| Message ID | 20201023183922.332767-2-mark.d.gray@redhat.com |
|---|---|
| State | Superseded |
| Series | Some fixes for OVS IPsec on Fedora |
On Fri, Oct 23, 2020 at 02:39:21PM -0400, Mark Gray wrote: > F32 requires the "python3-openvswitch" package now. Also, the > iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32. > > Signed-off-by: Mark Gray <mark.d.gray@redhat.com> > --- > Documentation/tutorials/ipsec.rst | 30 ++++++++++++++++-------------- > 1 file changed, 16 insertions(+), 14 deletions(-) > > diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst > index b4c3235132bc..c7f3c43ca6dd 100644 > --- a/Documentation/tutorials/ipsec.rst > +++ b/Documentation/tutorials/ipsec.rst > @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages > --------------------------------- > > OVS IPsec has .deb and .rpm packages. You should use the right package > -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27 > +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32 > as examples. > > Ubuntu 
> @@ -71,21 +71,23 @@ Ubuntu > Fedora > ~~~~~~ > > -1. Follow :doc:`/intro/install/fedora` to build RPM packages. > +1. Install the related packages. Fedora 32 does not require installation of > + the out-of-tree kernel module:: > > -2. Install the related packages:: > + $ dnf install python3-openvswitch libreswan \ > + openvswitch openvswitch-ipsec > + > +2. Install firewall rules to allow ESP and IKE traffic:: > > - $ dnf install python2-openvswitch libreswan \ > - "kernel-devel-uname-r == $(uname -r)" > - $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \ > - openvswitch-openvswitch-ipsec-*.rpm > + $ systemctl start firewalld > + $ firewall-cmd --add-service ipsec > > -3. Install firewall rules to allow ESP and IKE traffic:: > + Or to make permanent:: > > - $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT > - $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT > + $ systemctl enable firewalld > + $ firewall-cmd --permanent --add-service ipsec nit: These commands require root. So prompt should be '#'. > -4. Run the openvswitch-ipsec service:: > +3. Run the openvswitch-ipsec service:: > > $ systemctl start openvswitch-ipsec.service > > @@ -97,7 +99,7 @@ Fedora > Configuring IPsec tunnel > ------------------------ > > -Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s > +Suppose you want to build an IPsec tunnel between two hosts. Assume `host_1`'s > external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure > `host_1` and `host_2` can ping each other via these external IPs. 
> > @@ -123,8 +125,8 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure > > 2. Set up IPsec tunnel. > > - There are three authentication methods. You can choose one to set up your > - IPsec tunnel. > + There are three authentication methods. Choose one method to set up your > + IPsec tunnel and follow the steps below. > > a) Using pre-shared key: > > -- > 2.26.2 Otherwise, LGTM. Acked-by: Eric Garver <eric@garver.life>
On 23/10/2020 20:23, Eric Garver wrote:
> On Fri, Oct 23, 2020 at 02:39:21PM -0400, Mark Gray wrote:
>>
>> - $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT
>> - $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT
>> + $ systemctl enable firewalld
>> + $ firewall-cmd --permanent --add-service ipsec
>
> nit: These commands require root. So prompt should be '#'.
>

Good catch, I will update.
On 23/10/2020 20:23, Eric Garver wrote:
> On Fri, Oct 23, 2020 at 02:39:21PM -0400, Mark Gray wrote:
>
> nit: These commands require root. So prompt should be '#'.

The whole file was incorrect. I just updated the whole thing. v3 is posted at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-October/376642.html
diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst index b4c3235132bc..c7f3c43ca6dd 100644 --- a/Documentation/tutorials/ipsec.rst +++ b/Documentation/tutorials/ipsec.rst @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages --------------------------------- OVS IPsec has .deb and .rpm packages. You should use the right package -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 27 +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and Fedora 32 as examples. Ubuntu @@ -71,21 +71,23 @@ Ubuntu Fedora ~~~~~~ -1. Follow :doc:`/intro/install/fedora` to build RPM packages. +1. Install the related packages. Fedora 32 does not require installation of + the out-of-tree kernel module:: -2. Install the related packages:: + $ dnf install python3-openvswitch libreswan \ + openvswitch openvswitch-ipsec + +2. Install firewall rules to allow ESP and IKE traffic:: - $ dnf install python2-openvswitch libreswan \ - "kernel-devel-uname-r == $(uname -r)" - $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \ - openvswitch-openvswitch-ipsec-*.rpm + $ systemctl start firewalld + $ firewall-cmd --add-service ipsec -3. Install firewall rules to allow ESP and IKE traffic:: + Or to make permanent:: - $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT - $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT + $ systemctl enable firewalld + $ firewall-cmd --permanent --add-service ipsec -4. Run the openvswitch-ipsec service:: +3. Run the openvswitch-ipsec service:: $ systemctl start openvswitch-ipsec.service @@ -97,7 +99,7 @@ Fedora Configuring IPsec tunnel ------------------------ -Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s +Suppose you want to build an IPsec tunnel between two hosts. Assume `host_1`'s external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure `host_1` and `host_2` can ping each other via these external IPs. 
@@ -123,8 +125,8 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure 2. Set up IPsec tunnel. - There are three authentication methods. You can choose one to set up your - IPsec tunnel. + There are three authentication methods. Choose one method to set up your + IPsec tunnel and follow the steps below. a) Using pre-shared key:
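Review bot: in the `@@ -71,21 +71,23 @@` hunk, the "Or to make permanent" block (`$ systemctl enable firewalld` / `$ firewall-cmd --permanent --add-service ipsec`) only writes the rule to firewalld's on-disk configuration and enables the unit for the next boot; it does not open ESP and IKE on the running firewall, and `systemctl enable` alone does not start the daemon. A reader who follows just that block will have no working rule until a reload or reboot. Suggest either presenting the runtime commands as required and the permanent ones as an addition (e.g. `# firewall-cmd --add-service ipsec` followed by `# firewall-cmd --runtime-to-permanent`), or appending `# firewall-cmd --reload` to the permanent block. As Eric already noted, all of the `dnf`, `systemctl` and `firewall-cmd` lines in this hunk run as root, so the prompt should be `#` rather than `$`. Since the explicit ESP and UDP/500 iptables rules are being replaced by the opaque `ipsec` service name, one sentence saying what that service opens would keep the tutorial as informative as the version it replaces.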
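Review bot: in the `@@ -97,7 +99,7 @@` hunk, the paragraph being reworded still uses `1.1.1.1` and `2.2.2.2` for `host_1` and `host_2`; both are real, routable public addresses (1.1.1.1 in particular is a public DNS resolver), so a copy-pasted tunnel configuration would point at live third-party hosts. While this paragraph is being touched, consider switching the examples to the RFC 5737 documentation ranges (e.g. `192.0.2.1` and `198.51.100.1`), and update the later hunks that repeat these addresses in their context lines to match.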
F32 requires the "python3-openvswitch" package now. Also, the iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32. Signed-off-by: Mark Gray <mark.d.gray@redhat.com> --- Documentation/tutorials/ipsec.rst | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-)