{"id":2239751,"url":"http://patchwork.ozlabs.org/api/patches/2239751/","web_url":"http://patchwork.ozlabs.org/project/ovn/patch/20260518104337.102446-1-moloings@redhat.com/","project":{"id":68,"url":"http://patchwork.ozlabs.org/api/projects/68/","name":"Open Virtual Network development","link_name":"ovn","list_id":"ovs-dev.openvswitch.org","list_email":"ovs-dev@openvswitch.org","web_url":"http://openvswitch.org/","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260518104337.102446-1-moloings@redhat.com>","list_archive_url":null,"date":"2026-05-18T10:43:37","name":"[ovs-dev,1/1] IPsec: Add IPsec backend debug options.","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"dd856d5fa2e06971ff3a0ddacde21fd81504d3c1","submitter":{"id":91032,"url":"http://patchwork.ozlabs.org/api/people/91032/","name":"Mairtin O'Loingsigh","email":"moloings@redhat.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ovn/patch/20260518104337.102446-1-moloings@redhat.com/mbox/","series":[{"id":504720,"url":"http://patchwork.ozlabs.org/api/series/504720/","web_url":"http://patchwork.ozlabs.org/project/ovn/list/?series=504720","date":"2026-05-18T10:43:37","name":"[ovs-dev,1/1] IPsec: Add IPsec backend debug options.","version":1,"mbox":"http://patchwork.ozlabs.org/series/504720/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2239751/comments/","check":"success","checks":"http://patchwork.ozlabs.org/api/patches/2239751/checks/","tags":{},"related":[],"headers":{"Return-Path":"<ovs-dev-bounces@openvswitch.org>","X-Original-To":["incoming@patchwork.ozlabs.org","dev@openvswitch.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","ovs-dev@lists.linuxfoundation.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n 
header.s=mimecast20190719 header.b=eLhYAP9f;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)","smtp4.osuosl.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key)\n header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=eLhYAP9f","smtp4.osuosl.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4gJvYs5b4Tz1yKM\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 18 May 2026 20:44:17 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 488704133D;\n\tMon, 18 May 2026 10:44:15 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id tB28u_YGzUsW; Mon, 18 May 2026 10:44:14 +0000 (UTC)","from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])\n\tby smtp4.osuosl.org (Postfix) with ESMTPS id 6150C4125E;\n\tMon, 18 May 2026 10:44:14 +0000 (UTC)","from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id 3B044C04EA;\n\tMon, 18 May 2026 10:44:14 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 51674C04E9\n for <dev@openvswitch.org>; Mon, 18 May 2026 10:44:13 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 441514125E\n for <dev@openvswitch.org>; Mon, 18 May 2026 10:44:13 +0000 (UTC)","from smtp4.osuosl.org 
([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id dzo4w92xtvNH for <dev@openvswitch.org>;\n Mon, 18 May 2026 10:44:12 +0000 (UTC)","from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.133.124])\n by smtp4.osuosl.org (Postfix) with ESMTPS id 2887241257\n for <dev@openvswitch.org>; Mon, 18 May 2026 10:44:11 +0000 (UTC)","from mail-qk1-f198.google.com (mail-qk1-f198.google.com\n [209.85.222.198]) by relay.mimecast.com with ESMTP with STARTTLS\n (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id\n us-mta-210-qxyllQSiNb-Z9zCX-adxUw-1; Mon, 18 May 2026 06:44:09 -0400","by mail-qk1-f198.google.com with SMTP id\n af79cd13be357-90d2d8dc97bso522333385a.2\n for <dev@openvswitch.org>; Mon, 18 May 2026 03:44:09 -0700 (PDT)","from moloings-thinkpadp1gen7.rmtie.csb\n ([2001:bb6:2be4:f100:a13c:8a56:eb6f:ed3f])\n by smtp.gmail.com with ESMTPSA id\n af79cd13be357-910baa3c045sm1457930285a.13.2026.05.18.03.44.05\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 18 May 2026 03:44:06 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.9.56;\n helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org 6150C4125E","OpenDKIM Filter v2.11.0 smtp4.osuosl.org 2887241257"],"Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=170.10.133.124;\n helo=us-smtp-delivery-124.mimecast.com; envelope-from=moloings@redhat.com;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org 2887241257",
"X-MC-Unique":"qxyllQSiNb-Z9zCX-adxUw-1","X-Mimecast-MFC-AGG-ID":"qxyllQSiNb-Z9zCX-adxUw_1779101048","X-Received":["by 2002:a05:620a:a187:10b0:912:bb4b:a8ec with SMTP id\n af79cd13be357-912bb4bab44mr1144298185a.31.1779101047553;\n Mon, 18 May 2026 
03:44:07 -0700 (PDT)","by 2002:a05:620a:a187:10b0:912:bb4b:a8ec with SMTP id\n af79cd13be357-912bb4bab44mr1144294685a.31.1779101046879;\n Mon, 18 May 2026 03:44:06 -0700 (PDT)"],"To":"dev@openvswitch.org","Date":"Mon, 18 May 2026 11:43:37 +0100","Message-ID":"<20260518104337.102446-1-moloings@redhat.com>","X-Mailer":"git-send-email 2.54.0","MIME-Version":"1.0","X-Mimecast-Spam-Score":"0","X-Mimecast-MFC-PROC-ID":"p2sLxbNEPAejyYqPhugl5hNnSUHwD88kjf-NSaBEH1c_1779101048","X-Mimecast-Originator":"redhat.com","Subject":"[ovs-dev] [PATCH ovn 1/1] IPsec: Add IPsec backend debug options.","X-BeenThere":"ovs-dev@openvswitch.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"<ovs-dev.openvswitch.org>","List-Unsubscribe":"<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>","List-Archive":"<http://mail.openvswitch.org/pipermail/ovs-dev/>","List-Post":"<mailto:ovs-dev@openvswitch.org>","List-Help":"<mailto:ovs-dev-request@openvswitch.org?subject=help>","List-Subscribe":"<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>","From":"Mairtin O'Loingsigh via dev <ovs-dev@openvswitch.org>","Reply-To":"Mairtin O'Loingsigh <moloings@redhat.com>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"ovs-dev-bounces@openvswitch.org","Sender":"\"dev\" <ovs-dev-bounces@openvswitch.org>"},"content":"Add ability to pass any nb_global option with the ipsec prefix to sb, which\nwill get used by ovs-monitor-ipsec to configure IPsec backend. For\nexample\n\novn-nbctl set nb_global . options:ipsec_replay-window=128\novn-nbctl set nb_global . options:ipsec_dpd-delay=30s\novn-nbctl set nb_global . options:ipsec_dpd-timeout=120s\novn-nbctl set nb_global . 
options:ipsec_salifetime=8h\n\nReported-at: https://redhat.atlassian.net/browse/FDP-3029\nSigned-off-by: Mairtin O'Loingsigh <moloings@redhat.com>\n---\n Documentation/tutorials/ovn-ipsec.rst |  5 +++++\n NEWS                                  |  1 +\n controller/encaps.c                   | 13 +++++++++++++\n tests/ovn-ipsec.at                    | 12 ++++++++++++\n 4 files changed, 31 insertions(+)","diff":"diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst\nindex aebd3e848..f9b58b9ba 100644\n--- a/Documentation/tutorials/ovn-ipsec.rst\n+++ b/Documentation/tutorials/ovn-ipsec.rst\n@@ -166,6 +166,11 @@ You can also check the logs of the ``ovs-monitor-ipsec`` daemon and the IKE\n daemon to locate issues.  ``ovs-monitor-ipsec`` outputs log messages to\n ``/var/log/openvswitch/ovs-monitor-ipsec.log``.\n \n+Any \"ipsec_*\" option such as the one below can be set and to configure the\n+underlying IPsec backend, which can simplify debug.\n+\n+    $ ovn-nbctl set nb_global . 
options:ipsec_replay-window=128\n+\n Bug Reporting\n -------------\n \ndiff --git a/NEWS b/NEWS\nindex 9839d19b9..256e7eb17 100644\n--- a/NEWS\n+++ b/NEWS\n@@ -1,5 +1,6 @@\n Post v26.03.0\n -------------\n+   - Added ability to set any 'ipsec_*' which will be passed IPsec backend.\n    - Documented missing ovn-nbctl commands: \"mirror-rule-add\",\n      \"mirror-rule-del\", \"lr-nat-update-ext-ip\",\n      \"ha-chassis-group-set-chassis-prio\", \"lsp-add-router-port\",\ndiff --git a/controller/encaps.c b/controller/encaps.c\nindex 081fbe671..2a483c237 100644\n--- a/controller/encaps.c\n+++ b/controller/encaps.c\n@@ -276,6 +276,19 @@ tunnel_add(struct tunnel_ctx *tc,\n         if (forceencaps) {\n             smap_add(&options, \"ipsec_forceencaps\", \"yes\");\n         }\n+\n+        struct smap_node *node;\n+        SMAP_FOR_EACH (node, &sbg->options) {\n+            char ipsec_prefix[] = \"ipsec_\";\n+            if (!strncmp(ipsec_prefix, node->key, strlen(ipsec_prefix)) &&\n+                strcmp(\"ipsec_encapsulation\", node->key) &&\n+                strcmp(\"ipsec_forceencaps\", node->key)) {\n+                const char *ipsec_option = smap_get(&sbg->options, node->key);\n+                if (ipsec_option) {\n+                    smap_add(&options, node->key, ipsec_option);\n+                }\n+            }\n+        }\n     }\n \n     if (is_ramp_tunnel(&chassis_rec->other_config)) {\ndiff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at\nindex 961fc643f..05fbced28 100644\n--- a/tests/ovn-ipsec.at\n+++ b/tests/ovn-ipsec.at\n@@ -45,6 +45,10 @@ ovs-vsctl \\\n # Enable IPsec\n check ovn-nbctl set nb_global . ipsec=true\n check ovn-nbctl set nb_global . options:ipsec_encapsulation=true\n+check ovn-nbctl set nb_global . options:ipsec_replay-window=100\n+check ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s\n+check ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s\n+check ovn-nbctl set nb_global . 
options:ipsec_salifetime=8h\n \n check ovn-nbctl --wait=hv sync\n \n@@ -52,9 +56,17 @@ OVS_WAIT_UNTIL([test x`as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_i\n AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d '\"\\n'], [0], [192.168.0.2])\n AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d '\\n'], [0], [hv1])\n AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation | tr -d '\\n'], [0], [yes])\n+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_replay-window | tr -d '\\n'], [0], [\"100\"])\n+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-delay | tr -d '\\n'], [0], [\"30s\"])\n+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-timeout | tr -d '\\n'], [0], [\"120s\"])\n+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_salifetime | tr -d '\\n'], [0], [\"8h\"])\n OVS_WAIT_UNTIL([test x`as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d '\"\\n'` = x192.168.0.2])\n AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d '\"\\n'], [0], [192.168.0.1])\n AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d '\\n'], [0], [hv2])\n AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation | tr -d '\\n'], [0], [yes])\n+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_replay-window | tr -d '\\n'], [0], [\"100\"])\n+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-delay | tr -d '\\n'], [0], [\"30s\"])\n+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-timeout | tr -d '\\n'], [0], [\"120s\"])\n+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_salifetime | tr -d '\\n'], [0], [\"8h\"])\n \n AT_CLEANUP\n","prefixes":["ovs-dev","1/1"]}
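Review bot: In the Documentation/tutorials/ovn-ipsec.rst hunk, the added sentence "can be set and to configure the underlying IPsec backend" is ungrammatical, and because the paragraph ends with a period rather than "::" the indented "$ ovn-nbctl set nb_global . options:ipsec_replay-window=128" line renders as a block quote instead of a literal block in reStructuredText. Suggest wording along the lines of "Any ipsec_* option, such as the one below, can be set to configure the underlying IPsec backend, which can simplify debugging::". The text should also say that ipsec_encapsulation and ipsec_forceencaps are handled separately and that the remaining ipsec_* values are copied to the tunnel interface as given, so an operator knows a typo is not caught at this layer.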
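Review bot: The NEWS entry is missing words in "set any 'ipsec_*' which will be passed IPsec backend". Suggest "Added ability to set any 'ipsec_*' option in nb_global options, which is passed to the IPsec backend."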
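Review bot: The loop added to tunnel_add() in controller/encaps.c copies every sbg->options key that starts with "ipsec_", together with its value, into the tunnel options with no allow-list of keys and no check on the value, and the commit message says these are then used by ovs-monitor-ipsec to configure the IPsec backend. Please either restrict the keys to a known set, validate key and value here (for example rejecting whitespace, newlines and empty values), or point to where the consumer sanitizes them, since anyone able to write nb_global options now influences the backend configuration of each chassis that builds these tunnels. Separately, smap_get(&sbg->options, node->key) looks up the node that is already being iterated, so node->value can be used directly and the "if (ipsec_option)" test dropped, and ipsec_prefix can be declared once as a const outside the loop body.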
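Review bot: The tests/ovn-ipsec.at hunks only assert that the four new options show up on ovn-hv1-0 and ovn-hv2-0; nothing covers the removal path or the two keys the new loop skips. Please add a step that removes one option from nb_global, runs "ovn-nbctl --wait=hv sync", and checks that it is gone from the Interface options, plus a check that ipsec_encapsulation still reads "yes" only through its dedicated handling. The new AT_CHECK lines on hv2 also run without their own wait, relying on the earlier OVS_WAIT_UNTIL for remote_ip, which is worth a comment if that ordering is intentional.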