| Message ID | 1474850905-73895-1-git-send-email-pshelar@ovn.org |
|---|---|
| State | Accepted |
| Headers | show |
On 26 September 2016 at 03:48, Pravin B Shelar <pshelar@ovn.org> wrote: > OVS GRE IPsec tunnel support has multiple issues, Therefore > s/issues,/issues. > it was deprecated in OVS 2.6. > > Following patch removes support GRE IPsec and allow external > s/support/support for s/allow/allows > IPsec tunnel management for any type of tunnel not just GRE. e.g. user can encrpt Geneve or VxLan traffic. > s/encrpt/encrypt > > It can be done by using openflow pipeline to set skb-mark > and using xfrm to implement IPsec tunnels. xfrm can match > on the skb-mark to encrypt selective tunnel traffic. > Some folks may misinterpret the paragraph above that we are recommending them to use XFRM *directly* as an alternative. XFRM is just NetLink interface to linux kernel to install IPsec keys after these keys have been negotiated by IPsec keying daemon, such as strongSwan, openSwan/libreswan or racoon. Instead I would recommend users to use one of the IPsec keying daemons rather than XFRM directly. VMware-BZ: 1710701 > Signed-off-by: Pravin B Shelar <pshelar@ovn.org> > --- > This is targeted for OVS master branch only. > --- > NEWS | 1 + > README.md | 2 +- debian/automake.mk | 7 - > debian/control | 24 -- > debian/openvswitch-ipsec.dirs | 1 - > debian/openvswitch-ipsec.init | 203 ---------------- > debian/openvswitch-ipsec.install | 1 - > debian/ovs-monitor-ipsec | 507 ------------------------------ > --------- > lib/netdev-vport.c | 67 +----- > lib/netdev.h | 1 - > ofproto/ofproto-dpif-ipfix.c | 15 -- > ofproto/ofproto-dpif-sflow.c | 7 - > ofproto/tunnel.c | 13 - > tests/automake.mk | 1 - > tests/ofproto-macros.at | 49 ---- > tests/ovn-controller.at | 2 +- > tests/ovs-monitor-ipsec.at | 271 --------------------- > tests/testsuite.at | 1 - > tests/tunnel-push-pop-ipv6.at | 2 +- > tests/tunnel-push-pop.at | 2 +- > tests/tunnel.at | 87 +------ > utilities/bugtool/ovs-bugtool.in | 2 +- > utilities/ovs-appctl.8.in | 4 +- > vswitchd/vswitch.xml | 57 +---- > 24 files changed, 23 insertions(+), 1304 deletions(-) > delete mode 100644 debian/openvswitch-ipsec.dirs > delete mode 100755 debian/openvswitch-ipsec.init > delete mode 100644 debian/openvswitch-ipsec.install > delete mode 100755 debian/ovs-monitor-ipsec > delete mode 100644 tests/ovs-monitor-ipsec.at Assuming you were able to build all other debian packages with "fakeroot debian/rules binary" after removing and editing those files, then Acked-by: Ansis Atteka <aatteka@ovn.org> Let me know, if you want me to independently verify that as well? > > > diff --git a/NEWS b/NEWS > index 6e284aa..069ab42 100644 > --- a/NEWS > +++ b/NEWS > @@ -25,6 +25,7 @@ Post-v2.6.0 > * TLV mappings for protocols such as Geneve are now segregated on > a per-OpenFlow bridge basis rather than globally. (The interface > has not changed.) > + * Removed support for IPsec tunnels. > > v2.6.0 - xx xxx xxxx > --------------------- > diff --git a/README.md b/README.md > index cf53437..53b0faf 100644 > --- a/README.md > +++ b/README.md > @@ -30,7 +30,7 @@ vSwitch supports the following features: > * NIC bonding with or without LACP on upstream switch > * NetFlow, sFlow(R), and mirroring for increased visibility > * QoS (Quality of Service) configuration, plus policing > -* Geneve, GRE, GRE over IPSEC, VXLAN, and LISP tunneling > +* Geneve, GRE, VXLAN, STT, and LISP tunneling > * 802.1ag connectivity fault management > * OpenFlow 1.0 plus numerous extensions > * Transactional configuration database with C and Python bindings > diff --git a/debian/automake.mk b/debian/automake.mk > index 73b4d00..2da7055 100644 > --- a/debian/automake.mk > +++ b/debian/automake.mk > @@ -19,9 +19,6 @@ EXTRA_DIST += \ > debian/openvswitch-datapath-source.dirs \ > debian/openvswitch-datapath-source.install \ > debian/openvswitch-dev.install \ > - debian/openvswitch-ipsec.dirs \ > - debian/openvswitch-ipsec.init \ > - debian/openvswitch-ipsec.install \ > debian/openvswitch-pki.dirs \ > debian/openvswitch-pki.postinst \ > debian/openvswitch-pki.postrm \ > @@ -71,7 +68,6 @@ EXTRA_DIST += \ > debian/ovn-host.postinst \ > debian/ovn-host.postrm \ > debian/ovn-host.template \ > - debian/ovs-monitor-ipsec \ > debian/python-openvswitch.dirs \ > debian/python-openvswitch.install \ > debian/rules \ > @@ -79,9 +75,6 @@ EXTRA_DIST += \ > debian/ifupdown.sh \ > debian/source/format > > -FLAKE8_PYFILES += \ > - debian/ovs-monitor-ipsec > - > check-debian-changelog-version: > @DEB_VERSION=`echo '$(VERSION)' | sed 's/pre/~pre/'`; > \ > if $(FGREP) '($(DEB_VERSION)' $(srcdir)/debian/changelog > >/dev/null; \ > diff --git a/debian/control b/debian/control > index da86fe9..813721a 100644 > --- a/debian/control > +++ b/debian/control > @@ -178,30 +178,6 @@ Description: OVN Docker drivers > . > ovn-docker provides the docker drivers for OVN. > > -Package: openvswitch-ipsec > -Architecture: linux-any > -Depends: ipsec-tools (>=0.8~alpha20101208), > - iproute2, > - openvswitch-common (= ${binary:Version}), > - openvswitch-switch (= ${binary:Version}), > - python, > - python-openvswitch (= ${source:Version}), > - racoon (>=0.8~alpha20101208), > - ${misc:Depends}, > - ${shlibs:Depends} > -Description: Open vSwitch GRE-over-IPsec support > - Open vSwitch is a production quality, multilayer, software-based, > - Ethernet virtual switch. It is designed to enable massive network > - automation through programmatic extension, while still supporting > - standard management interfaces and protocols (e.g. NetFlow, IPFIX, > - sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed > - to support distribution across multiple physical servers similar to > - VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. > - . > - The ovs-monitor-ipsec script provides support for encrypting GRE > - tunnels with IPsec. > - IPsec tunnels support is deprecated. > - > Package: openvswitch-pki > Architecture: all > Depends: openvswitch-common (<< ${source:Version}.1~), > diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs > deleted file mode 100644 > index 02130d0..0000000 > --- a/debian/openvswitch-ipsec.dirs > +++ /dev/null > @@ -1 +0,0 @@ > -usr/share/openvswitch/scripts > diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init > deleted file mode 100755 > index a39dd40..0000000 > --- a/debian/openvswitch-ipsec.init > +++ /dev/null > @@ -1,203 +0,0 @@ > -#!/bin/sh > -# > -# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino <jfs@debian.org> > -# > -# This is free software; you may redistribute it and/or modify > -# it under the terms of the GNU General Public License as > -# published by the Free Software Foundation; either version 2, > -# or (at your option) any later version. > -# > -# This is distributed in the hope that it will be useful, but > -# WITHOUT ANY WARRANTY; without even the implied warranty of > -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > -# GNU General Public License for more details. > -# > -# You should have received a copy of the GNU General Public License with > -# the Debian operating system, in /usr/share/common-licenses/GPL; if > -# not, write to the Free Software Foundation, Inc., 59 Temple Place, > -# Suite 330, Boston, MA 02111-1307 USA > -# > -### BEGIN INIT INFO > -# Provides: openvswitch-ipsec > -# Required-Start: $network $local_fs $remote_fs openvswitch-switch > -# Required-Stop: $remote_fs > -# Default-Start: 2 3 4 5 > -# Default-Stop: 0 1 6 > -# Short-Description: Open vSwitch GRE-over-IPsec daemon > -# Description: The ovs-monitor-ipsec script provides support for > encrypting GRE > -# tunnels with IPsec. > -### END INIT INFO > - > -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin > - > -DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's > location > -NAME=ovs-monitor-ipsec # Introduce the short server's name here > -LOGDIR=/var/log/openvswitch # Log directory to use > - > -PIDFILE=/var/run/openvswitch/$NAME.pid > - > -test -x $DAEMON || exit 0 > - > -. /lib/lsb/init-functions > - > -DODTIME=10 # Time to wait for the server to die, in seconds > - # If this value is set too low you might not > - # let some servers to die gracefully and > - # 'restart' will not work > - > -set -e > - > -running_pid() { > -# Check if a given process pid's cmdline matches a given name > - pid=$1 > - name=$2 > - [ -z "$pid" ] && return 1 > - [ ! -d /proc/$pid ] && return 1 > - cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2` > - # Is this the expected server > - [ "$cmd" != "$name" ] && return 1 > - return 0 > -} > - > -running() { > -# Check if the process is running looking at /proc > -# (works for all users) > - > - # No pidfile, probably no daemon present > - [ ! -f "$PIDFILE" ] && return 1 > - pid=`cat $PIDFILE` > - running_pid $pid $DAEMON || return 1 > - return 0 > -} > - > -uninstall_mark_rule() { > - iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 || return 0 > -} > - > -install_mark_rule() { > - if ( ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2> > /dev/null); then > - iptables -A INPUT -t mangle $1 -j MARK --set-mark 1/1 > - fi > -} > - > -start_server() { > - if [ ! -d /var/run/openvswitch ]; then > - install -d -m 755 -o root -g root /var/run/openvswitch > - fi > - > - install_mark_rule "-p esp" > - install_mark_rule "-p udp --dport 4500" > - /usr/share/openvswitch/scripts/ovs-monitor-ipsec \ > - --pidfile=$PIDFILE --log-file --detach --monitor \ > - unix:/var/run/openvswitch/db.sock > - > - return 0 > -} > - > -stop_server() { > - if [ -e $PIDFILE ]; then > - kill `cat $PIDFILE` > - fi > - uninstall_mark_rule "-p esp" > - uninstall_mark_rule "-p udp --dport 4500" > - > - return 0 > -} > - > -force_stop() { > -# Force the process to die killing it manually > - [ ! -e "$PIDFILE" ] && return > - if running ; then > - kill -15 $pid > - # Is it really dead? > - sleep "$DODTIME" > - if running ; then > - kill -9 $pid > - sleep "$DODTIME" > - if running ; then > - echo "Cannot kill $NAME (pid=$pid)!" > - exit 1 > - fi > - fi > - fi > - rm -f $PIDFILE > -} > - > - > -case "$1" in > - start) > - log_daemon_msg "Starting $NAME" > - # Check if it's running first > - if running ; then > - log_progress_msg "apparently already running" > - log_end_msg 0 > - exit 0 > - fi > - if start_server && running ; then > - # It's ok, the server started and is running > - log_end_msg 0 > - else > - # Either we could not start it or it is not running > - # after we did > - # NOTE: Some servers might die some time after they start, > - # this code does not try to detect this and might give > - # a false positive (use 'status' for that) > - log_end_msg 1 > - fi > - ;; > - stop) > - log_daemon_msg "Stopping $NAME" > - if running ; then > - # Only stop the server if we see it running > - stop_server > - log_end_msg $? > - else > - # If it's not running don't do anything > - log_progress_msg "apparently not running" > - log_end_msg 0 > - exit 0 > - fi > - ;; > - force-stop) > - # First try to stop gracefully the program > - $0 stop > - if running; then > - # If it's still running try to kill it more forcefully > - log_daemon_msg "Stopping (force) $NAME" > - force_stop > - log_end_msg $? > - fi > - ;; > - restart|force-reload) > - log_daemon_msg "Restarting $NAME" > - stop_server > - # Wait some sensible amount, some server need this > - [ -n "$DODTIME" ] && sleep $DODTIME > - start_server > - running > - log_end_msg $? > - ;; > - status) > - log_daemon_msg "Checking status of $NAME" > - if running ; then > - log_progress_msg "running" > - log_end_msg 0 > - else > - log_progress_msg "apparently not running" > - log_end_msg 1 > - exit 1 > - fi > - ;; > - # Use this if the daemon cannot reload > - reload) > - log_warning_msg "Reloading $NAME daemon: not implemented, as the > daemon" > - log_warning_msg "cannot re-read the config file (use restart)." > - ;; > - *) > - N=/etc/init.d/openvswitch-ipsec > - echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" > >&2 > - exit 1 > - ;; > -esac > - > -exit 0 > diff --git a/debian/openvswitch-ipsec.install b/debian/openvswitch-ipsec. > install > deleted file mode 100644 > index 72cacfa..0000000 > --- a/debian/openvswitch-ipsec.install > +++ /dev/null > @@ -1 +0,0 @@ > -debian/ovs-monitor-ipsec usr/share/openvswitch/scripts > diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec > deleted file mode 100755 > index 6bc26aa..0000000 > --- a/debian/ovs-monitor-ipsec > +++ /dev/null > @@ -1,507 +0,0 @@ > -#! /usr/bin/env python > -# Copyright (c) 2009, 2010, 2011, 2012 Nicira, Inc. > -# > -# Licensed under the Apache License, Version 2.0 (the "License"); > -# you may not use this file except in compliance with the License. > -# You may obtain a copy of the License at: > -# > -# http://www.apache.org/licenses/LICENSE-2.0 > -# > -# Unless required by applicable law or agreed to in writing, software > -# distributed under the License is distributed on an "AS IS" BASIS, > -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. > -# See the License for the specific language governing permissions and > -# limitations under the License. > - > - > -# A daemon to monitor attempts to create GRE-over-IPsec tunnels. > -# Uses racoon and setkey to support the configuration. Assumes that > -# OVS has complete control over IPsec configuration for the box. > - > -# xxx To-do: > -# - Doesn't actually check that Interface is connected to bridge > -# - If a certificate is badly formed, Racoon will refuse to start. We > -# should do a better job of verifying certificates are valid before > -# adding an interface to racoon.conf. > - > - > -import argparse > -import glob > -import os > -import subprocess > -import sys > - > -import ovs.dirs > -from ovs.db import error > -import ovs.util > -import ovs.daemon > -import ovs.db.idl > -import ovs.unixctl > -import ovs.unixctl.server > -import ovs.vlog > -from six.moves import range > -import six > - > -vlog = ovs.vlog.Vlog("ovs-monitor-ipsec") > -root_prefix = '' # Prefix for absolute file names, for > testing. > -SETKEY = "/usr/sbin/setkey" > -IP = "/sbin/ip" > -exiting = False > -IPSEC_MARK = "1" > - > - > -def unixctl_exit(conn, unused_argv, unused_aux): > - global exiting > - exiting = True > - conn.reply(None) > - > - > -# Class to configure the racoon daemon, which handles IKE negotiation > -class Racoon(object): > - # Default locations for files > - conf_file = "/etc/racoon/racoon.conf" > - cert_dir = "/etc/racoon/certs" > - psk_file = "/etc/racoon/psk.txt" > - > - # Racoon configuration header we use for IKE > - conf_header = """# Configuration file generated by Open vSwitch > -# > -# Do not modify by hand! > - > -path pre_shared_key "%s"; > -path certificate "%s"; > - > -""" > - > - # Racoon configuration footer we use for IKE > - conf_footer = """sainfo anonymous { > - pfs_group 2; > - lifetime time 1 hour; > - encryption_algorithm aes; > - authentication_algorithm hmac_sha1, hmac_md5; > - compression_algorithm deflate; > -} > - > -""" > - > - # Certificate entry template. > - cert_entry = """remote %s { > - exchange_mode main; > - nat_traversal on; > - ike_frag on; > - certificate_type x509 "%s" "%s"; > - my_identifier asn1dn; > - peers_identifier asn1dn; > - peers_certfile x509 "%s"; > - verify_identifier on; > - proposal { > - encryption_algorithm aes; > - hash_algorithm sha1; > - authentication_method rsasig; > - dh_group 2; > - } > -} > - > -""" > - > - # Pre-shared key template. > - psk_entry = """remote %s { > - exchange_mode main; > - nat_traversal on; > - proposal { > - encryption_algorithm aes; > - hash_algorithm sha1; > - authentication_method pre_shared_key; > - dh_group 2; > - } > -} > - > -""" > - > - def __init__(self): > - self.psk_hosts = {} > - self.cert_hosts = {} > - > - if not os.path.isdir(root_prefix + self.cert_dir): > - os.mkdir(self.cert_dir) > - > - # Clean out stale peer certs from previous runs > - for ovs_cert in glob.glob("%s%s/ovs-*.pem" > - % (root_prefix, self.cert_dir)): > - try: > - os.remove(ovs_cert) > - except OSError: > - vlog.warn("couldn't remove %s" % ovs_cert) > - > - # Replace racoon's conf file with our template > - self.commit() > - > - def reload(self): > - exitcode = subprocess.call([root_prefix + "/etc/init.d/racoon", > - "reload"]) > - if exitcode != 0: > - # Racoon is finicky about its configuration file and will > - # refuse to start if it sees something it doesn't like > - # (e.g., a certificate file doesn't exist). Try restarting > - # the process before giving up. > - vlog.warn("attempting to restart racoon") > - exitcode = subprocess.call([root_prefix + > "/etc/init.d/racoon", > - "restart"]) > - if exitcode != 0: > - vlog.warn("couldn't reload racoon") > - > - def commit(self): > - # Rewrite the Racoon configuration file > - conf_file = open(root_prefix + self.conf_file, 'w') > - conf_file.write(Racoon.conf_header % (self.psk_file, > self.cert_dir)) > - > - for host, vals in six.iteritems(self.cert_hosts): > - conf_file.write(Racoon.cert_entry % (host, > vals["certificate"], > - vals["private_key"], vals["peer_cert_file"])) > - > - for host in self.psk_hosts: > - conf_file.write(Racoon.psk_entry % host) > - > - conf_file.write(Racoon.conf_footer) > - conf_file.close() > - > - # Rewrite the pre-shared keys file; it must only be readable by > root. > - orig_umask = os.umask(0o077) > - psk_file = open(root_prefix + Racoon.psk_file, 'w') > - os.umask(orig_umask) > - > - psk_file.write("# Generated by Open vSwitch...do not modify by > hand!") > - psk_file.write("\n\n") > - for host, vals in six.iteritems(self.psk_hosts): > - psk_file.write("%s %s\n" % (host, vals["psk"])) > - psk_file.close() > - > - self.reload() > - > - def _add_psk(self, host, psk): > - if host in self.cert_hosts: > - raise error.Error("host %s already defined for cert" % host) > - > - self.psk_hosts[host] = psk > - self.commit() > - > - def _verify_certs(self, vals): > - # Racoon will refuse to start if the certificate files don't > - # exist, so verify that they're there. > - if not os.path.isfile(root_prefix + vals["certificate"]): > - raise error.Error("'certificate' file does not exist: %s" > - % vals["certificate"]) > - elif not os.path.isfile(root_prefix + vals["private_key"]): > - raise error.Error("'private_key' file does not exist: %s" > - % vals["private_key"]) > - > - # Racoon won't start if a given certificate or private key isn't > - # valid. This is a weak test, but will detect the most flagrant > - # errors. > - if vals["peer_cert"].find("-----BEGIN CERTIFICATE-----") == -1: > - raise error.Error("'peer_cert' is not in valid PEM format") > - > - cert = open(root_prefix + vals["certificate"]).read() > - if cert.find("-----BEGIN CERTIFICATE-----") == -1: > - raise error.Error("'certificate' is not in valid PEM format") > - > - cert = open(root_prefix + vals["private_key"]).read() > - if cert.find("-----BEGIN RSA PRIVATE KEY-----") == -1: > - raise error.Error("'private_key' is not in valid PEM format") > - > - def _add_cert(self, host, vals): > - if host in self.psk_hosts: > - raise error.Error("host %s already defined for psk" % host) > - > - if vals["certificate"] is None: > - raise error.Error("'certificate' not defined for %s" % host) > - elif vals["private_key"] is None: > - # Assume the private key is stored in the same PEM file as > - # the certificate. We make a copy of "vals" so that we don't > - # modify the original "vals", which would cause the script > - # to constantly think that the configuration has changed > - # in the database. > - vals = vals.copy() > - vals["private_key"] = vals["certificate"] > - > - self._verify_certs(vals) > - > - # The peer's certificate comes to us in PEM format as a string. > - # Write that string to a file for Racoon to use. > - f = open(root_prefix + vals["peer_cert_file"], "w") > - f.write(vals["peer_cert"]) > - f.close() > - > - self.cert_hosts[host] = vals > - self.commit() > - > - def _del_cert(self, host): > - peer_cert_file = self.cert_hosts[host]["peer_cert_file"] > - del self.cert_hosts[host] > - self.commit() > - try: > - os.remove(root_prefix + peer_cert_file) > - except OSError: > - pass > - > - def add_entry(self, host, vals): > - if vals["peer_cert"]: > - self._add_cert(host, vals) > - elif vals["psk"]: > - self._add_psk(host, vals) > - > - def del_entry(self, host): > - if host in self.cert_hosts: > - self._del_cert(host) > - elif host in self.psk_hosts: > - del self.psk_hosts[host] > - self.commit() > - > - > -# Class to configure IPsec on a system using racoon for IKE and setkey > -# for