| Message ID | 1472497053-3211-1-git-send-email-aatteka@ovn.org |
|---|---|
| State | Accepted |
| Headers | show |
On Mon, Aug 29, 2016 at 11:57 AM, Ansis Atteka <aatteka@ovn.org> wrote: > If ipsec_gre tunnel configuration is changed in OVSDB, > then GRE packets may sometimes exit unencrypted until > per-tunnel IPsec policies are installed by ovs-monitor-ipsec > daemon. > > This patch fixes this issue by installing single, low > priority IPsec block policy that drops all GRE packets > coming out from ipsec_gre tunnels that do not have yet > their own IPsec policies installed. > > This patch depends on to two other recently committed > patches: > 1. 574ff4aa (tunneling: get skb marking to work > properly with tunnels) > 2. ca3574d5 (IPsec: refactor out some code in > OVS_MONITOR_IPSEC_START macro) > > Signed-off-by: Ansis Atteka <aatteka@ovn.org> > Reported-by: Steffen Birkeland <Steffefb@stud.ntnu.no> Acked-by: Jesse Gross <jesse@kernel.org>
On 30 August 2016 at 02:21, Jesse Gross <jesse@kernel.org> wrote: > On Mon, Aug 29, 2016 at 11:57 AM, Ansis Atteka <aatteka@ovn.org> wrote: > > If ipsec_gre tunnel configuration is changed in OVSDB, > > then GRE packets may sometimes exit unencrypted until > > per-tunnel IPsec policies are installed by ovs-monitor-ipsec > > daemon. > > > > This patch fixes this issue by installing single, low > > priority IPsec block policy that drops all GRE packets > > coming out from ipsec_gre tunnels that do not have yet > > their own IPsec policies installed. > > > > This patch depends on to two other recently committed > > patches: > > 1. 574ff4aa (tunneling: get skb marking to work > > properly with tunnels) > > 2. ca3574d5 (IPsec: refactor out some code in > > OVS_MONITOR_IPSEC_START macro) > > > > Signed-off-by: Ansis Atteka <aatteka@ovn.org> > > Reported-by: Steffen Birkeland <Steffefb@stud.ntnu.no> > > Acked-by: Jesse Gross <jesse@kernel.org> > Thanks for review. I pushed this patch along with the two other patches mentioned in the commit message all the way to OVS 2.5.
diff --git a/debian/control b/debian/control index 480ff5c..6e704f1 100644 --- a/debian/control +++ b/debian/control @@ -181,6 +181,7 @@ Description: OVN Docker drivers Package: openvswitch-ipsec Architecture: linux-any Depends: ipsec-tools (>=0.8~alpha20101208), + iproute2, openvswitch-common (= ${binary:Version}), openvswitch-switch (= ${binary:Version}), python, diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec index 091896d..e6617b0 100755 --- a/debian/ovs-monitor-ipsec +++ b/debian/ovs-monitor-ipsec @@ -45,7 +45,9 @@ import six vlog = ovs.vlog.Vlog("ovs-monitor-ipsec") root_prefix = '' # Prefix for absolute file names, for testing. SETKEY = "/usr/sbin/setkey" +IP = "/sbin/ip" exiting = False +IPSEC_MARK = "1" def unixctl_exit(conn, unused_argv, unused_aux): @@ -281,6 +283,12 @@ class IPsec(object): p.stdin.write(cmds) return p.communicate()[0] + def call_ip_xfrm(self, cmds): + exitcode = subprocess.call([root_prefix + IP, "xfrm"] + cmds) + if exitcode != 0: + vlog.err("couldn't install IPsec policy that prevents " + "traffic from exiting unencrypted") + def get_spi(self, local_ip, remote_ip, proto="esp"): # Run the setkey dump command to retrieve the SAD. Then, parse # the output looking for SPI buried in the output. Note that @@ -322,6 +330,10 @@ class IPsec(object): def spd_flush(self): self.call_setkey("spdflush;\n") + self.call_ip_xfrm(["policy", "add", "src", "0.0.0.0/0", "dst", + "0.0.0.0/0", "proto", "gre", "dir", "out", + "mark", IPSEC_MARK, "mask", IPSEC_MARK, + "action", "block", "priority", "4294967295"]); def spd_add(self, local_ip, remote_ip): cmds = ("spdadd %s %s gre -P out ipsec esp/transport//require;\n" % @@ -413,6 +425,8 @@ def main(): schema_helper.register_columns("SSL", ["certificate", "private_key"]) idl = ovs.db.idl.Idl(remote, schema_helper) + ipsec = IPsec() + ovs.daemon.daemonize() ovs.unixctl.command_register("exit", "", 0, 0, unixctl_exit, None) @@ -420,8 +434,6 @@ def main(): if error: ovs.util.ovs_fatal(error, "could not create unixctl server", vlog) - ipsec = IPsec() - interfaces = {} seqno = idl.change_seqno # Sequence number when we last processed the db while True: diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at index 2709efb..79dedf4 100644 --- a/tests/ofproto-macros.at +++ b/tests/ofproto-macros.at @@ -480,6 +480,7 @@ on_exit 'kill `cat pid ovs-monitor-ipsec.pid`' mkdir etc etc/init.d etc/racoon etc/racoon/certs mkdir usr usr/sbin +mkdir sbin AT_DATA([etc/init.d/racoon], [dnl #! /bin/sh @@ -498,6 +499,12 @@ done ]) chmod +x usr/sbin/setkey +AT_DATA([sbin/ip], [dnl +#! /bin/sh +exit 0 +]) +chmod +x sbin/ip + touch etc/racoon/certs/ovs-stale.pem ###
If ipsec_gre tunnel configuration is changed in OVSDB, then GRE packets may sometimes exit unencrypted until per-tunnel IPsec policies are installed by ovs-monitor-ipsec daemon. This patch fixes this issue by installing single, low priority IPsec block policy that drops all GRE packets coming out from ipsec_gre tunnels that do not have yet their own IPsec policies installed. This patch depends on to two other recently committed patches: 1. 574ff4aa (tunneling: get skb marking to work properly with tunnels) 2. ca3574d5 (IPsec: refactor out some code in OVS_MONITOR_IPSEC_START macro) Signed-off-by: Ansis Atteka <aatteka@ovn.org> Reported-by: Steffen Birkeland <Steffefb@stud.ntnu.no> --- debian/control | 1 + debian/ovs-monitor-ipsec | 16 ++++++++++++++-- tests/ofproto-macros.at | 7 +++++++ 3 files changed, 22 insertions(+), 2 deletions(-)