


On 22/10/2020 15:01, Eric Garver wrote:
> On Fri, Oct 02, 2020 at 01:33:57PM -0400, Mark Gray wrote:
>> F32 requires the "python3-openvswitch" package now. Also, the
>> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.
>>
>> Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
>> ---
>>  Documentation/tutorials/ipsec.rst | 27 ++++++++++++---------------
>>  1 file changed, 12 insertions(+), 15 deletions(-)
>>
>> diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst
>> index b4c323513..ea0b6a63f 100644
>> --- a/Documentation/tutorials/ipsec.rst
>> +++ b/Documentation/tutorials/ipsec.rst
>> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages
>>  ---------------------------------
>>  
>>  OVS IPsec has .deb and .rpm packages. You should use the right package
>> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
>> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
>>  as examples.
>>  
>>  Ubuntu
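Review bot: the version bump on the `+` line matches the Fedora section later in the patch, but the subject line abbreviates it as "F32" while the text spells out "Fedora 32"; using the full name in the subject and commit message makes the change easier to find in the log. The Ubuntu 16.04 reference on the same line is left untouched; if the Ubuntu steps were re-verified as part of this update, a sentence in the commit message saying so would be useful.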
>> @@ -71,21 +71,18 @@ Ubuntu
>>  Fedora
>>  ~~~~~~
>>  
>> -1. Follow :doc:`/intro/install/fedora` to build RPM packages.
>> +1. Install the related packages. Fedora 32 does not require installation of
>> +   the out-of-tree kernel module::
>>  
>> -2. Install the related packages::
>> -
>> -       $ dnf install python2-openvswitch libreswan \
>> -                     "kernel-devel-uname-r == $(uname -r)"
>> -       $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
>> -                openvswitch-openvswitch-ipsec-*.rpm
>> +       $ dnf install python3-openvswitch libreswan \
>> +                     openvswitch openvswitch-ipsec
>>  
>> -3. Install firewall rules to allow ESP and IKE traffic::
>> +2. Install firewall rules to allow ESP and IKE traffic::
>>  
>> -       $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
>> -       $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
>> +       $ iptables -A INPUT -p esp -j ACCEPT
>> +       $ iptables -A INPUT -p udp --dport 500 -j ACCEPT
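Review bot: dropping the old step 1 also removes the only link to :doc:`/intro/install/fedora`, so readers who still want to build the RPMs themselves lose that pointer; consider keeping a one-line reference to it beside the new step 1. On the firewall lines, `iptables -A INPUT -p esp -j ACCEPT` and the UDP 500 rule are runtime-only (lost on reboot) and accept ESP and IKE from any source, and the `$` prompt suggests an unprivileged shell even though iptables, dnf and systemctl all need root; if the rules stay in this form, say that they are not persistent and use a `#` prompt for the privileged commands.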
> 
> Fedora uses firewalld by default hence the chain
> "IN_FedoraServer_allow". I think adding the rules in iptables will not
> work in f32+ because firewalld uses nftables. iptables will accept, but
> firewalld/nftables will still drop it. Instead of bypassing firewalld
> it's better to open these via firewalld by adding the ipsec service.
> This should work for all Fedora versions and firewalld backends.
> 
>     # firewall-cmd --add-service ipsec
>     # firewall-cmd --permanent --add-service ipsec
> 
> First command affects the runtime, the second command affects the
> permanent configuration.

Hi Eric, this is a much better approach. I will update the documentation
to reflect this. Thanks for your input.

> 
>> -4. Run the openvswitch-ipsec service::
>> +3. Run the openvswitch-ipsec service::
>>  
>>         $ systemctl start openvswitch-ipsec.service
>>  
> [..]
> 