maintaining the Security Association Database (SAD) and Security > -# Policy Database (SPD). Only policies for GRE are supported. > -class IPsec(object): > - def __init__(self): > - self.sad_flush() > - self.spd_flush() > - self.racoon = Racoon() > - self.entries = [] > - > - def call_setkey(self, cmds): > - try: > - p = subprocess.Popen([root_prefix + SETKEY, "-c"], > - stdin=subprocess.PIPE, > - stdout=subprocess.PIPE) > - except: > - vlog.err("could not call %s%s" % (root_prefix, SETKEY)) > - sys.exit(1) > - > - # xxx It is safer to pass the string into the communicate() > - # xxx method, but it didn't work for slightly longer commands. > - # xxx An alternative may need to be found. > - p.stdin.write(cmds) > - return p.communicate()[0] > - > - def call_ip_xfrm(self, cmds): > - exitcode = subprocess.call([root_prefix + IP, "xfrm"] + cmds) > - if exitcode != 0: > - vlog.err("couldn't install IPsec policy that prevents " > - "traffic from exiting unencrypted") > - > - def get_spi(self, local_ip, remote_ip, proto="esp"): > - # Run the setkey dump command to retrieve the SAD. Then, parse > - # the output looking for SPI buried in the output. Note that > - # multiple SAD entries can exist for the same "flow", since an > - # older entry could be in a "dying" state. > - spi_list = [] > - host_line = "%s %s" % (local_ip, remote_ip) > - results = self.call_setkey("dump ;\n").split("\n") > - for i in range(len(results)): > - if results[i].strip() == host_line: > - # The SPI is in the line following the host pair > - spi_line = results[i + 1] > - if (spi_line[1:4] == proto): > - spi = spi_line.split()[2] > - spi_list.append(spi.split('(')[1].rstrip(')')) > - return spi_list > - > - def sad_flush(self): > - self.call_setkey("flush;\n") > - > - def sad_del(self, local_ip, remote_ip): > - # To delete all SAD entries, we should be able to use setkey's > - # "deleteall" command. Unfortunately, it's fundamentally broken > - # on Linux and not documented as such. > - cmds = "" > - > - # Delete local_ip->remote_ip SAD entries > - spi_list = self.get_spi(local_ip, remote_ip) > - for spi in spi_list: > - cmds += "delete %s %s esp %s;\n" % (local_ip, remote_ip, spi) > - > - # Delete remote_ip->local_ip SAD entries > - spi_list = self.get_spi(remote_ip, local_ip) > - for spi in spi_list: > - cmds += "delete %s %s esp %s;\n" % (remote_ip, local_ip, spi) > - > - if cmds: > - self.call_setkey(cmds) > - > - def spd_flush(self): > - self.call_setkey("spdflush;\n") > - self.call_ip_xfrm(["policy", "add", "src", "0.0.0.0/0", "dst", > - "0.0.0.0/0", "proto", "gre", "dir", "out", > - "mark", IPSEC_MARK, "mask", IPSEC_MARK, > - "action", "block", "priority", "4294967295"]) > - > - def spd_add(self, local_ip, remote_ip): > - cmds = ("spdadd %s %s gre -P out ipsec esp/transport//require;\n" > % > - (local_ip, remote_ip)) > - cmds += ("spdadd %s %s gre -P in ipsec esp/transport//require;\n" > % > - (remote_ip, local_ip)) > - self.call_setkey(cmds) > - > - def spd_del(self, local_ip, remote_ip): > - cmds = "spddelete %s %s gre -P out;\n" % (local_ip, remote_ip) > - cmds += "spddelete %s %s gre -P in;\n" % (remote_ip, local_ip) > - self.call_setkey(cmds) > - > - def add_entry(self, local_ip, remote_ip, vals): > - if remote_ip in self.entries: > - raise error.Error("host %s already configured for ipsec" > - % remote_ip) > - > - self.racoon.add_entry(remote_ip, vals) > - self.spd_add(local_ip, remote_ip) > - > - self.entries.append(remote_ip) > - > - def del_entry(self, local_ip, remote_ip): > - if remote_ip in self.entries: > - self.racoon.del_entry(remote_ip) > - self.spd_del(local_ip, remote_ip) > - self.sad_del(local_ip, remote_ip) > - > - self.entries.remove(remote_ip) > - > - > -def update_ipsec(ipsec, interfaces, new_interfaces): > - for name, vals in six.iteritems(interfaces): > - if name not in new_interfaces: > - ipsec.del_entry(vals["local_ip"], vals["remote_ip"]) > - > - for name, vals in six.iteritems(new_interfaces): > - orig_vals = interfaces.get(name) > - if orig_vals: > - # Configuration for this host already exists. Check if it's > - # changed. We use set difference, since we want to ignore > - # any local additions to "orig_vals" that we've made > - # (e.g. the "peer_cert_file" key). > - if set(vals.items()) - set(orig_vals.items()): > - ipsec.del_entry(vals["local_ip"], vals["remote_ip"]) > - else: > - continue > - > - try: > - ipsec.add_entry(vals["local_ip"], vals["remote_ip"], vals) > - except error.Error as msg: > - vlog.warn("skipping ipsec config for %s: %s" % (name, msg)) > - > - > -def get_ssl_cert(data): > - for ovs_rec in data["Open_vSwitch"].rows.values(): > - if ovs_rec.ssl: > - ssl = ovs_rec.ssl[0] > - if ssl.certificate and ssl.private_key: > - return (ssl.certificate, ssl.private_key) > - > - return None > - > - > -def main(): > - > - parser = argparse.ArgumentParser() > - parser.add_argument("database", metavar="DATABASE", > - help="A socket on which ovsdb-server is > listening.") > - parser.add_argument("--root-prefix", metavar="DIR", > - help="Use DIR as alternate root directory" > - " (for testing).") > - > - ovs.vlog.add_args(parser) > - ovs.daemon.add_args(parser) > - args = parser.parse_args() > - ovs.vlog.handle_args(args) > - ovs.daemon.handle_args(args) > - > - global root_prefix > - if args.root_prefix: > - root_prefix = args.root_prefix > - > - remote = args.database > - schema_helper = ovs.db.idl.SchemaHelper() > - schema_helper.register_columns("Interface", ["name", "type", > "options"]) > - schema_helper.register_columns("Open_vSwitch", ["ssl"]) > - schema_helper.register_columns("SSL", ["certificate", "private_key"]) > - idl = ovs.db.idl.Idl(remote, schema_helper) > - > - ipsec = IPsec() > - > - ovs.daemon.daemonize() > - > - ovs.unixctl.command_register("exit", "", 0, 0, unixctl_exit, None) > - error, unixctl_server = ovs.unixctl.server.UnixctlServer.create(None) > - if error: > - ovs.util.ovs_fatal(error, "could not create unixctl server", vlog) > - > - interfaces = {} > - seqno = idl.change_seqno # Sequence number when we last processed > the db > - while True: > - unixctl_server.run() > - if exiting: > - break > - > - idl.run() > - if seqno == idl.change_seqno: > - poller = ovs.poller.Poller() > - unixctl_server.wait(poller) > - idl.wait(poller) > - poller.block() > - continue > - seqno = idl.change_seqno > - > - ssl_cert = get_ssl_cert(idl.tables) > - > - new_interfaces = {} > - for rec in six.itervalues(idl.tables["Interface"].rows): > - if rec.type == "ipsec_gre": > - name = rec.name > - options = rec.options > - peer_cert_name = "ovs-%s.pem" % (options.get("remote_ip")) > - entry = { > - "remote_ip": options.get("remote_ip"), > - "local_ip": options.get("local_ip", "0.0.0.0/0"), > - "certificate": options.get("certificate"), > - "private_key": options.get("private_key"), > - "use_ssl_cert": options.get("use_ssl_cert"), > - "peer_cert": options.get("peer_cert"), > - "peer_cert_file": Racoon.cert_dir + "/" + > peer_cert_name, > - "psk": options.get("psk")} > - > - if entry["peer_cert"] and entry["psk"]: > - vlog.warn("both 'peer_cert' and 'psk' defined for %s" > - % name) > - continue > - elif not entry["peer_cert"] and not entry["psk"]: > - vlog.warn("no 'peer_cert' or 'psk' defined for %s" % > name) > - continue > - > - # The "use_ssl_cert" option is deprecated and will > - # likely go away in the near future. > - if entry["use_ssl_cert"] == "true": > - if not ssl_cert: > - vlog.warn("no valid SSL entry for %s" % name) > - continue > - > - entry["certificate"] = ssl_cert[0] > - entry["private_key"] = ssl_cert[1] > - > - new_interfaces[name] = entry > - > - if interfaces != new_interfaces: > - update_ipsec(ipsec, interfaces, new_interfaces) > - interfaces = new_interfaces > - > - unixctl_server.close() > - idl.close() > - > - > -if __name__ == '__main__': > - try: > - main() > - except SystemExit: > - # Let system.exit() calls complete normally > - raise > - except: > - vlog.exception("traceback") > - sys.exit(ovs.daemon.RESTART_EXIT_CODE) > diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c > index ac31da6..02a246a 100644 > --- a/lib/netdev-vport.c > +++ b/lib/netdev-vport.c > @@ -402,14 +402,13 @@ set_tunnel_config(struct netdev *dev_, const struct > smap *args) > struct netdev_vport *dev = netdev_vport_cast(dev_); > const char *name = netdev_get_name(dev_); > const char *type = netdev_get_type(dev_); > - bool ipsec_mech_set, needs_dst_port, has_csum; > + bool needs_dst_port, has_csum; > uint16_t dst_proto = 0, src_proto = 0; > struct netdev_tunnel_config tnl_cfg; > struct smap_node *node; > > has_csum = strstr(type, "gre") || strstr(type, "geneve") || > strstr(type, "stt") || strstr(type, "vxlan"); > - ipsec_mech_set = false; > memset(&tnl_cfg, 0, sizeof tnl_cfg); > > /* Add a default destination port for tunnel ports if none specified. > */ > @@ -430,7 +429,6 @@ set_tunnel_config(struct netdev *dev_, const struct > smap *args) > } > > needs_dst_port = netdev_vport_needs_dst_port(dev_); > - tnl_cfg.ipsec = strstr(type, "ipsec"); > tnl_cfg.dont_fragment = true; > > SMAP_FOR_EACH (node, args) { > @@ -485,33 +483,6 @@ set_tunnel_config(struct netdev *dev_, const struct > smap *args) > if (!strcmp(node->value, "false")) { > tnl_cfg.dont_fragment = false; > } > - } else if (!strcmp(node->key, "peer_cert") && tnl_cfg.ipsec) { > - if (smap_get(args, "certificate")) { > - ipsec_mech_set = true; > - } else { > - const char *use_ssl_cert; > - > - /* If the "use_ssl_cert" is true, then "certificate" and > - * "private_key" will be pulled from the SSL table. The > - * use of this option is strongly discouraged, since it > - * will like be removed when multiple SSL configurations > - * are supported by OVS. > - */ > - use_ssl_cert = smap_get(args, "use_ssl_cert"); > - if (!use_ssl_cert || strcmp(use_ssl_cert, "true")) { > - VLOG_ERR("%s: 'peer_cert' requires 'certificate' > argument", > - name); > - return EINVAL; > - } > - ipsec_mech_set = true; > - } > - } else if (!strcmp(node->key, "psk") && tnl_cfg.ipsec) { > - ipsec_mech_set = true; > - } else if (tnl_cfg.ipsec > - && (!strcmp(node->key, "certificate") > - || !strcmp(node->key, "private_key") > - || !strcmp(node->key, "use_ssl_cert"))) { > - /* Ignore options not used by the netdev. */ > } else if (!strcmp(node->key, "key") || > !strcmp(node->key, "in_key") || > !strcmp(node->key, "out_key")) { > @@ -539,41 +510,6 @@ set_tunnel_config(struct netdev *dev_, const struct > smap *args) > } > } > > - if (tnl_cfg.ipsec) { > - static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER; > - static pid_t pid = 0; > - > - VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name); > - > -#ifndef _WIN32 > - ovs_mutex_lock(&mutex); > - if (pid <= 0) { > - char *file_name = xasprintf("%s/%s", ovs_rundir(), > - "ovs-monitor-ipsec.pid"); > - pid = read_pidfile(file_name); > - free(file_name); > - } > - ovs_mutex_unlock(&mutex); > -#endif > - > - if (pid < 0) { > - VLOG_ERR("%s: IPsec requires the ovs-monitor-ipsec daemon", > - name); > - return EINVAL; > - } > - > - if (smap_get(args, "peer_cert") && smap_get(args, "psk")) { > - VLOG_ERR("%s: cannot define both 'peer_cert' and 'psk'", > name); > - return EINVAL; > - } > - > - if (!ipsec_mech_set) { > - VLOG_ERR("%s: IPsec requires an 'peer_cert' or psk' argument", > - name); > - return EINVAL; > - } > - } > - > if (!ipv6_addr_is_set(&tnl_cfg.ipv6_dst) && !tnl_cfg.ip_dst_flow) { > VLOG_ERR("%s: %s type requires valid 'remote_ip' argument", > name, type); > @@ -898,7 +834,6 @@ netdev_vport_tunnel_register(void) > TUNNEL_CLASS("gre", "gre_sys", netdev_gre_build_header, > netdev_gre_push_header, > netdev_gre_pop_header), > - TUNNEL_CLASS("ipsec_gre", "gre_sys", NULL, NULL, NULL), > TUNNEL_CLASS("vxlan", "vxlan_sys", netdev_vxlan_build_header, > netdev_tnl_push_udp_header, > netdev_vxlan_pop_header), > diff --git a/lib/netdev.h b/lib/netdev.h > index 634c665..bad28c4 100644 > --- a/lib/netdev.h > +++ b/lib/netdev.h > @@ -97,7 +97,6 @@ struct netdev_tunnel_config { > bool tos_inherit; > > bool csum; > - bool ipsec; > bool dont_fragment; > }; > > diff --git a/ofproto/ofproto-dpif-ipfix.c b/ofproto/ofproto-dpif-ipfix.c > index abea492..6b00b77 100644 > --- a/ofproto/ofproto-dpif-ipfix.c > +++ b/ofproto/ofproto-dpif-ipfix.c > @@ -78,7 +78,6 @@ enum dpif_ipfix_tunnel_type { > DPIF_IPFIX_TUNNEL_GRE = 0x02, > DPIF_IPFIX_TUNNEL_LISP = 0x03, > DPIF_IPFIX_TUNNEL_STT = 0x04, > - DPIF_IPFIX_TUNNEL_IPSEC_GRE = 0x05, > DPIF_IPFIX_TUNNEL_GENEVE = 0x07, > NUM_DPIF_IPFIX_TUNNEL > }; > @@ -311,16 +310,12 @@ struct ipfix_data_record_flow_key_icmp { > }); > BUILD_ASSERT_DECL(sizeof(struct ipfix_data_record_flow_key_icmp) == 2); > > -/* For the tunnel type that is on the top of IPSec, the protocol > identifier > - * of the upper tunnel type is used. > - */ > static uint8_t tunnel_protocol[NUM_DPIF_IPFIX_TUNNEL] = { > 0, /* reserved */ > IPPROTO_UDP, /* DPIF_IPFIX_TUNNEL_VXLAN */ > IPPROTO_GRE, /* DPIF_IPFIX_TUNNEL_GRE */ > IPPROTO_UDP, /* DPIF_IPFIX_TUNNEL_LISP*/ > IPPROTO_TCP, /* DPIF_IPFIX_TUNNEL_STT*/ > - IPPROTO_GRE, /* DPIF_IPFIX_TUNNEL_IPSEC_GRE */ > 0 , /* reserved */ > IPPROTO_UDP, /* DPIF_IPFIX_TUNNEL_GENEVE*/ > }; > @@ -657,10 +652,6 @@ dpif_ipfix_add_tunnel_port(struct dpif_ipfix *di, > struct ofport *ofport, > /* 32-bit key gre */ > dip->tunnel_type = DPIF_IPFIX_TUNNEL_GRE; > dip->tunnel_key_length = 4; > - } else if (strcmp(type, "ipsec_gre") == 0) { > - /* 32-bit key ipsec_gre */ > - dip->tunnel_type = DPIF_IPFIX_TUNNEL_IPSEC_GRE; > - dip->tunnel_key_length = 4; > } else if (strcmp(type, "vxlan") == 0) { > dip->tunnel_type = DPIF_IPFIX_TUNNEL_VXLAN; > dip->tunnel_key_length = 3; > @@ -1728,12 +1719,6 @@ ipfix_cache_entry_init(struct > ipfix_flow_cache_entry *entry, > data_tunnel->tunnel_destination_ipv4_address = > tunnel_key->ip_dst; > /* The tunnel_protocol_identifier is from tunnel_proto array, > which > * contains protocol_identifiers of each tunnel type. > - * For the tunnel type on the top of IPSec, which uses the > protocol > - * identifier of the upper tunnel type is used, the tcp_src and > tcp_dst > - * are decided based on the protocol identifiers. > - * E.g: > - * The protocol identifier of DPIF_IPFIX_TUNNEL_IPSEC_GRE is > IPPROTO_GRE, > - * and both tp_src and tp_dst are zero. > */ > data_tunnel->tunnel_protocol_identifier = > tunnel_protocol[tunnel_port->tunnel_type]; > diff --git a/ofproto/ofproto-dpif-sflow.c b/ofproto/ofproto-dpif-sflow.c > index 11d3a53..9ea8851 100644 > --- a/ofproto/ofproto-dpif-sflow.c > +++ b/ofproto/ofproto-dpif-sflow.c > @@ -61,7 +61,6 @@ enum dpif_sflow_tunnel_type { > DPIF_SFLOW_TUNNEL_VXLAN, > DPIF_SFLOW_TUNNEL_GRE, > DPIF_SFLOW_TUNNEL_LISP, > - DPIF_SFLOW_TUNNEL_IPSEC_GRE, > DPIF_SFLOW_TUNNEL_GENEVE > }; > > @@ -582,8 +581,6 @@ dpif_sflow_tunnel_type(struct ofport *ofport) { > if (type) { > if (strcmp(type, "gre") == 0) { > return DPIF_SFLOW_TUNNEL_GRE; > - } else if (strcmp(type, "ipsec_gre") == 0) { > - return DPIF_SFLOW_TUNNEL_IPSEC_GRE; > } else if (strcmp(type, "vxlan") == 0) { > return DPIF_SFLOW_TUNNEL_VXLAN; > } else if (strcmp(type, "lisp") == 0) { > @@ -606,10 +603,6 @@ dpif_sflow_tunnel_proto(enum dpif_sflow_tunnel_type > tunnel_type) > ipproto = IPPROTO_GRE; > break; > > - case DPIF_SFLOW_TUNNEL_IPSEC_GRE: > - ipproto = IPPROTO_ESP; > - break; > - > case DPIF_SFLOW_TUNNEL_VXLAN: > case DPIF_SFLOW_TUNNEL_LISP: > case DPIF_SFLOW_TUNNEL_GENEVE: > diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c > index 9a69071..97de59e 100644 > --- a/ofproto/tunnel.c > +++ b/ofproto/tunnel.c > @@ -41,15 +41,11 @@ > > VLOG_DEFINE_THIS_MODULE(tunnel); > > -/* skb mark used for IPsec tunnel packets */ > -#define IPSEC_MARK 1 > - > struct tnl_match { > ovs_be64 in_key; > struct in6_addr ipv6_src; > struct in6_addr ipv6_dst; > odp_port_t odp_port; > - uint32_t pkt_mark; > bool in_key_flow; > bool ip_src_flow; > bool ip_dst_flow; > @@ -164,7 +160,6 @@ tnl_port_add__(const struct ofport_dpif *ofport, const > struct netdev *netdev, > tnl_port->match.ipv6_dst = cfg->ipv6_dst; > tnl_port->match.ip_src_flow = cfg->ip_src_flow; > tnl_port->match.ip_dst_flow = cfg->ip_dst_flow; > - tnl_port->match.pkt_mark = cfg->ipsec ? IPSEC_MARK : 0; > tnl_port->match.in_key_flow = cfg->in_key_flow; > tnl_port->match.odp_port = odp_port; > > @@ -357,7 +352,6 @@ tnl_process_ecn(struct flow *flow) > flow->nw_tos |= IP_ECN_CE; > } > > - flow->pkt_mark &= ~IPSEC_MARK; > return true; > } > > @@ -383,8 +377,6 @@ tnl_wc_init(struct flow *flow, struct flow_wildcards > *wc) > wc->masks.tunnel.tp_src = 0; > wc->masks.tunnel.tp_dst = 0; > > - memset(&wc->masks.pkt_mark, 0xff, sizeof wc->masks.pkt_mark); > - > if (is_ip_any(flow) > && IP_ECN_is_ce(flow->tunnel.ip_tos)) { > wc->masks.nw_tos |= IP_ECN_MASK; > @@ -435,9 +427,6 @@ tnl_port_send(const struct ofport_dpif *ofport, struct > flow *flow, > flow->tunnel.ipv6_dst = in6addr_any; > } > } > - flow->pkt_mark |= tnl_port->match.pkt_mark; > - wc->masks.pkt_mark |= tnl_port->match.pkt_mark; > - > if (!cfg->out_key_flow) { > flow->tunnel.tun_id = cfg->out_key; > } > @@ -561,7 +550,6 @@ tnl_find(const struct flow *flow) > OVS_REQ_RDLOCK(rwlock) > match.ipv6_dst = flow_tnl_src(&flow->tunnel); > } > match.odp_port = flow->in_port.odp_port; > - match.pkt_mark = flow->pkt_mark; > match.in_key_flow = in_key_flow; > match.ip_dst_flow = ip_dst_flow; > match.ip_src_flow = ip_src == IP_SRC_FLOW; > @@ -616,7 +604,6 @@ tnl_match_fmt(const struct tnl_match *match, struct ds > *ds) > } > > ds_put_format(ds, ", dp port=%"PRIu32, match->odp_port); > - ds_put_format(ds, ", pkt mark=%"PRIu32, match->pkt_mark); > } > > static void > diff --git a/tests/automake.mk b/tests/automake.mk > index 8ac98bf..a2b7786 100644 > --- a/tests/automake.mk > +++ b/tests/automake.mk > @@ -82,7 +82,6 @@ TESTSUITE_AT = \ > tests/ovsdb-idl.at \ > tests/ovsdb-lock.at \ > tests/ovs-vsctl.at \ > - tests/ovs-monitor-ipsec.at \ > tests/ovs-xapi-sync.at \ > tests/stp.at \ > tests/rstp.at \ > diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at > index 79dedf4..92ab9ab 100644 > --- a/tests/ofproto-macros.at > +++ b/tests/ofproto-macros.at > @@ -468,53 +468,4 @@ m4_define([WAIT_FOR_DUMMY_PORTS], \ > OVS_WAIT_WHILE([ovs-appctl netdev-dummy/conn-state dummy_port \ > | grep 'unknown\|disconnected'])])]) > > -# OVS_MONITOR_IPSEC_START() > -# > -# Starts ovs-monitor-ipsec daemon. Use this macro only after testing > -# that python is present on the system. > -m4_define([OVS_MONITOR_IPSEC_START], > -[ > -cp "$top_srcdir/vswitchd/vswitch.ovsschema" . > - > -on_exit 'kill `cat pid ovs-monitor-ipsec.pid`' > > -mkdir etc etc/init.d etc/racoon etc/racoon/certs > -mkdir usr usr/sbin > -mkdir sbin > - > -AT_DATA([etc/init.d/racoon], [dnl > -#! /bin/sh > -echo "racoon: @S|@@" >&3 > -exit 0 > -]) > -chmod +x etc/init.d/racoon > - > -AT_DATA([usr/sbin/setkey], [dnl > -#! /bin/sh > -exec >&3 > -echo "setkey:" > -while read line; do > - echo "> $line" > -done > -]) > -chmod +x usr/sbin/setkey > - > -AT_DATA([sbin/ip], [dnl > -#! /bin/sh > -exit 0 > -]) > -chmod +x sbin/ip > - > -touch etc/racoon/certs/ovs-stale.pem > - > -### > -### Start ovs-monitor-ipsec and wait for it to delete the stale cert. > -### > -AT_CHECK( > - [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \ > - "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \ > - unix:$OVS_RUNDIR/db.sock 2>log 3>actions &]) > -AT_CAPTURE_FILE([log]) > -AT_CAPTURE_FILE([actions]) > -OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem]) > -]) > diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at > index 372db27..00ee482 100644 > --- a/tests/ovn-controller.at > +++ b/tests/ovn-controller.at > @@ -195,7 +195,7 @@ OVS_WAIT_UNTIL([check_datapath_type ""]) > > # The following will need to be updated as OVS starts to support more > # interface types. > -expected_iface_types="dummy,dummy-internal,dummy-pmd, > geneve,gre,internal,ipsec_gre,lisp,patch,stt,system,tap,vxlan" > +expected_iface_types="dummy,dummy-internal,dummy-pmd, > geneve,gre,internal,lisp,patch,stt,system,tap,vxlan" > chassis_iface_types=$(ovn-sbctl get Chassis ${sysid} > external_ids:iface-types | sed -e 's/\"//g') > echo "chassis_iface_types = ${chassis_iface_types}" > AT_CHECK([test "${expected_iface_types}" = "${chassis_iface_types}"]) > diff --git a/tests/ovs-monitor-ipsec.at b/tests/ovs-monitor-ipsec.at > deleted file mode 100644 > index cae2878..0000000 > --- a/tests/ovs-monitor-ipsec.at > +++ /dev/null > @@ -1,271 +0,0 @@ > -AT_BANNER([ovs-monitor-ipsec]) > - > -AT_SETUP([ovs-monitor-ipsec]) > -AT_SKIP_IF([test $HAVE_PYTHON = no]) > -AT_SKIP_IF([test "$IS_WIN32" = "yes"]) > -AT_SKIP_IF([$non_ascii_cwd]) > - > -trim () { # Removes blank lines and lines starting with # from input. > - sed -e '/^#/d' -e '/^[ ]*$/d' "$@" > -} > - > -OVS_VSWITCHD_START([]) > -OVS_MONITOR_IPSEC_START > - > -### > -### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does > -### > -AT_CHECK([ovs-vsctl \ > - -- add-port br0 gre0 \ > - -- set interface gre0 type=ipsec_gre \ > - options:remote_ip=1.2.3.4 \ > - options:psk=swordfish]) > -OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions > >/dev/null]) > -AT_CHECK([cat actions], [0], [dnl > -setkey: > -> flush; > -setkey: > -> spdflush; > -racoon: reload > -racoon: reload > -setkey: > -> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require; > -> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require; > -]) > -AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish > -]) > -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl > -path pre_shared_key "/etc/racoon/psk.txt"; > -path certificate "/etc/racoon/certs"; > -remote 1.2.3.4 { > - exchange_mode main; > - nat_traversal on; > - proposal { > - encryption_algorithm aes; > - hash_algorithm sha1; > - authentication_method pre_shared_key; > - dh_group 2; > - } > -} > -sainfo anonymous { > - pfs_group 2; > - lifetime time 1 hour; > - encryption_algorithm aes; > - authentication_algorithm hmac_sha1, hmac_md5; > - compression_algorithm deflate; > -} > -]) > - > -### > -### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does > -### > -AT_CHECK([ovs-vsctl del-port gre0]) > -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17]) > -AT_CHECK([sed '1,9d' actions], [0], [dnl > -racoon: reload > -setkey: > -> spddelete 0.0.0.0/0 1.2.3.4 gre -P out; > -> spddelete 1.2.3.4 0.0.0.0/0 gre -P in; > -setkey: > -> dump ; > -setkey: > -> dump ; > -]) > -AT_CHECK([trim etc/racoon/psk.txt], [0], []) > -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl > -path pre_shared_key "/etc/racoon/psk.txt"; > -path certificate "/etc/racoon/certs"; > -sainfo anonymous { > - pfs_group 2; > - lifetime time 1 hour; > - encryption_algorithm aes; > - authentication_algorithm hmac_sha1, hmac_md5; > - compression_algorithm deflate; > -} > -]) > - > -### > -### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec > does > -### > -AT_DATA([cert.pem], [dnl > ------BEGIN CERTIFICATE----- > -(not a real certificate) > ------END CERTIFICATE----- > -]) > -AT_DATA([key.pem], [dnl > ------BEGIN RSA PRIVATE KEY----- > -(not a real private key) > ------END RSA PRIVATE KEY----- > -]) > -AT_CHECK([ovs-vsctl \ > - -- add-port br0 gre1 \ > - -- set Interface gre1 type=ipsec_gre \ > - options:remote_ip=2.3.4.5 \ > - options:peer_cert='"-----BEGIN CERTIFICATE----- > -(not a real peer certificate) > ------END CERTIFICATE----- > -"' \ > - options:certificate='"/cert.pem"' \ > - options:private_key='"/key.pem"']) > -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21]) > -AT_CHECK([sed '1,17d' actions], [0], [dnl > -racoon: reload > -setkey: > -> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require; > -> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require; > -]) > -AT_CHECK([trim etc/racoon/psk.txt], [0], []) > -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl > -path pre_shared_key "/etc/racoon/psk.txt"; > -path certificate "/etc/racoon/certs"; > -remote 2.3.4.5 { > - exchange_mode main; > - nat_traversal on; > - ike_frag on; > - certificate_type x509 "/cert.pem" "/key.pem"; > - my_identifier asn1dn; > - peers_identifier asn1dn; > - peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem"; > - verify_identifier on; > - proposal { > - encryption_algorithm aes; > - hash_algorithm sha1; > - authentication_method rsasig; > - dh_group 2; > - } > -} > -sainfo anonymous { > - pfs_group 2; > - lifetime time 1 hour; > - encryption_algorithm aes; > - authentication_algorithm hmac_sha1, hmac_md5; > - compression_algorithm deflate; > -} > -]) > -AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl > ------BEGIN CERTIFICATE----- > -(not a real peer certificate) > ------END CERTIFICATE----- > -]) > - > -### > -### Delete the ipsec_gre certificate interface. > -### > -AT_CHECK([ovs-vsctl del-port gre1]) > -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29]) > -AT_CHECK([sed '1,21d' actions], [0], [dnl > -racoon: reload > -setkey: > -> spddelete 0.0.0.0/0 2.3.4.5 gre -P out; > -> spddelete 2.3.4.5 0.0.0.0/0 gre -P in; > -setkey: > -> dump ; > -setkey: > -> dump ; > -]) > -AT_CHECK([trim etc/racoon/psk.txt], [0], []) > -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl > -path pre_shared_key "/etc/racoon/psk.txt"; > -path certificate "/etc/racoon/certs"; > -sainfo anonymous { > - pfs_group 2; > - lifetime time 1 hour; > - encryption_algorithm aes; > - authentication_algorithm hmac_sha1, hmac_md5; > - compression_algorithm deflate; > -} > -]) > -AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem]) > - > -### > -### Add an SSL certificate interface. > -### > -cp cert.pem ssl-cert.pem > -cp key.pem ssl-key.pem > -AT_DATA([ssl-cacert.pem], [dnl > ------BEGIN CERTIFICATE----- > -(not a real CA certificate) > ------END CERTIFICATE----- > -]) > -AT_CHECK([ovs-vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \ > - -- add-port br0 gre2 \ > - -- set Interface gre2 type=ipsec_gre \ > - options:remote_ip=3.4.5.6 \ > - options:peer_cert='"-----BEGIN CERTIFICATE----- > -(not a real peer certificate) > ------END CERTIFICATE----- > -"' \ > - options:use_ssl_cert='"true"']) > -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33]) > -AT_CHECK([sed '1,29d' actions], [0], [dnl > -racoon: reload > -setkey: > -> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require; > -> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require; > -]) > -AT_CHECK([trim etc/racoon/psk.txt], [0], []) > -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl > -path pre_shared_key "/etc/racoon/psk.txt"; > -path certificate "/etc/racoon/certs"; > -remote 3.4.5.6 { > - exchange_mode main; > - nat_traversal on; > - ike_frag on; > - certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem"; > - my_identifier asn1dn; > - peers_identifier asn1dn; > - peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem"; > - verify_identifier on; > - proposal { > - encryption_algorithm aes; > - hash_algorithm sha1; > - authentication_method rsasig; > - dh_group 2; > - } > -} > -sainfo anonymous { > - pfs_group 2; > - lifetime time 1 hour; > - encryption_algorithm aes; > - authentication_algorithm hmac_sha1, hmac_md5; > - compression_algorithm deflate; > -} > -]) > -AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl > ------BEGIN CERTIFICATE----- > -(not a real peer certificate) > ------END CERTIFICATE----- > -]) > - > -### > -### Delete the SSL certificate interface. > -### > -AT_CHECK([ovs-vsctl del-port gre2]) > -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41]) > -AT_CHECK([sed '1,33d' actions], [0], [dnl > -racoon: reload > -setkey: > -> spddelete 0.0.0.0/0 3.4.5.6 gre -P out; > -> spddelete 3.4.5.6 0.0.0.0/0 gre -P in; > -setkey: > -> dump ; > -setkey: > -> dump ; > -]) > -AT_CHECK([trim etc/racoon/psk.txt], [0], []) > -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl > -path pre_shared_key "/etc/racoon/psk.txt"; > -path certificate "/etc/racoon/certs"; > -sainfo anonymous { > - pfs_group 2; > - lifetime time 1 hour; > - encryption_algorithm aes; > - authentication_algorithm hmac_sha1, hmac_md5; > - compression_algorithm deflate; > -} > -]) > -AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem]) > - > -dnl Skip SSL errors reported by Open vSwitch > -OVS_VSWITCHD_STOP(["/stream_ssl/d"]) > -AT_CLEANUP > diff --git a/tests/testsuite.at b/tests/testsuite.at > index f5f1253..2123bee 100644 > --- a/tests/testsuite.at > +++ b/tests/testsuite.at > @@ -63,7 +63,6 @@ m4_include([tests/bridge.at]) > m4_include([tests/netdev-type.at]) > m4_include([tests/ovsdb.at]) > m4_include([tests/ovs-vsctl.at]) > -m4_include([tests/ovs-monitor-ipsec.at]) > m4_include([tests/ovs-xapi-sync.at]) > m4_include([tests/interface-reconfigure.at]) > m4_include([tests/stp.at]) > diff --git a/tests/tunnel-push-pop-ipv6.at b/tests/tunnel-push-pop-ipv6.at > index c213a85..16dc571 100644 > --- a/tests/tunnel-push-pop-ipv6.at > +++ b/tests/tunnel-push-pop-ipv6.at > @@ -158,7 +158,7 @@ AT_CHECK([ovs-ofctl dump-ports int-br | grep 'port > 5'], [0], [dnl > port 5: rx pkts=1, bytes=98, drop=?, errs=?, frame=?, over=?, crc=? > ]) > AT_CHECK([ovs-appctl dpif/dump-flows int-br | grep 'in_port(6081)'], [0], > [dnl > -tunnel(tun_id=0x7b,ipv6_src=2001:cafe::92,ipv6_dst=2001: > cafe::88,geneve({class=0xffff,type=0x80,len=4,0xa/0xf}{ > class=0xffff,type=0,len=4}),flags(-df-csum+key)),skb_mark( > 0),recirc_id(0),in_port(6081),eth_type(0x0800),ipv4(frag=no), packets:0, > bytes:0, used:never, actions:userspace(pid=0,slow_path(controller)) > +tunnel(tun_id=0x7b,ipv6_src=2001:cafe::92,ipv6_dst=2001: > cafe::88,geneve({class=0xffff,type=0x80,len=4,0xa/0xf}{ > class=0xffff,type=0,len=4}),flags(-df-csum+key)),recirc_ > id(0),in_port(6081),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, > used:never, actions:userspace(pid=0,slow_path(controller)) > ]) > > OVS_VSWITCHD_STOP > diff --git a/tests/tunnel-push-pop.at b/tests/tunnel-push-pop.at > index 8245bf1..700ef55 100644 > --- a/tests/tunnel-push-pop.at > +++ b/tests/tunnel-push-pop.at > @@ -163,7 +163,7 @@ AT_CHECK([ovs-ofctl dump-ports int-br | grep 'port > 5'], [0], [dnl > port 5: rx pkts=1, bytes=98, drop=?, errs=?, frame=?, over=?, crc=? > ]) > AT_CHECK([ovs-appctl dpif/dump-flows int-br | grep 'in_port(6081)'], [0], > [dnl > -tunnel(tun_id=0x7b,src=1.1.2.92,dst=1.1.2.88,geneve({class= > 0xffff,type=0x80,len=4,0xa/0xf}{class=0xffff,type=0,len= > 4}),flags(-df-csum+key)),skb_mark(0),recirc_id(0),in_port( > 6081),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never, > actions:userspace(pid=0,slow_path(controller)) > +tunnel(tun_id=0x7b,src=1.1.2.92,dst=1.1.2.88,geneve({class= > 0xffff,type=0x80,len=4,0xa/0xf}{class=0xffff,type=0,len= > 4}),flags(-df-csum+key)),recirc_id(0),in_port(6081), > eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never, > actions:userspace(pid=0,slow_path(controller)) > ]) > > OVS_VSWITCHD_STOP > diff --git a/tests/tunnel.at