[ovs-git] [openvswitch/ovs] 926102: IPsec: refactor out some code in OVS_MONITOR_IPSEC...

GitHub noreply at github.com
Thu Sep 1 16:07:20 UTC 2016


  Branch: refs/heads/branch-2.5
  Home:   https://github.com/openvswitch/ovs
  Commit: 9261021c9e2f399a67c281307d223cea2d67e323
      https://github.com/openvswitch/ovs/commit/9261021c9e2f399a67c281307d223cea2d67e323
  Author: Ansis Atteka <aatteka at ovn.org>
  Date:   2016-09-01 (Thu, 01 Sep 2016)

  Changed paths:
    M tests/ofproto-macros.at
    M tests/ovs-monitor-ipsec.at

  Log Message:
  -----------
  IPsec: refactor out some code in OVS_MONITOR_IPSEC_START macro

This OVS_MONITOR_IPSEC_START macro will be helpful in the next
patch where it will be used also from tests/tunnel.at file to test
that skb marking happens correctly.  Otherwise, without ovs-monitor-ipsec
running the ovs-vswitchd would refuse to configure ipsec_XXX tunnels.

Signed-off-by: Ansis Atteka <aatteka at ovn.org>
Acked-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: aa143578495d8207ccdaf509df9ce5bb44d3d594
      https://github.com/openvswitch/ovs/commit/aa143578495d8207ccdaf509df9ce5bb44d3d594
  Author: Ansis Atteka <aatteka at ovn.org>
  Date:   2016-09-01 (Thu, 01 Sep 2016)

  Changed paths:
    M ofproto/tunnel.c
    M tests/tunnel.at

  Log Message:
  -----------
  tunneling: get skb marking to work properly with tunnels

There are two issues that this patch fixes:
1. it was impossible to set skb mark at all through
   NXM_NX_PKT_MARK register for tunnel packets; AND
2. ipsec_xxx tunnels would not be marked with the default
   IPsec mark (broken by d23df9a87 "lib/odp: Use masked set
   actions.").

This patch also adds anti-regression tests to prevent such
breakages in the future.

Signed-off-by: Ansis Atteka <aatteka at ovn.org>
VMware-BZ: #1653178
Acked-by: Jarno Rajahalme <jarno at ovn.org>


  Commit: 56f968e1e12a8571b6f914b1638acafcfbffbc54
      https://github.com/openvswitch/ovs/commit/56f968e1e12a8571b6f914b1638acafcfbffbc54
  Author: Ansis Atteka <aatteka at ovn.org>
  Date:   2016-09-01 (Thu, 01 Sep 2016)

  Changed paths:
    M debian/control
    M debian/ovs-monitor-ipsec
    M tests/ofproto-macros.at

  Log Message:
  -----------
  ipsec: Do not allow ipsec_gre tunnel traffic to exit unencrypted

If ipsec_gre tunnel configuration is changed in OVSDB,
then GRE packets may sometimes exit unencrypted until
per-tunnel IPsec policies are installed by ovs-monitor-ipsec
daemon.

This patch fixes this issue by installing a single, low
priority IPsec block policy that drops all GRE packets
coming out from ipsec_gre tunnels that do not yet have
their own IPsec policies installed.

This patch depends on two other recently committed
patches:
1. 574ff4aa (tunneling: get skb marking to work
   properly with tunnels)
2. ca3574d5 (IPsec: refactor out some code in
   OVS_MONITOR_IPSEC_START macro)

Signed-off-by: Ansis Atteka <aatteka at ovn.org>
Reported-by: Steffen Birkeland <Steffefb at stud.ntnu.no>
Acked-by: Jesse Gross <jesse at kernel.org>


Compare: https://github.com/openvswitch/ovs/compare/44f12c20e2d1...56f968e1e12a
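
The fail-closed behaviour described in the log message of commit 56f968e1, as an added example that is not part of the commit or of OVS: a simplified Python model of outbound IPsec policy lookup during a tunnel reconfiguration. The mark value, the priority numbers, the lower-number-wins ordering and the peer address are assumptions made for illustration.

```python
# Simplified model of outbound IPsec policy lookup (illustration only,
# not OVS or kernel code).
from dataclasses import dataclass
from typing import Optional

GRE = 47            # IP protocol number for GRE
IPSEC_MARK = 0x1    # assumed skb mark value carried by ipsec_gre traffic


@dataclass(frozen=True)
class Policy:
    priority: int                    # lower number wins (assumed convention)
    action: str                      # "protect" (encrypt) or "block" (drop)
    proto: int
    mark: int
    remote_ip: Optional[str] = None  # None matches any peer

    def matches(self, pkt):
        return (pkt["proto"] == self.proto and pkt["mark"] == self.mark
                and self.remote_ip in (None, pkt["dst"]))


def verdict(policies, pkt):
    """Action of the best matching policy, or 'bypass' (sent in cleartext)."""
    hits = [p for p in policies if p.matches(pkt)]
    return min(hits, key=lambda p: p.priority).action if hits else "bypass"


# Catch-all block policy: worst priority, matches every marked GRE packet.
BLOCK_ALL = Policy(priority=1000, action="block", proto=GRE, mark=IPSEC_MARK)


def tunnel_policy(remote_ip):
    """Per-tunnel policy, installed some time after the tunnel is configured."""
    return Policy(priority=10, action="protect", proto=GRE,
                  mark=IPSEC_MARK, remote_ip=remote_ip)


def reconfigure_window(with_block_policy):
    """Verdicts for one packet before and after the per-tunnel policy lands."""
    pkt = {"proto": GRE, "mark": IPSEC_MARK, "dst": "192.0.2.10"}  # constructed
    spd = [BLOCK_ALL] if with_block_policy else []
    before = verdict(spd, pkt)
    spd.append(tunnel_policy(pkt["dst"]))
    return before, verdict(spd, pkt)


if __name__ == "__main__":
    print("without block policy:", reconfigure_window(False))
    print("with block policy:   ", reconfigure_window(True))
```

Because the block policy selects on the mark, the model also shows why the fix depends on the skb-marking commit: an unmarked GRE packet never matches it.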

