[ovs-git] [openvswitch/ovs] 926102: IPsec: refactor out some code in OVS_MONITOR_IPSEC...
GitHub
noreply at github.com
Thu Sep 1 16:07:20 UTC 2016
Branch: refs/heads/branch-2.5
Home: https://github.com/openvswitch/ovs
Commit: 9261021c9e2f399a67c281307d223cea2d67e323
https://github.com/openvswitch/ovs/commit/9261021c9e2f399a67c281307d223cea2d67e323
Author: Ansis Atteka <aatteka at ovn.org>
Date: 2016-09-01 (Thu, 01 Sep 2016)
Changed paths:
M tests/ofproto-macros.at
M tests/ovs-monitor-ipsec.at
Log Message:
-----------
IPsec: refactor out some code in OVS_MONITOR_IPSEC_START macro
This OVS_MONITOR_IPSEC_START macro will be helpful in the next
patch where it will be used also from tests/tunnel.at file to test
that skb marking happens correctly. Otherwise, without ovs-monitor-ipsec
running the ovs-vswitchd would refuse to configure ipsec_XXX tunnels.
Signed-off-by: Ansis Atteka <aatteka at ovn.org>
Acked-by: Jarno Rajahalme <jarno at ovn.org>
Commit: aa143578495d8207ccdaf509df9ce5bb44d3d594
https://github.com/openvswitch/ovs/commit/aa143578495d8207ccdaf509df9ce5bb44d3d594
Author: Ansis Atteka <aatteka at ovn.org>
Date: 2016-09-01 (Thu, 01 Sep 2016)
Changed paths:
M ofproto/tunnel.c
M tests/tunnel.at
Log Message:
-----------
tunneling: get skb marking to work properly with tunnels
There are two issues that this patch fixes:
1. it was impossible to set skb mark at all through
NXM_NX_PKT_MARK register for tunnel packets; AND
2. ipsec_xxx tunnels would not be marked with the default
IPsec mark (broken by d23df9a87 "lib/odp: Use masked set
actions.").
This patch also adds anti-regression tests to prevent such
breakages in the future.
Signed-off-by: Ansis Atteka <aatteka at ovn.org>
VMware-BZ: #1653178
Acked-by: Jarno Rajahalme <jarno at ovn.org>
Commit: 56f968e1e12a8571b6f914b1638acafcfbffbc54
https://github.com/openvswitch/ovs/commit/56f968e1e12a8571b6f914b1638acafcfbffbc54
Author: Ansis Atteka <aatteka at ovn.org>
Date: 2016-09-01 (Thu, 01 Sep 2016)
Changed paths:
M debian/control
M debian/ovs-monitor-ipsec
M tests/ofproto-macros.at
Log Message:
-----------
ipsec: Do not allow ipsec_gre tunnel traffic to exit unencrypted
If ipsec_gre tunnel configuration is changed in OVSDB,
then GRE packets may sometimes exit unencrypted until
per-tunnel IPsec policies are installed by ovs-monitor-ipsec
daemon.
This patch fixes this issue by installing single, low
priority IPsec block policy that drops all GRE packets
coming out from ipsec_gre tunnels that do not have yet
their own IPsec policies installed.
This patch depends on to two other recently committed
patches:
1. 574ff4aa (tunneling: get skb marking to work
properly with tunnels)
2. ca3574d5 (IPsec: refactor out some code in
OVS_MONITOR_IPSEC_START macro)
Signed-off-by: Ansis Atteka <aatteka at ovn.org>
Reported-by: Steffen Birkeland <Steffefb at stud.ntnu.no>
Acked-by: Jesse Gross <jesse at kernel.org>
Compare: https://github.com/openvswitch/ovs/compare/44f12c20e2d1...56f968e1e12a
More information about the git
mailing list