[ovs-git] [openvswitch/ovs] 87e731: ipsec: Do not allow ipsec_gre tunnel traffic to ex...

GitHub noreply at github.com
Thu Sep 1 15:09:37 UTC 2016


  Branch: refs/heads/branch-2.6
  Home:   https://github.com/openvswitch/ovs
  Commit: 87e731f0b5ba6c694b7a7ba665a968570f3a0132
      https://github.com/openvswitch/ovs/commit/87e731f0b5ba6c694b7a7ba665a968570f3a0132
  Author: Ansis Atteka <aatteka at ovn.org>
  Date:   2016-09-01 (Thu, 01 Sep 2016)

  Changed paths:
    M debian/control
    M debian/ovs-monitor-ipsec
    M tests/ofproto-macros.at

  Log Message:
  -----------
  ipsec: Do not allow ipsec_gre tunnel traffic to exit unencrypted

If ipsec_gre tunnel configuration is changed in OVSDB,
then GRE packets may sometimes exit unencrypted until
per-tunnel IPsec policies are installed by the
ovs-monitor-ipsec daemon.

This patch fixes this issue by installing a single,
low-priority IPsec block policy that drops all GRE packets
coming out from ipsec_gre tunnels that do not yet have
their own IPsec policies installed.

This patch depends on two other recently committed
patches:
1. 574ff4aa (tunneling: get skb marking to work
   properly with tunnels)
2. ca3574d5 (IPsec: refactor out some code in
   OVS_MONITOR_IPSEC_START macro)

Signed-off-by: Ansis Atteka <aatteka at ovn.org>
Reported-by: Steffen Birkeland <Steffefb at stud.ntnu.no>
Acked-by: Jesse Gross <jesse at kernel.org>