b/tests/tunnel.at > index dbc6a11..647a466 100644 > --- a/tests/tunnel.at > +++ b/tests/tunnel.at > @@ -82,28 +82,28 @@ AT_CHECK([ovs-appctl dpif/show | tail -n +3], [0], [dnl > dnl Tunnel CE and encapsulated packet CE > AT_CHECK([ovs-appctl ofproto/trace ovs-dummy > 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_ > port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07), > eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto= > 6,tos=3,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) > AT_CHECK([tail -2 stdout], [0], > - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst= > 2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=3,nw_frag=no > + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2, > tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=3,nw_frag=no > Datapath actions: 2 > ]) > > dnl Tunnel CE and encapsulated packet ECT(1) > AT_CHECK([ovs-appctl ofproto/trace ovs-dummy > 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_ > port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07), > eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto= > 6,tos=1,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) > AT_CHECK([tail -2 stdout], [0], > - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst= > 2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=1,nw_frag=no > + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2, > tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=1,nw_frag=no > Datapath actions: set(ipv4(tos=0x3/0x3)),2 > ]) > > dnl Tunnel CE and encapsulated packet ECT(2) > AT_CHECK([ovs-appctl ofproto/trace ovs-dummy > 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_ > port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07), > eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto= > 6,tos=2,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) > AT_CHECK([tail -2 stdout], [0], > - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst= > 2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=2,nw_frag=no > + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2, > tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=2,nw_frag=no > Datapath actions: set(ipv4(tos=0x3/0x3)),2 > ]) > > dnl Tunnel CE and encapsulated packet Non-ECT > AT_CHECK([ovs-appctl ofproto/trace ovs-dummy > 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_ > port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07), > eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto= > 6,tos=0,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) > AT_CHECK([tail -2 stdout], [0], > - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst= > 2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=0,nw_frag=no > + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2, > tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=0,nw_frag=no > Datapath actions: drop > ]) > OVS_VSWITCHD_STOP(["/dropping tunnel packet marked ECN CE but is not ECN > capable/d"]) > @@ -196,75 +196,6 @@ AT_CHECK([tail -1 stdout], [0], > OVS_VSWITCHD_STOP > AT_CLEANUP > > -AT_SETUP([tunnel - encrypted tunnel and not setting skb_mark]) > -AT_SKIP_IF([test $HAVE_PYTHON = no]) > -AT_SKIP_IF([test "$IS_WIN32" = "yes"]) > -AT_SKIP_IF([$non_ascii_cwd]) > -OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \ > - options:remote_ip=1.1.1.1 options:local_ip=2.2.2.2 \ > - options:key=5 ofport_request=1\ > - -- add-port br0 p2 -- set Interface p2 type=dummy \ > - ofport_request=2 ofport_request=2]) > -AT_DATA([flows.txt], [dnl > -actions=output:1 > -]) > -OVS_MONITOR_IPSEC_START > -AT_CHECK([ovs-vsctl set interface p1 type=ipsec_gre > options:psk=1234567890]) > -OVS_VSWITCHD_DISABLE_TUNNEL_PUSH_POP > -AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) > -AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(2),eth(src=50:54:00: > 00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src= > 192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], > [0], [stdout]) > -AT_CHECK([tail -1 stdout], [0], > - [Datapath actions: set(tunnel(tun_id=0x5,src=2.2. > 2.2,dst=1.1.1.1,ttl=64,flags(df|key))),set(skb_mark(0x1/0x1)),1 > -]) > -OVS_VSWITCHD_STOP > -AT_CLEANUP > - > -AT_SETUP([tunnel - encrypted tunnel and setting skb_mark to 1]) > -AT_SKIP_IF([test $HAVE_PYTHON = no]) > -AT_SKIP_IF([test "$IS_WIN32" = "yes"]) > -AT_SKIP_IF([$non_ascii_cwd]) > -OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \ > - options:remote_ip=1.1.1.1 options:local_ip=2.2.2.2 \ > - options:key=5 ofport_request=1\ > - -- add-port br0 p2 -- set Interface p2 type=dummy \ > - ofport_request=2 ofport_request=2]) > -AT_DATA([flows.txt], [dnl > -actions=load:0x1->NXM_NX_PKT_MARK[[]],output:1 > -]) > -OVS_MONITOR_IPSEC_START > -AT_CHECK([ovs-vsctl set interface p1 type=ipsec_gre > options:psk=1234567890]) > -OVS_VSWITCHD_DISABLE_TUNNEL_PUSH_POP > -AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) > -AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(2),eth(src=50:54:00: > 00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src= > 192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], > [0], [stdout]) > -AT_CHECK([tail -1 stdout], [0], > - [Datapath actions: set(tunnel(tun_id=0x5,src=2.2. > 2.2,dst=1.1.1.1,ttl=64,flags(df|key))),set(skb_mark(0x1)),1 > -]) > -OVS_VSWITCHD_STOP > -AT_CLEANUP > - > -AT_SETUP([tunnel - encrypted tunnel and setting skb_mark to 2]) > -AT_SKIP_IF([test $HAVE_PYTHON = no]) > -AT_SKIP_IF([test "$IS_WIN32" = "yes"]) > -AT_SKIP_IF([$non_ascii_cwd]) > -OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \ > - options:remote_ip=1.1.1.1 options:local_ip=2.2.2.2 \ > - options:key=5 ofport_request=1\ > - -- add-port br0 p2 -- set Interface p2 type=dummy \ > - ofport_request=2 ofport_request=2]) > -AT_DATA([flows.txt], [dnl > -actions=load:0x2->NXM_NX_PKT_MARK[[]],output:1 > -]) > -OVS_MONITOR_IPSEC_START > -AT_CHECK([ovs-vsctl set interface p1 type=ipsec_gre > options:psk=1234567890]) > -OVS_VSWITCHD_DISABLE_TUNNEL_PUSH_POP > -AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) > -AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(2),eth(src=50:54:00: > 00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src= > 192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], > [0], [stdout]) > -AT_CHECK([tail -1 stdout], [0], > - [Datapath actions: set(tunnel(tun_id=0x5,src=2.2. > 2.2,dst=1.1.1.1,ttl=64,flags(df|key))),set(skb_mark(0x3)),1 > -]) > -OVS_VSWITCHD_STOP > -AT_CLEANUP > - > AT_SETUP([tunnel - ToS and TTL inheritance]) > OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \ > options:remote_ip=1.1.1.1 options:tos=inherit \ > @@ -559,14 +490,14 @@ AT_CHECK([tail -1 stdout], [0], > dnl Option match > AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id= > 0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff, > type=0,len=4,0xb}),flags(df|key)),in_port(6081),skb_mark( > 0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout]) > AT_CHECK([tail -2 stdout], [0], > - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst= > 1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/ > 0xf,in_port=1,nw_frag=no > + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2, > tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/0xf,in_ > port=1,nw_frag=no > Datapath actions: 2 > ]) > > dnl Skip unknown option > AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id= > 0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff, > type=0,len=4,0xb}{class=0xffff,type=2,len=4,0xc}), > flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], > [0], [stdout]) > AT_CHECK([tail -2 stdout], [0], > - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst= > 1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/ > 0xf,in_port=1,nw_frag=no > + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2, > tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/0xf,in_ > port=1,nw_frag=no > Datapath actions: 2 > ]) > > @@ -600,7 +531,7 @@ AT_CHECK([ovs-ofctl add-tlv-map br0 > "{class=0xffff,type=3,len=8}->tun_metadata3" > AT_CHECK([ovs-ofctl add-flow br0 tun_metadata3= > 0x1234567890abcdef,actions=2]) > AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id= > 0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,type=3,len=8, > 0x1234567890abcdef}),flags(df|key)),in_port(6081),skb_mark( > 0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout]) > AT_CHECK([tail -2 stdout], [0], > - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst= > 1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata3= > 0x1234567890abcdef,in_port=1,nw_frag=no > + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2, > tun_tos=0,tun_flags=+df-csum+key,tun_metadata3= > 0x1234567890abcdef,in_port=1,nw_frag=no > Datapath actions: 2 > ]) > > @@ -635,13 +566,13 @@ NXST_FLOW reply: > > AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id= > 0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff, > type=0,len=4,0x12345678}),flags(df|key)),in_port(6081), > skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout]) > AT_CHECK([tail -2 stdout], [0], > - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst= > 1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0,tun_ > metadata1=NP,tun_metadata2=NP,in_port=1,nw_frag=no > + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2, > tun_tos=0,tun_flags=+df-csum+key,tun_metadata0,tun_ > metadata1=NP,tun_metadata2=NP,in_port=1,nw_frag=no > Datapath actions: 2 > ]) > > AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id= > 0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff, > type=1,len=0}),flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], > [0], [stdout]) > AT_CHECK([tail -2 stdout], [0], > - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst= > 1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata1,tun_ > metadata2=NP,in_port=1,nw_ecn=0,nw_frag=no > + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2, > tun_tos=0,tun_flags=+df-csum+key,tun_metadata1,tun_ > metadata2=NP,in_port=1,nw_ecn=0,nw_frag=no > Datapath actions: set(tunnel(tun_id=0x0,dst=1.1.1.1,ttl=64,geneve({class= > 0xffff,type=0x1,len=0}),flags(df|key))),6081 > ]) > > diff --git a/utilities/bugtool/ovs-bugtool.in b/utilities/bugtool/ovs- > bugtool.in > index 2ec2f2a..963c50c 100755 > --- a/utilities/bugtool/ovs-bugtool.in > +++ b/utilities/bugtool/ovs-bugtool.in > @@ -630,7 +630,7 @@ exclude those logs from the archive. > > ovs_logs = ([OPENVSWITCH_LOG_DIR + x for x in > ['ovs-vswitchd.log', 'ovsdb-server.log', > - 'ovs-xapi-sync.log', 'ovs-monitor-ipsec.log', 'ovs-ctl.log']]) > + 'ovs-xapi-sync.log', 'ovs-ctl.log']]) > for log in ovs_logs: > prefix_output(CAP_OPENVSWITCH_LOGS, log, > last_mod_time=log_last_mod_time) > diff --git a/utilities/ovs-appctl.8.in b/utilities/ovs-appctl.8.in > index 0eda7f2..645b62b 100644 > --- a/utilities/ovs-appctl.8.in > +++ b/utilities/ovs-appctl.8.in > @@ -254,8 +254,8 @@ The default pattern for console and file output is > \fB%D{%Y-%m-%dT > %H:%M:%SZ}|%05N|%c|%p|%m\fR; for syslog output, \fB%05N|%c|%p|%m\fR. > . > .IP > -Daemons written in Python (e.g. \fBovs\-xapi\-sync\fR, > -\fBovs\-monitor\-ipsec) do not allow control over the log pattern. > +Daemons written in Python (e.g. \fBovs\-xapi\-sync\fR) do not allow > +control over the log pattern. > . > .IP "\fBvlog/set\fR FACILITY:\fIfacility\fR" > Sets the RFC5424 facility of the log message. \fIfacility\fR can be one of > diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml > index 976f3ca..8ff3853 100644 > --- a/vswitchd/vswitch.xml > +++ b/vswitchd/vswitch.xml > @@ -2004,15 +2004,6 @@ > tunnel. > </dd> > > - <dt><code>ipsec_gre</code></dt> > - <dd> > - An Ethernet over RFC 2890 Generic Routing Encapsulation over > IPv4/IPv6 > - IPsec tunnel. > - IPsec tunnel ports are deprecated. The support will be > completely > - removed in next version. > - > - </dd> > - > <dt><code>vxlan</code></dt> > <dd> > <p> > @@ -2075,8 +2066,8 @@ > <group title="Tunnel Options"> > <p> > These options apply to interfaces with <ref column="type"/> of > - <code>geneve</code>, <code>gre</code>, <code>ipsec_gre</code>, > - <code>vxlan</code>, <code>lisp</code> and <code>stt</code>. > + <code>geneve</code>, <code>gre</code>, <code>vxlan</code>, > + <code>lisp</code> and <code>stt</code>. > </p> > > <p> > @@ -2253,9 +2244,9 @@ > > </group> > > - <group title="Tunnel Options: gre, ipsec_gre, geneve, and vxlan"> > + <group title="Tunnel Options: gre, geneve, and vxlan"> > <p> > - <code>gre</code>, <code>ipsec_gre</code>, <code>geneve</code>, > and > + <code>gre</code>, <code>geneve</code>, and > <code>vxlan</code> interfaces support these options. > </p> > > @@ -2277,43 +2268,6 @@ > is compatible with. > </p> > > - <p> > - This option is supported for <code>ipsec_gre</code>, but not > useful > - because GRE checksums are weaker than, and redundant with, > IPsec > - payload authentication. > - </p> > - </column> > - </group> > - > - <group title="Tunnel Options: ipsec_gre only"> > - <p> > - Only <code>ipsec_gre</code> interfaces support these options. > - </p> > - > - <column name="options" key="peer_cert"> > - Required for certificate authentication. A string containing > the > - peer's certificate in PEM format. Additionally the host's > - certificate must be specified with the <code>certificate</code> > - option. > - </column> > - > - <column name="options" key="certificate"> > - Required for certificate authentication. The name of a PEM file > - containing a certificate that will be presented to the peer > during > - authentication. > - </column> > - > - <column name="options" key="private_key"> > - Optional for certificate authentication. The name of a PEM file > - containing the private key associated with > <code>certificate</code>. > - If <code>certificate</code> contains the private key, this > option may > - be omitted. > - </column> > - > - <column name="options" key="psk"> > - Required for pre-shared key authentication. Specifies a > pre-shared > - key for authentication that must be identical on both sides of > the > - tunnel. > </column> > </group> > </group> > @@ -4774,8 +4728,7 @@ > <p>type: unsigned 8-bit integer.</p> > <p>data type semantics: identifier.</p> > <p>description: Identifier of the layer 2 network overlay > network > - encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x05 > IPsec+GRE, > - 0x07 GENEVE.</p> > + encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x07 > GENEVE.</p> > </dd> > <dt>tunnelKey:</dt> > <dd> > -- > 1.9.1 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > http://openvswitch.org/mailman/listinfo/dev >
On Mon, Sep 26, 2016 at 11:49 AM, Ansis Atteka <ansisatteka@gmail.com> wrote: > > > On 26 September 2016 at 03:48, Pravin B Shelar <pshelar@ovn.org> wrote: >> >> OVS GRE IPsec tunnel support has multiple issues, Therefore > > s/issues,/issues. >> >> it was deprecated in OVS 2.6. >> >> Following patch removes support GRE IPsec and allow external > > s/support/support for > s/allow/allows >> >> IPsec tunnel management for any type of tunnel not just GRE. >> >> e.g. user can encrpt Geneve or VxLan traffic. > > s/encrpt/encrypt >> >> >> It can be done by using openflow pipeline to set skb-mark >> and using xfrm to implement IPsec tunnels. xfrm can match >> on the skb-mark to encrypt selective tunnel traffic. > > > Some folks may misinterpret the paragraph above that we are recommending > them to use XFRM *directly* as an alternative. XFRM is just NetLink > interface to linux kernel to install IPsec keys after these keys have been > negotiated by IPsec keying daemon, such as strongSwan, openSwan/libreswan or > racoon. > > Instead I would recommend users to use one of the IPsec keying daemons > rather than XFRM directly. > ok, sounds good, I will update commit msg. >> VMware-BZ: 1710701 >> Signed-off-by: Pravin B Shelar <pshelar@ovn.org> >> --- >> This is targeted for OVS master branch only. >> --- >> NEWS | 1 + >> README.md | 2 +- >> >> debian/automake.mk | 7 - >> debian/control | 24 -- >> debian/openvswitch-ipsec.dirs | 1 - >> debian/openvswitch-ipsec.init | 203 ---------------- >> debian/openvswitch-ipsec.install | 1 - >> debian/ovs-monitor-ipsec | 507 >> --------------------------------------- >> lib/netdev-vport.c | 67 +----- >> lib/netdev.h | 1 - >> ofproto/ofproto-dpif-ipfix.c | 15 -- >> ofproto/ofproto-dpif-sflow.c | 7 - >> ofproto/tunnel.c | 13 - >> tests/automake.mk | 1 - >> tests/ofproto-macros.at | 49 ---- >> tests/ovn-controller.at | 2 +- >> tests/ovs-monitor-ipsec.at | 271 --------------------- >> tests/testsuite.at | 1 - >> tests/tunnel-push-pop-ipv6.at | 2 +- >> tests/tunnel-push-pop.at | 2 +- >> tests/tunnel.at | 87 +------ >> utilities/bugtool/ovs-bugtool.in | 2 +- >> utilities/ovs-appctl.8.in | 4 +- >> vswitchd/vswitch.xml | 57 +---- >> 24 files changed, 23 insertions(+), 1304 deletions(-) >> delete mode 100644 debian/openvswitch-ipsec.dirs >> delete mode 100755 debian/openvswitch-ipsec.init >> delete mode 100644 debian/openvswitch-ipsec.install >> delete mode 100755 debian/ovs-monitor-ipsec >> delete mode 100644 tests/ovs-monitor-ipsec.at > > > Assuming you were able to build all other debian packages with "fakeroot > debian/rules binary" after removing and editing those files, then > Acked-by: Ansis Atteka <aatteka@ovn.org> > Thanks for review. > Let me know, if you want me to independently verify that as well? I will test this but it will be nice if you verify it independently.
On Mon, Sep 26, 2016 at 1:15 PM, pravin shelar <pshelar@ovn.org> wrote: > On Mon, Sep 26, 2016 at 11:49 AM, Ansis Atteka <ansisatteka@gmail.com> wrote: >> >> >> On 26 September 2016 at 03:48, Pravin B Shelar <pshelar@ovn.org> wrote: >>> >>> OVS GRE IPsec tunnel support has multiple issues, Therefore >> >> s/issues,/issues. >>> >>> it was deprecated in OVS 2.6. >>> >>> Following patch removes support GRE IPsec and allow external >> >> s/support/support for >> s/allow/allows >>> >>> IPsec tunnel management for any type of tunnel not just GRE. >>> >>> e.g. user can encrpt Geneve or VxLan traffic. >> >> s/encrpt/encrypt >>> >>> >>> It can be done by using openflow pipeline to set skb-mark >>> and using xfrm to implement IPsec tunnels. xfrm can match >>> on the skb-mark to encrypt selective tunnel traffic. >> >> >> Some folks may misinterpret the paragraph above that we are recommending >> them to use XFRM *directly* as an alternative. XFRM is just NetLink >> interface to linux kernel to install IPsec keys after these keys have been >> negotiated by IPsec keying daemon, such as strongSwan, openSwan/libreswan or >> racoon. >> >> Instead I would recommend users to use one of the IPsec keying daemons >> rather than XFRM directly. >> > ok, sounds good, I will update commit msg. > >>> VMware-BZ: 1710701 >>> Signed-off-by: Pravin B Shelar <pshelar@ovn.org> >>> --- >>> This is targeted for OVS master branch only. >>> --- >>> NEWS | 1 + >>> README.md | 2 +- >>> >>> debian/automake.mk | 7 - >>> debian/control | 24 -- >>> debian/openvswitch-ipsec.dirs | 1 - >>> debian/openvswitch-ipsec.init | 203 ---------------- >>> debian/openvswitch-ipsec.install | 1 - >>> debian/ovs-monitor-ipsec | 507 >>> --------------------------------------- >>> lib/netdev-vport.c | 67 +----- >>> lib/netdev.h | 1 - >>> ofproto/ofproto-dpif-ipfix.c | 15 -- >>> ofproto/ofproto-dpif-sflow.c | 7 - >>> ofproto/tunnel.c | 13 - >>> tests/automake.mk | 1 - >>> tests/ofproto-macros.at | 49 ---- >>> tests/ovn-controller.at | 2 +- >>> tests/ovs-monitor-ipsec.at | 271 --------------------- >>> tests/testsuite.at | 1 - >>> tests/tunnel-push-pop-ipv6.at | 2 +- >>> tests/tunnel-push-pop.at | 2 +- >>> tests/tunnel.at | 87 +------ >>> utilities/bugtool/ovs-bugtool.in | 2 +- >>> utilities/ovs-appctl.8.in | 4 +- >>> vswitchd/vswitch.xml | 57 +---- >>> 24 files changed, 23 insertions(+), 1304 deletions(-) >>> delete mode 100644 debian/openvswitch-ipsec.dirs >>> delete mode 100755 debian/openvswitch-ipsec.init >>> delete mode 100644 debian/openvswitch-ipsec.install >>> delete mode 100755 debian/ovs-monitor-ipsec >>> delete mode 100644 tests/ovs-monitor-ipsec.at >> >> >> Assuming you were able to build all other debian packages with "fakeroot >> debian/rules binary" after removing and editing those files, then >> Acked-by: Ansis Atteka <aatteka@ovn.org> >> > Thanks for review. > >> Let me know, if you want me to independently verify that as well? > > I will test this but it will be nice if you verify it independently. I tested it on Debian, It was pretty straight forward to build Debian packages. I did not see any issue with the patch. so I pushed the patch to master. Thanks.
