[ovs-git] [openvswitch/ovs] 58b414: ipsec: Fix IPv6 default route support for Libreswan.

Mark Gray noreply at github.com
Thu Apr 1 18:28:26 UTC 2021


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: 58b4146e0baab4780ac77d80dd066ce6caffd586
      https://github.com/openvswitch/ovs/commit/58b4146e0baab4780ac77d80dd066ce6caffd586
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-04-01 (Thu, 01 Apr 2021)

  Changed paths:
    M ipsec/ovs-monitor-ipsec.in

  Log Message:
  -----------
  ipsec: Fix IPv6 default route support for Libreswan.

When configuring IPsec, "ovs-monitor-ipsec" honours
the 'local_ip' option in the 'Interface' table by configuring
the 'left' side of the Libreswan connection with 'local_ip'.
If 'local_ip' is not specified, "ovs-monitor-ipsec" sets
'left' to '%defaultroute' which is interpreted as the IP
address of the default gateway interface.

However, when 'remote_ip' is an IPv6 address, Libreswan
still interprets '%defaultroute' as the IPv4 address on the
default gateway interface (see:
https://github.com/libreswan/libreswan/issues/416) giving
an "address family inconsistency" error.

This patch resolves this issue by specifying the
connection as IPv6 when the 'remote_ip' is IPv6 and
'local_ip' has not been set.

Fixes: 22c5eafb6efa ("ipsec: reintroduce IPsec support for tunneling")
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Acked-by: Aaron Conole <aconole at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 4ce8bb159e9cb328ace7ae862026d4220c8bcd3f
      https://github.com/openvswitch/ovs/commit/4ce8bb159e9cb328ace7ae862026d4220c8bcd3f
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-04-01 (Thu, 01 Apr 2021)

  Changed paths:
    M tests/system-common-macros.at

  Log Message:
  -----------
  system-common-macros: clean up veth device on test failure.

'on_exit' should be run directly after creation
of veth device.

Fixes: 119db2cb18a7 ("kmod-macros: Move some code to traffic-common-macros.")
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: d6afbc00d5b37a62a5544d65c3cc6e689422c273
      https://github.com/openvswitch/ovs/commit/d6afbc00d5b37a62a5544d65c3cc6e689422c273
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-04-01 (Thu, 01 Apr 2021)

  Changed paths:
    M ipsec/ovs-monitor-ipsec.in

  Log Message:
  -----------
  ipsec: Allow custom file locations.

"ovs_monitor_ipsec" assumes certain file locations for a number
of Libreswan objects. This patch allows these locations to be
configurable at startup in the Libreswan case.

This additional flexibility enables system testing for
OVS IPsec.

Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Acked-by: Aaron Conole <aconole at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 8fc62df8b135f8d2975ff794ecc15297312c8e93
      https://github.com/openvswitch/ovs/commit/8fc62df8b135f8d2975ff794ecc15297312c8e93
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-04-01 (Thu, 01 Apr 2021)

  Changed paths:
    M tests/automake.mk
    A tests/system-ipsec.at
    M tests/system-kmod-testsuite.at

  Log Message:
  -----------
  ipsec: Introduce IPsec system tests for Libreswan.

This patch adds system tests for OVS IPsec using Libreswan.
If Libreswan is not present on the system, the tests will
be skipped.

These tests set up an underlay switch with bridge 'br0'
to carry encrypted traffic between two emulated "nodes".
Each "node" is a separate network namespace ('left' and
'right') and runs an instance of the Libreswan "pluto"
daemon, ovs-monitor-ipsec, ovs-vswitch and ovsdb-server.

Each test sets up IPsec between the two emulated "nodes"
using various configurations (currently tunnel
type, IPv6/IPv6, authentication method, local_ip). After
configuration, connectivity between the two nodes is
tested and the underlay traffic is also inspected to
ensure the traffic is encrypted.

All IPsec system tests can be run by using the ipsec
keyword:

sudo make check-kernel TESTSUITEFLAGS='-k ipsec'

Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: f8be30acf2eb60d567bb7386b98f5cb58ddb9119
      https://github.com/openvswitch/ovs/commit/f8be30acf2eb60d567bb7386b98f5cb58ddb9119
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-04-01 (Thu, 01 Apr 2021)

  Changed paths:
    M ipsec/ovs-monitor-ipsec.in

  Log Message:
  -----------
  ipsec: Update ordering of imports.

Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Flavio Leitner <fbl at sysclose.org>
Acked-by: Aaron Conole <aconole at redhat.com>
Acked-by: Eelco Chaudron <echaudro at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/ac85cdb38c1f...f8be30acf2eb
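
The 'left' selection described in the log message of commit 58b4146e, as an added Python example that is not code from ovs-monitor-ipsec or from this commit. The function name `libreswan_conn` is hypothetical, the addresses are constructed documentation addresses, and the use of Libreswan's `hostaddrfamily`/`clientaddrfamily` options to mark the connection as IPv6 is an assumption, since the message does not name the option. The family check on an explicit 'local_ip' is an addition that catches the mismatch before Libreswan reports it.

```python
import ipaddress


def libreswan_conn(name, remote_ip, local_ip=None):
    """Render a minimal Libreswan 'conn' stanza for one tunnel.

    Hypothetical helper: mirrors the behaviour the commit message
    describes, not the real ovs-monitor-ipsec templates.
    """
    remote = ipaddress.ip_address(remote_ip)
    lines = [f"conn {name}"]

    if local_ip is not None:
        # 'local_ip' set in the Interface table: use it verbatim as 'left'.
        local = ipaddress.ip_address(local_ip)
        if local.version != remote.version:
            # Same condition Libreswan reports as an
            # "address family inconsistency"; fail early instead.
            raise ValueError(
                f"local_ip is IPv{local.version} but "
                f"remote_ip is IPv{remote.version}")
        lines.append(f"    left={local}")
    else:
        # No 'local_ip': fall back to the default-route interface.
        lines.append("    left=%defaultroute")
        if remote.version == 6:
            # %defaultroute resolves to IPv4 unless the connection is
            # declared IPv6 (assumed option names, see lead-in).
            lines.append("    hostaddrfamily=ipv6")
            lines.append("    clientaddrfamily=ipv6")

    lines.append(f"    right={remote}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample inputs (RFC 3849 / RFC 5737 documentation ranges).
    print(libreswan_conn("tun-v6", "2001:db8::2"))
    print(libreswan_conn("tun-v4", "192.0.2.2"))
    print(libreswan_conn("tun-v6-local", "2001:db8::2", "2001:db8::1"))
```
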

