{"id":2244422,"url":"http://patchwork.ozlabs.org/api/patches/2244422/","web_url":"http://patchwork.ozlabs.org/project/ovn/patch/20260526101428.37788-1-moloings@redhat.com/","project":{"id":68,"url":"http://patchwork.ozlabs.org/api/projects/68/","name":"Open Virtual Network development","link_name":"ovn","list_id":"ovs-dev.openvswitch.org","list_email":"ovs-dev@openvswitch.org","web_url":"http://openvswitch.org/","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260526101428.37788-1-moloings@redhat.com>","list_archive_url":null,"date":"2026-05-26T10:14:28","name":"[ovs-dev,v3] IPsec: Add IPsec backend debug options.","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"f7820cccc921d1b9e905611b892b7e525a087803","submitter":{"id":91032,"url":"http://patchwork.ozlabs.org/api/people/91032/","name":"Mairtin O'Loingsigh","email":"moloings@redhat.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ovn/patch/20260526101428.37788-1-moloings@redhat.com/mbox/","series":[{"id":506012,"url":"http://patchwork.ozlabs.org/api/series/506012/","web_url":"http://patchwork.ozlabs.org/project/ovn/list/?series=506012","date":"2026-05-26T10:14:28","name":"[ovs-dev,v3] IPsec: Add IPsec backend debug options.","version":3,"mbox":"http://patchwork.ozlabs.org/series/506012/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2244422/comments/","check":"fail","checks":"http://patchwork.ozlabs.org/api/patches/2244422/checks/","tags":{},"related":[],"headers":{"Return-Path":"<ovs-dev-bounces@openvswitch.org>","X-Original-To":["incoming@patchwork.ozlabs.org","dev@openvswitch.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","ovs-dev@lists.linuxfoundation.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n 
header.s=mimecast20190719 header.b=V6AOhMIs;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=140.211.166.138; helo=smtp1.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)","smtp1.osuosl.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key)\n header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=V6AOhMIs","smtp2.osuosl.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com","smtp2.osuosl.org; dkim=pass (1024-bit key,\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=V6AOhMIs"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4gPpX655w2z1y2T\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 26 May 2026 20:14:44 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 0AEF681285;\n\tTue, 26 May 2026 10:14:43 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id m7g5XkLMX48m; Tue, 26 May 2026 10:14:41 +0000 (UTC)","from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])\n\tby smtp1.osuosl.org (Postfix) with ESMTPS id DB7E68122A;\n\tTue, 26 May 2026 10:14:40 +0000 (UTC)","from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id B6550C04EB;\n\tTue, 26 May 2026 10:14:40 +0000 (UTC)","from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 1BFAFC04E7\n for <dev@openvswitch.org>; Tue, 26 May 2026 10:14:39 +0000 (UTC)","from 
localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id F16E44083F\n for <dev@openvswitch.org>; Tue, 26 May 2026 10:14:38 +0000 (UTC)","from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id GV1k0-Td3wVw for <dev@openvswitch.org>;\n Tue, 26 May 2026 10:14:38 +0000 (UTC)","from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.133.124])\n by smtp2.osuosl.org (Postfix) with ESMTPS id CC86640183\n for <dev@openvswitch.org>; Tue, 26 May 2026 10:14:36 +0000 (UTC)","from mail-qv1-f70.google.com (mail-qv1-f70.google.com\n [209.85.219.70]) by relay.mimecast.com with ESMTP with STARTTLS\n (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id\n us-mta-608-MZabtwl2P4e_oqKJ_Tbp7Q-1; Tue, 26 May 2026 06:14:34 -0400","by mail-qv1-f70.google.com with SMTP id\n 6a1803df08f44-8badccc9194so61365666d6.1\n for <dev@openvswitch.org>; Tue, 26 May 2026 03:14:34 -0700 (PDT)","from moloings-thinkpadp1gen7.rmtie.csb\n ([2001:bb6:2be4:f100:a13c:8a56:eb6f:ed3f])\n by smtp.gmail.com with ESMTPSA id\n 6a1803df08f44-8cc812e2597sm137415246d6.32.2026.05.26.03.14.31\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 26 May 2026 03:14:32 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.9.56;\n helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org DB7E68122A","OpenDKIM Filter v2.11.0 smtp2.osuosl.org CC86640183"],"Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=170.10.133.124;\n helo=us-smtp-delivery-124.mimecast.com; envelope-from=moloings@redhat.com;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp2.osuosl.org CC86640183","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1779790475;\n 
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding;\n bh=VA4NW5K7JWmq+LxWvfWb0VtK6r61hfthNbuTBVJY7DY=;\n b=V6AOhMIsuFa34W4y+OV2GQORNegbELbMdPnhaR5LuP0vlxZ/2W6lwVtJWrq2AONmXD/i3q\n r7R5kwKJXbEKg/Nb4wvRaksLvjxgm9fzWRcrkRBivKhh5OX2hjkicojRW7yw0kUQJR5Q7F\n rLTNic854Wj9xmJua3uu9iesuSR7UkY=","X-MC-Unique":"MZabtwl2P4e_oqKJ_Tbp7Q-1","X-Mimecast-MFC-AGG-ID":"MZabtwl2P4e_oqKJ_Tbp7Q_1779790474","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1779790474; x=1780395274;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=VA4NW5K7JWmq+LxWvfWb0VtK6r61hfthNbuTBVJY7DY=;\n b=F8KZOOT2Nu1KFC9mY5H2vMCLlfvYP+TjjUA2OB4c90NbhoX5viT6YmN/kdWkba/+BY\n lhwOFQ/LCDVrWg+QoXYGw7YBmALcpmYO6lGawngu0YHiuLiV2oApaMOJEyPpJ+eWpNnr\n Dl78UfEsMvLAqlg9UjwbW/5VkHVfZhUzlpR1XfqMv4A/9wSn3cgj3Dm69uXYLqSogztc\n mRBXoFiYSawuEl2/R1diglDLVrAcOcydmrC6WK42NX7QWp2mUzqHPymEFP7iJDgccxs/\n nNofLUJqT5BoTjycmVVnD8ufjlE+cVrvoMfzEIRv/HLyjjDvGWAq/V1Lu/aCTFlvOABX\n FqIA==","X-Gm-Message-State":"AOJu0YxJj4R8n/Ni9LSYOXcmm/gww+Re8RtBBz67KhJcJWXXwt2FpH1D\n Y2qmlcwDO3OE+l4EhBb5hVjVcbucUlxgoRJRuNXiIK5UZAyvfSndEtumygKOI7czTHwHDP6Pn2i\n gRXRXxVvwGpAFo+qNOLDIgATaLnBeZFIqRPaq7WXtq41umu2AyTaU47l4iEk9Ma7LjdvjkauWpO\n ydSxY6bHV6lro2uaAKbI7MjuTH6aaGiQyoB/4P9g==","X-Gm-Gg":"Acq92OFQtAe2wa3a1fo6EAw2xNGvxutX7Jz4evcbmgajtZ0Olklz8zAH287kEHxEJyN\n Q4A4+J/CvUmnEfZVIuEjkub1r0fVN/u4NrRtXrwpYprN/wwgRjh65umrpU3jyFEFTJO0FGLzGhm\n P2lM0MaW1pIQ8MFeWTxWxGi94EAXsdVYabySCjtu+b+f5PlFfZJrcb+Nr6GOwkEW1liPu+jblPS\n 58401Y1Xoa8Tg6IIeIPJ5ORhMzvuCbtzHxhHVgA1T7MLmtJg9Xy7zBVKs98/1HPRXtqwWBX2pBF\n 08sSN+04gixCxo+50C8hWm1emc59jl3A4FYZmSxlSdnwlzEqfP2iaEf6WKtZktKqVDgH5riMTK4\n TdBb4nYQMud2+6rp/5zY7zks8Embu7WM0p2EcJVdXOD30pnpQ+0XIzb6Amegz3+pQASUaFkgwBJ\n 
CAPFTbSVhu","X-Received":["by 2002:a05:6214:d6e:b0:8ac:7d70:f0da with SMTP id\n 6a1803df08f44-8cc7b5acadamr286910556d6.14.1779790473801;\n Tue, 26 May 2026 03:14:33 -0700 (PDT)","by 2002:a05:6214:d6e:b0:8ac:7d70:f0da with SMTP id\n 6a1803df08f44-8cc7b5acadamr286909896d6.14.1779790473013;\n Tue, 26 May 2026 03:14:33 -0700 (PDT)"],"To":"dev@openvswitch.org","Cc":"i.maximets@ovn.org","Date":"Tue, 26 May 2026 11:14:28 +0100","Message-ID":"<20260526101428.37788-1-moloings@redhat.com>","X-Mailer":"git-send-email 2.54.0","MIME-Version":"1.0","X-Mimecast-Spam-Score":"0","X-Mimecast-MFC-PROC-ID":"lhy3IGhMre11uF6jOx0gEpQ7q5D68pNMVjh_AMdtAzA_1779790474","X-Mimecast-Originator":"redhat.com","Subject":"[ovs-dev] [PATCH ovn v3] IPsec: Add IPsec backend debug options.","X-BeenThere":"ovs-dev@openvswitch.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"<ovs-dev.openvswitch.org>","List-Unsubscribe":"<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>","List-Archive":"<http://mail.openvswitch.org/pipermail/ovs-dev/>","List-Post":"<mailto:ovs-dev@openvswitch.org>","List-Help":"<mailto:ovs-dev-request@openvswitch.org?subject=help>","List-Subscribe":"<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>","From":"Mairtin O'Loingsigh via dev <ovs-dev@openvswitch.org>","Reply-To":"Mairtin O'Loingsigh <moloings@redhat.com>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"ovs-dev-bounces@openvswitch.org","Sender":"\"dev\" <ovs-dev-bounces@openvswitch.org>"},"content":"Add ability to pass any nb_global option with the ipsec prefix to sb, which\novs-monitor-ipsec will use to configure IPsec backend. For example\n\novn-nbctl set nb_global . options:ipsec_replay-window=128\novn-nbctl set nb_global . options:ipsec_dpd-delay=30s\novn-nbctl set nb_global . 
options:ipsec_dpd-timeout=120s\novn-nbctl set nb_global . options:ipsec_salifetime=8h\n\nReported-at: https://redhat.atlassian.net/browse/FDP-3029\nSigned-off-by: Mairtin O'Loingsigh <moloings@redhat.com>\n---\nChanges since v2:\n  - Update ovn-ipsec.rst with the following\n    * encapsulation/forceencaps are boolean and only accept true/yes.\n    * Other ipsec_* options pass through directly.\n  - ipsec_encapsulation=yes works like =true.\n  - Uses node->value not smap_get().\n  - Move ipsec_* Column inside \"Security Configurations\" group.\n  - Fix spelling typos.\n  - Add ipsec.conf reference with <code> style.\nChanges since v1:\n  - Make prefix string static const.\n  - Fix documentation.\n  - Update news entry to reference NB_Global.\n\n Documentation/tutorials/ovn-ipsec.rst |  7 +++++++\n NEWS                                  |  2 ++\n controller/encaps.c                   | 28 +++++++++++++++++----------\n ovn-nb.xml                            |  7 +++++++\n tests/ovn-ipsec.at                    | 12 ++++++++++++\n 5 files changed, 46 insertions(+), 10 deletions(-)","diff":"diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst\nindex aebd3e848..249d3230a 100644\n--- a/Documentation/tutorials/ovn-ipsec.rst\n+++ b/Documentation/tutorials/ovn-ipsec.rst\n@@ -166,6 +166,13 @@ You can also check the logs of the ``ovs-monitor-ipsec`` daemon and the IKE\n daemon to locate issues.  ``ovs-monitor-ipsec`` outputs log messages to\n ``/var/log/openvswitch/ovs-monitor-ipsec.log``.\n \n+The ipsec_encapsulation and ipsec_forceencaps options are boolean\n+and only accept true or yes. Additional \"ipsec_*\" options such as\n+the one below can be set to pass configuration directly to the underlying\n+IPsec backend.\n+\n+    $ ovn-nbctl set nb_global . 
options:ipsec_replay-window=128\n+\n Bug Reporting\n -------------\n \ndiff --git a/NEWS b/NEWS\nindex e34a219ad..c7cec2c33 100644\n--- a/NEWS\n+++ b/NEWS\n@@ -1,5 +1,7 @@\n Post v26.03.0\n -------------\n+   - Added ability to set any \"ipsec_*\" NB_Global option to configure the\n+     IPsec backend.\n    - Documented missing ovn-nbctl commands: \"mirror-rule-add\",\n      \"mirror-rule-del\", \"lr-nat-update-ext-ip\",\n      \"ha-chassis-group-set-chassis-prio\", \"lsp-add-router-port\",\ndiff --git a/controller/encaps.c b/controller/encaps.c\nindex 081fbe671..048e85c38 100644\n--- a/controller/encaps.c\n+++ b/controller/encaps.c\n@@ -265,16 +265,24 @@ tunnel_add(struct tunnel_ctx *tc,\n         /* Force NAT-T traversal via configuration */\n         /* Two ipsec backends are supported: libreswan and strongswan */\n         /* libreswan param: encapsulation; strongswan param: forceencaps */\n-        bool encapsulation;\n-        bool forceencaps;\n-        encapsulation = smap_get_bool(&sbg->options, \"ipsec_encapsulation\",\n-                                      false);\n-        forceencaps = smap_get_bool(&sbg->options, \"ipsec_forceencaps\", false);\n-        if (encapsulation) {\n-            smap_add(&options, \"ipsec_encapsulation\", \"yes\");\n-        }\n-        if (forceencaps) {\n-            smap_add(&options, \"ipsec_forceencaps\", \"yes\");\n+\n+        struct smap_node *node;\n+        SMAP_FOR_EACH (node, &sbg->options) {\n+            static const char ipsec_prefix[] = \"ipsec_\";\n+            if (!strncmp(ipsec_prefix, node->key, strlen(ipsec_prefix))) {\n+                if (!strcmp(node->key, \"ipsec_encapsulation\") ||\n+                    !strcmp(node->key, \"ipsec_forceencaps\")) {\n+                    if (!strcasecmp(node->value, \"true\") ||\n+                        !strcasecmp(node->value, \"yes\")) {\n+                        smap_add(&options, node->key, \"yes\");\n+                    }\n+                    continue;\n+       
         }\n+\n+                if (node->value) {\n+                    smap_add(&options, node->key, node->value);\n+                }\n+            }\n         }\n     }\n \ndiff --git a/ovn-nb.xml b/ovn-nb.xml\nindex 442657018..38c6a84a2 100644\n--- a/ovn-nb.xml\n+++ b/ovn-nb.xml\n@@ -601,6 +601,13 @@\n         Tunnel encryption configuration. If this column is set to be true, all\n         OVN tunnels will be encrypted with IPsec.\n       </column>\n+\n+      <column name=\"options\" key=\"ipsec_*\">\n+        IPsec configuration parameters are passed to IPsec backend by prefixing\n+        libreswan/strongswan options with ipsec_. Please reference\n+        <code>ipsec.conf</code>(5) for a comprehensive set of instructions on\n+        IPsec configuration.\n+      </column>\n     </group>\n \n     <group title=\"Read-only Options\">\ndiff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at\nindex 961fc643f..05fbced28 100644\n--- a/tests/ovn-ipsec.at\n+++ b/tests/ovn-ipsec.at\n@@ -45,6 +45,10 @@ ovs-vsctl \\\n # Enable IPsec\n check ovn-nbctl set nb_global . ipsec=true\n check ovn-nbctl set nb_global . options:ipsec_encapsulation=true\n+check ovn-nbctl set nb_global . options:ipsec_replay-window=100\n+check ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s\n+check ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s\n+check ovn-nbctl set nb_global . 
options:ipsec_salifetime=8h\n \n check ovn-nbctl --wait=hv sync\n \n@@ -52,9 +56,17 @@ OVS_WAIT_UNTIL([test x`as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_i\n AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d '\"\\n'], [0], [192.168.0.2])\n AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d '\\n'], [0], [hv1])\n AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation | tr -d '\\n'], [0], [yes])\n+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_replay-window | tr -d '\\n'], [0], [\"100\"])\n+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-delay | tr -d '\\n'], [0], [\"30s\"])\n+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-timeout | tr -d '\\n'], [0], [\"120s\"])\n+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_salifetime | tr -d '\\n'], [0], [\"8h\"])\n OVS_WAIT_UNTIL([test x`as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d '\"\\n'` = x192.168.0.2])\n AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d '\"\\n'], [0], [192.168.0.1])\n AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d '\\n'], [0], [hv2])\n AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation | tr -d '\\n'], [0], [yes])\n+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_replay-window | tr -d '\\n'], [0], [\"100\"])\n+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-delay | tr -d '\\n'], [0], [\"30s\"])\n+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-timeout | tr -d '\\n'], [0], [\"120s\"])\n+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_salifetime | tr -d '\\n'], [0], [\"8h\"])\n \n AT_CLEANUP\n","prefixes":["ovs-dev","v3"]}
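Review bot: in the controller/encaps.c hunk, every non-boolean `ipsec_*` key and its value are copied into the tunnel options unchanged (`smap_add(&options, node->key, node->value);`), and from there ovs-monitor-ipsec turns them into backend configuration. Nothing rejects a key or value containing whitespace, `=` or a newline, so a mistyped or hostile NB_Global option becomes a malformed or unintended configuration line for the IKE daemon; consider validating the characters (or restricting keys to an allowlist of known libreswan/strongswan parameters) before the pass-through. Also, the boolean branch calls `strcasecmp(node->value, "true")` without a NULL check while the generic branch guards with `if (node->value)`; the two should agree, either both checking or neither.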
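Review bot: the ovn-nb.xml hunk documents the `ipsec_*` prefix but not that values are forwarded to the backend without validation, nor that `ipsec_encapsulation` and `ipsec_forceencaps` are the only keys OVN interprets (rewritten to `yes`, dropped otherwise), which the ovn-ipsec.rst hunk does state. Repeating that in the column description would make clear to operators that any other option name or value reaches the IKE daemon exactly as typed.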
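Review bot: the tests/ovn-ipsec.at hunks only exercise the positive path. Nothing checks the new `continue` behaviour in encaps.c, i.e. that a boolean set to something other than true/yes (for example `options:ipsec_encapsulation=false`) leaves no `ipsec_encapsulation` key on the Interface; a negative AT_CHECK for that case would pin the semantics the rst hunk documents.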