[ovs-git] [openvswitch/ovs] 87e731: ipsec: Do not allow ipsec_gre tunnel traffic to ex...
GitHub
noreply at github.com
Thu Sep 1 15:09:37 UTC 2016
Branch: refs/heads/branch-2.6
Home: https://github.com/openvswitch/ovs
Commit: 87e731f0b5ba6c694b7a7ba665a968570f3a0132
https://github.com/openvswitch/ovs/commit/87e731f0b5ba6c694b7a7ba665a968570f3a0132
Author: Ansis Atteka <aatteka at ovn.org>
Date: 2016-09-01 (Thu, 01 Sep 2016)
Changed paths:
M debian/control
M debian/ovs-monitor-ipsec
M tests/ofproto-macros.at
Log Message:
-----------
ipsec: Do not allow ipsec_gre tunnel traffic to exit unencrypted

If ipsec_gre tunnel configuration is changed in OVSDB,
then GRE packets may sometimes exit unencrypted until
per-tunnel IPsec policies are installed by the
ovs-monitor-ipsec daemon.

This patch fixes this issue by installing a single,
low-priority IPsec block policy that drops all GRE packets
coming out from ipsec_gre tunnels that do not yet have
their own IPsec policies installed.

This patch depends on two other recently committed
patches:

1. 574ff4aa (tunneling: get skb marking to work
   properly with tunnels)
2. ca3574d5 (IPsec: refactor out some code in
   OVS_MONITOR_IPSEC_START macro)

Signed-off-by: Ansis Atteka <aatteka at ovn.org>
Reported-by: Steffen Birkeland <Steffefb at stud.ntnu.no>
Acked-by: Jesse Gross <jesse at kernel.org>
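
The window described in the log message and the effect of a catch-all block policy, as a toy model added here (not code from this commit or from ovs-monitor-ipsec). The mark bit, priorities and addresses are constructed assumptions, and in this model the lower priority number wins and a packet that matches no policy leaves in cleartext.

```python
"""Toy model of an outbound IPsec policy table (illustrative only)."""
from dataclasses import dataclass
from typing import Optional

GRE = 47            # IP protocol number for GRE
IPSEC_MARK = 0x1    # assumed skb mark bit carried by ipsec_gre traffic


@dataclass(frozen=True)
class Policy:
    priority: int                     # lower number wins in this model
    action: str                       # "encrypt" or "block"
    remote_ip: Optional[str] = None   # None matches any peer
    proto: int = GRE
    mark: int = IPSEC_MARK

    def matches(self, pkt: dict) -> bool:
        return (pkt["proto"] == self.proto
                and pkt["mark"] & self.mark == self.mark
                and self.remote_ip in (None, pkt["dst"]))


def verdict(spd: list, pkt: dict) -> str:
    """Action of the best matching policy, or 'cleartext' if none matches."""
    hits = [p for p in spd if p.matches(pkt)]
    return min(hits, key=lambda p: p.priority).action if hits else "cleartext"


def reconfigure(spd: list, old_ip: str, new_ip: str):
    """Yield the policy table at each step of a tunnel remote_ip change."""
    stale_removed = [p for p in spd if p.remote_ip != old_ip]
    yield stale_removed                                     # the window
    yield stale_removed + [Policy(10, "encrypt", new_ip)]   # daemon caught up


# Single low-priority fallback: any marked GRE packet without its own policy.
CATCH_ALL = Policy(priority=1000, action="block")


def window_verdicts(with_block: bool) -> list:
    """Verdicts for a packet to the new peer during and after the change."""
    old_ip, new_ip = "192.0.2.1", "198.51.100.7"   # constructed addresses
    spd = [Policy(10, "encrypt", old_ip)]
    if with_block:
        spd.append(CATCH_ALL)
    pkt = {"proto": GRE, "mark": IPSEC_MARK, "dst": new_ip}
    return [verdict(table, pkt) for table in reconfigure(spd, old_ip, new_ip)]


if __name__ == "__main__":
    print("without block policy:", window_verdicts(False))
    print("with block policy:   ", window_verdicts(True))
```

Because the fallback matches only marked packets, GRE traffic without the mark is not affected by it in this model.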