From patchwork Mon Dec 21 10:10:21 2020
X-Patchwork-Submitter: Mark Gray
X-Patchwork-Id: 1418946
From: Mark Gray
To: dev@openvswitch.org
Date: Mon, 21 Dec 2020 05:10:21 -0500
Message-Id: <20201221101021.3904963-1-mark.d.gray@redhat.com>
X-Mailer: git-send-email 2.26.2
Subject: [ovs-dev] [PATCH] ovs-monitor-ipsec: Add support for tunnel 'local_ip'

In the libreswan case, 'ovs-monitor-ipsec' sets 'left' to '%defaultroute', which will use the local address of the default route interface as the source IP address. In multihomed environments, this may not be correct if the user wants to specify what the source IP address is.

In OVS, this can be set for tunnel ports using the 'local_ip' option. This patch also uses that option to populate the 'ipsec.conf' configuration. If the 'local_ip' option is not present, it will default to the previous behaviour of using '%defaultroute'.

Signed-off-by: Mark Gray
Acked-by: Eelco Chaudron
---
 ipsec/ovs-monitor-ipsec.in | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index b84608a55d8a..7b1d94593636 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -416,11 +416,11 @@ conn prevent_unencrypted_vxlan """ auth_tmpl = {"psk": Template("""\ - left=%defaultroute + left=$local_ip right=$remote_ip authby=secret"""), "pki_remote": Template("""\ - left=%defaultroute + left=$local_ip right=$remote_ip leftid=@$local_name rightid=@$remote_name
@@ -428,7 +428,7 @@ conn prevent_unencrypted_vxlan rightcert="$remote_name" leftrsasigkey=%cert"""), "pki_ca": Template("""\ - left=%defaultroute + left=$local_ip right=$remote_ip leftid=@$local_name rightid=@$remote_name @@ -750,6 +750,7 @@ class IPsecTunnel(object): unixctl_config_tmpl = Template("""\ Tunnel Type: $tunnel_type + Local IP: $local_ip Remote IP: $remote_ip SKB mark: $skb_mark Local cert: $certificate @@ -790,6 +791,7 @@ class IPsecTunnel(object): new_conf = { "ifname": self.name, "tunnel_type": row.type, + "local_ip": options.get("local_ip", "%defaultroute"), "remote_ip": options.get("remote_ip"), "skb_mark": monitor.conf["skb_mark"], "certificate": monitor.conf["pki"]["certificate"],
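Review bot: the three libreswan templates changed in the hunks at lines 416 and 428 now require a local_ip key in the substitution dictionary, so the change is only safe as long as every caller supplies one (the hunk at line 790 does, via the "%defaultroute" default); the diffstat shows only ipsec/ovs-monitor-ipsec.in touched, so the description of the local_ip tunnel option and the IPsec documentation should be updated to say that ovs-monitor-ipsec now honours it for libreswan, otherwise operators in multihomed setups have no way to discover the new behaviour.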
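Review bot: in the hunk at line 790, options.get("local_ip", "%defaultroute") is written straight into the libreswan left= line with no check that it is an IP address; the options column is free-form text, so a typo or a non-address value yields an ipsec.conf conn that libreswan refuses to load, and the monitor would do better to validate it (ipaddress.ip_address, for instance) and fall back to %defaultroute with a logged warning. The commit message is explicitly about the libreswan case, yet this value is now computed for every IPsecTunnel regardless of backend; it should state whether the strongSwan templates are intentionally left unchanged.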