[ovs-git] [openvswitch/ovs] 19cd0a: ipsec: Do not allow ipsec_gre tunnel traffic to ex...

GitHub noreply at github.com
Tue Aug 30 22:01:20 UTC 2016


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: 19cd0a87827ea0aebaca42c677f216dc687d5997
      https://github.com/openvswitch/ovs/commit/19cd0a87827ea0aebaca42c677f216dc687d5997
  Author: Ansis Atteka <aatteka at ovn.org>
  Date:   2016-08-30 (Tue, 30 Aug 2016)

  Changed paths:
    M debian/control
    M debian/ovs-monitor-ipsec
    M tests/ofproto-macros.at

  Log Message:
  -----------
  ipsec: Do not allow ipsec_gre tunnel traffic to exit unencrypted

If the ipsec_gre tunnel configuration is changed in OVSDB,
then GRE packets may sometimes exit unencrypted until
per-tunnel IPsec policies are installed by the ovs-monitor-ipsec
daemon.

This patch fixes this issue by installing a single, low
priority IPsec block policy that drops all GRE packets
coming out from ipsec_gre tunnels that do not yet have
their own IPsec policies installed.

This patch depends on two other recently committed
patches:
1. 574ff4aa (tunneling: get skb marking to work
   properly with tunnels)
2. ca3574d5 (IPsec: refactor out some code in
   OVS_MONITOR_IPSEC_START macro)

Signed-off-by: Ansis Atteka <aatteka at ovn.org>
Reported-by: Steffen Birkeland <Steffefb at stud.ntnu.no>
Acked-by: Jesse Gross <jesse at kernel.org>



