[ovs-dev] [PATCH 1/2] Documentation: update IPsec tutorial for F32

Kevin Traynor ktraynor at redhat.com
Fri Oct 23 18:01:59 UTC 2020


On 23/10/2020 15:24, Mark Gray wrote:
> On 21/10/2020 16:07, Stokes, Ian wrote:
>>> F32 requires the "python3-openvswitch" package now. Also, the
>>> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32.
>>>
>>
>> Hi Mark, thanks for the patch, some minor comments below.
>>
>>> Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
>>> ---
>>>  Documentation/tutorials/ipsec.rst | 27 ++++++++++++---------------
>>>  1 file changed, 12 insertions(+), 15 deletions(-)
>>>
>>> diff --git a/Documentation/tutorials/ipsec.rst
>>> b/Documentation/tutorials/ipsec.rst
>>> index b4c323513..ea0b6a63f 100644
>>> --- a/Documentation/tutorials/ipsec.rst
>>> +++ b/Documentation/tutorials/ipsec.rst
>>> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages
>>>  ---------------------------------
>>>
>>>  OVS IPsec has .deb and .rpm packages. You should use the right package
>>> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27
>>> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32
>>>  as examples.
>>
>> Given that the instructions change between Fedora versions, is it worth adding a note that for Fedora versions older than Fedora 32, users should consult the previous OVS release tutorial?
> 
> This is just a tutorial so I am not making any statement about
> availability of the IPsec feature in different distros only that, as of
> F32, the instructions are correct.
> 

Fedora 31 will be EOL next month. For Fedora in particular, I don't
think there's any point in writing anything for older releases.

> The main difference is regarding the iptables instructions below. I
> think Eric has cleared that up and I will update the documentation to
> reflect that, as that seems to be the most generic way to enable the firewall
> across multiple Fedora releases.
> 
> 
>>
>> The alternative would be to maintain another section here for Fedora 27 but that seems like a pain and TBH I'm not sure if Fedora 27 is still active? As such a note might suffice.
>>
>>>
>>>  Ubuntu
>>> @@ -71,21 +71,18 @@ Ubuntu
>>>  Fedora
>>>  ~~~~~~
>>>
>>> -1. Follow :doc:`/intro/install/fedora` to build RPM packages.
>>> +1. Install the related packages. Fedora 32 does not require installation of
>>> +   the out-of-tree kernel module::
>>>
>>> -2. Install the related packages::
>>> -
>>> -       $ dnf install python2-openvswitch libreswan \
>>> -                     "kernel-devel-uname-r == $(uname -r)"
>>> -       $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \
>>> -                openvswitch-openvswitch-ipsec-*.rpm
>>> +       $ dnf install python3-openvswitch libreswan \
>>> +                     openvswitch openvswitch-ipsec
>>>
>>> -3. Install firewall rules to allow ESP and IKE traffic::
>>> +2. Install firewall rules to allow ESP and IKE traffic::
>>>
>>> -       $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
>>> -       $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
>>> +       $ iptables -A INPUT -p esp -j ACCEPT
>>> +       $ iptables -A INPUT -p udp --dport 500 -j ACCEPT
>>
>> Same as above, again maybe a line at the beginning of the tutorial would help point people in the right direction depending on the version they are using?
> 
> Will update as per Eric's comments
>>  
>>>
>>> -4. Run the openvswitch-ipsec service::
>>> +3. Run the openvswitch-ipsec service::
>>>
>>>         $ systemctl start openvswitch-ipsec.service
>>>
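
Review bot: In step 2, `iptables -A INPUT` appends the two ACCEPT rules to the end of the chain, so on a host whose INPUT chain already contains a REJECT or DROP rule the ESP and UDP 500 packets are rejected before these rules are reached. Consider inserting the rules ahead of any reject rule (`-I INPUT`) or using the distribution's firewall tooling, and state in the text that rules added this way do not survive a reboot. Step 1 also removes the `Follow :doc:`/intro/install/fedora`` pointer without explanation; one sentence saying the packages are now installed with `dnf` instead of being built locally would make the dropped build step clear to readers.
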
>>> @@ -97,7 +94,7 @@ Fedora
>>>  Configuring IPsec tunnel
>>>  ------------------------
>>>
>>> -Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s
>>> +Suppose you want to build an IPsec tunnel between two hosts. Assume
>>> `host_1`'s
>>>  external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
>>>  `host_1` and `host_2` can ping each other via these external IPs.
>>>
>>> @@ -123,8 +120,8 @@ external IP is 1.1.1.1, and `host_2`'s external IP is
>>> 2.2.2.2. Make sure
>>>
>>>  2. Set up IPsec tunnel.
>>>
>>> -   There are three authentication methods. You can choose one to set up your
>>> -   IPsec tunnel.
>>> +   There are three authentication methods.  Choose one method to set up your
>>> +   IPsec tunnel and follow the steps below.
>>>
>>>     a) Using pre-shared key:
>>>
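
Review bot: The added line `There are three authentication methods.  Choose one method to set up your` has two spaces after the period, while the other text touched by this patch (`hosts. Assume`, `2.2.2.2. Make sure`) uses one; use a single space to match. "Follow the steps below" is also ambiguous here, since items a), b) and c) each follow; "follow the steps for that method" would read more precisely.
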
>>
>> Other than that LGTM. Did you have any thoughts on requirements for backporting it? 
> 
> No need for the documentation - 2/2 is a bug though so probably should be.
>>
>> Regards
>> Ian
>>> --
>>> 2.26.2
>>>
>>> _______________________________________________
>>> dev mailing list
>>> dev at openvswitch.org
>>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>
> 