diff --git a/NEWS b/NEWS index 6e284aa..069ab42 100644 --- a/NEWS +++ b/NEWS @@ -25,6 +25,7 @@ Post-v2.6.0 * TLV mappings for protocols such as Geneve are now segregated on a per-OpenFlow bridge basis rather than globally. (The interface has not changed.) + * Removed support for IPsec tunnels. v2.6.0 - xx xxx xxxx --------------------- diff --git a/README.md b/README.md index cf53437..53b0faf 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ vSwitch supports the following features: * NIC bonding with or without LACP on upstream switch * NetFlow, sFlow(R), and mirroring for increased visibility * QoS (Quality of Service) configuration, plus policing -* Geneve, GRE, GRE over IPSEC, VXLAN, and LISP tunneling +* Geneve, GRE, VXLAN, STT, and LISP tunneling * 802.1ag connectivity fault management * OpenFlow 1.0 plus numerous extensions * Transactional configuration database with C and Python bindings diff --git a/debian/automake.mk b/debian/automake.mk index 73b4d00..2da7055 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -19,9 +19,6 @@ EXTRA_DIST += \ debian/openvswitch-datapath-source.dirs \ debian/openvswitch-datapath-source.install \ debian/openvswitch-dev.install \ - debian/openvswitch-ipsec.dirs \ - debian/openvswitch-ipsec.init \ - debian/openvswitch-ipsec.install \ debian/openvswitch-pki.dirs \ debian/openvswitch-pki.postinst \ debian/openvswitch-pki.postrm \ @@ -71,7 +68,6 @@ EXTRA_DIST += \ debian/ovn-host.postinst \ debian/ovn-host.postrm \ debian/ovn-host.template \ - debian/ovs-monitor-ipsec \ debian/python-openvswitch.dirs \ debian/python-openvswitch.install \ debian/rules \ @@ -79,9 +75,6 @@ EXTRA_DIST += \ debian/ifupdown.sh \ debian/source/format -FLAKE8_PYFILES += \ - debian/ovs-monitor-ipsec - check-debian-changelog-version: @DEB_VERSION=`echo '$(VERSION)' | sed 's/pre/~pre/'`; \ if $(FGREP) '($(DEB_VERSION)' $(srcdir)/debian/changelog >/dev/null; \ diff --git a/debian/control b/debian/control index da86fe9..813721a 100644 --- a/debian/control +++ b/debian/control @@ -178,30 +178,6 @@ Description: OVN Docker drivers . ovn-docker provides the docker drivers for OVN. -Package: openvswitch-ipsec -Architecture: linux-any -Depends: ipsec-tools (>=0.8~alpha20101208), - iproute2, - openvswitch-common (= ${binary:Version}), - openvswitch-switch (= ${binary:Version}), - python, - python-openvswitch (= ${source:Version}), - racoon (>=0.8~alpha20101208), - ${misc:Depends}, - ${shlibs:Depends} -Description: Open vSwitch GRE-over-IPsec support - Open vSwitch is a production quality, multilayer, software-based, - Ethernet virtual switch. It is designed to enable massive network - automation through programmatic extension, while still supporting - standard management interfaces and protocols (e.g. NetFlow, IPFIX, - sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed - to support distribution across multiple physical servers similar to - VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. - . - The ovs-monitor-ipsec script provides support for encrypting GRE - tunnels with IPsec. - IPsec tunnels support is deprecated. - Package: openvswitch-pki Architecture: all Depends: openvswitch-common (<< ${source:Version}.1~), diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs deleted file mode 100644 index 02130d0..0000000 --- a/debian/openvswitch-ipsec.dirs +++ /dev/null @@ -1 +0,0 @@ -usr/share/openvswitch/scripts diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init deleted file mode 100755 index a39dd40..0000000 --- a/debian/openvswitch-ipsec.init +++ /dev/null @@ -1,203 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino <jfs@debian.org> -# -# This is free software; you may redistribute it and/or modify -# it under the terms of the GNU General Public License as -# published by the Free Software Foundation; either version 2, -# or (at your option) any later version. -# -# This is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License with -# the Debian operating system, in /usr/share/common-licenses/GPL; if -# not, write to the Free Software Foundation, Inc., 59 Temple Place, -# Suite 330, Boston, MA 02111-1307 USA -# -### BEGIN INIT INFO -# Provides: openvswitch-ipsec -# Required-Start: $network $local_fs $remote_fs openvswitch-switch -# Required-Stop: $remote_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Open vSwitch GRE-over-IPsec daemon -# Description: The ovs-monitor-ipsec script provides support for encrypting GRE -# tunnels with IPsec. -### END INIT INFO - -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin - -DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location -NAME=ovs-monitor-ipsec # Introduce the short server's name here -LOGDIR=/var/log/openvswitch # Log directory to use - -PIDFILE=/var/run/openvswitch/$NAME.pid - -test -x $DAEMON || exit 0 - -. /lib/lsb/init-functions - -DODTIME=10 # Time to wait for the server to die, in seconds - # If this value is set too low you might not - # let some servers to die gracefully and - # 'restart' will not work - -set -e - -running_pid() { -# Check if a given process pid's cmdline matches a given name - pid=$1 - name=$2 - [ -z "$pid" ] && return 1 - [ ! -d /proc/$pid ] && return 1 - cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2` - # Is this the expected server - [ "$cmd" != "$name" ] && return 1 - return 0 -} - -running() { -# Check if the process is running looking at /proc -# (works for all users) - - # No pidfile, probably no daemon present - [ ! -f "$PIDFILE" ] && return 1 - pid=`cat $PIDFILE` - running_pid $pid $DAEMON || return 1 - return 0 -} - -uninstall_mark_rule() { - iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 || return 0 -} - -install_mark_rule() { - if ( ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2> /dev/null); then - iptables -A INPUT -t mangle $1 -j MARK --set-mark 1/1 - fi -} - -start_server() { - if [ ! -d /var/run/openvswitch ]; then - install -d -m 755 -o root -g root /var/run/openvswitch - fi - - install_mark_rule "-p esp" - install_mark_rule "-p udp --dport 4500" - /usr/share/openvswitch/scripts/ovs-monitor-ipsec \ - --pidfile=$PIDFILE --log-file --detach --monitor \ - unix:/var/run/openvswitch/db.sock - - return 0 -} - -stop_server() { - if [ -e $PIDFILE ]; then - kill `cat $PIDFILE` - fi - uninstall_mark_rule "-p esp" - uninstall_mark_rule "-p udp --dport 4500" - - return 0 -} - -force_stop() { -# Force the process to die killing it manually - [ ! -e "$PIDFILE" ] && return - if running ; then - kill -15 $pid - # Is it really dead? - sleep "$DODTIME" - if running ; then - kill -9 $pid - sleep "$DODTIME" - if running ; then - echo "Cannot kill $NAME (pid=$pid)!" - exit 1 - fi - fi - fi - rm -f $PIDFILE -} - - -case "$1" in - start) - log_daemon_msg "Starting $NAME" - # Check if it's running first - if running ; then - log_progress_msg "apparently already running" - log_end_msg 0 - exit 0 - fi - if start_server && running ; then - # It's ok, the server started and is running - log_end_msg 0 - else - # Either we could not start it or it is not running - # after we did - # NOTE: Some servers might die some time after they start, - # this code does not try to detect this and might give - # a false positive (use 'status' for that) - log_end_msg 1 - fi - ;; - stop) - log_daemon_msg "Stopping $NAME" - if running ; then - # Only stop the server if we see it running - stop_server - log_end_msg $? - else - # If it's not running don't do anything - log_progress_msg "apparently not running" - log_end_msg 0 - exit 0 - fi - ;; - force-stop) - # First try to stop gracefully the program - $0 stop - if running; then - # If it's still running try to kill it more forcefully - log_daemon_msg "Stopping (force) $NAME" - force_stop - log_end_msg $? - fi - ;; - restart|force-reload) - log_daemon_msg "Restarting $NAME" - stop_server - # Wait some sensible amount, some server need this - [ -n "$DODTIME" ] && sleep $DODTIME - start_server - running - log_end_msg $? - ;; - status) - log_daemon_msg "Checking status of $NAME" - if running ; then - log_progress_msg "running" - log_end_msg 0 - else - log_progress_msg "apparently not running" - log_end_msg 1 - exit 1 - fi - ;; - # Use this if the daemon cannot reload - reload) - log_warning_msg "Reloading $NAME daemon: not implemented, as the daemon" - log_warning_msg "cannot re-read the config file (use restart)." - ;; - *) - N=/etc/init.d/openvswitch-ipsec - echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2 - exit 1 - ;; -esac - -exit 0 diff --git a/debian/openvswitch-ipsec.install b/debian/openvswitch-ipsec.install deleted file mode 100644 index 72cacfa..0000000 --- a/debian/openvswitch-ipsec.install +++ /dev/null @@ -1 +0,0 @@ -debian/ovs-monitor-ipsec usr/share/openvswitch/scripts diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec deleted file mode 100755 index 6bc26aa..0000000 --- a/debian/ovs-monitor-ipsec +++ /dev/null @@ -1,507 +0,0 @@ -#! /usr/bin/env python -# Copyright (c) 2009, 2010, 2011, 2012 Nicira, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# A daemon to monitor attempts to create GRE-over-IPsec tunnels. -# Uses racoon and setkey to support the configuration. Assumes that -# OVS has complete control over IPsec configuration for the box. - -# xxx To-do: -# - Doesn't actually check that Interface is connected to bridge -# - If a certificate is badly formed, Racoon will refuse to start. We -# should do a better job of verifying certificates are valid before -# adding an interface to racoon.conf. - - -import argparse -import glob -import os -import subprocess -import sys - -import ovs.dirs -from ovs.db import error -import ovs.util -import ovs.daemon -import ovs.db.idl -import ovs.unixctl -import ovs.unixctl.server -import ovs.vlog -from six.moves import range -import six - -vlog = ovs.vlog.Vlog("ovs-monitor-ipsec") -root_prefix = '' # Prefix for absolute file names, for testing. -SETKEY = "/usr/sbin/setkey" -IP = "/sbin/ip" -exiting = False -IPSEC_MARK = "1" - - -def unixctl_exit(conn, unused_argv, unused_aux): - global exiting - exiting = True - conn.reply(None) - - -# Class to configure the racoon daemon, which handles IKE negotiation -class Racoon(object): - # Default locations for files - conf_file = "/etc/racoon/racoon.conf" - cert_dir = "/etc/racoon/certs" - psk_file = "/etc/racoon/psk.txt" - - # Racoon configuration header we use for IKE - conf_header = """# Configuration file generated by Open vSwitch -# -# Do not modify by hand! - -path pre_shared_key "%s"; -path certificate "%s"; - -""" - - # Racoon configuration footer we use for IKE - conf_footer = """sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} - -""" - - # Certificate entry template. - cert_entry = """remote %s { - exchange_mode main; - nat_traversal on; - ike_frag on; - certificate_type x509 "%s" "%s"; - my_identifier asn1dn; - peers_identifier asn1dn; - peers_certfile x509 "%s"; - verify_identifier on; - proposal { - encryption_algorithm aes; - hash_algorithm sha1; - authentication_method rsasig; - dh_group 2; - } -} - -""" - - # Pre-shared key template. - psk_entry = """remote %s { - exchange_mode main; - nat_traversal on; - proposal { - encryption_algorithm aes; - hash_algorithm sha1; - authentication_method pre_shared_key; - dh_group 2; - } -} - -""" - - def __init__(self): - self.psk_hosts = {} - self.cert_hosts = {} - - if not os.path.isdir(root_prefix + self.cert_dir): - os.mkdir(self.cert_dir) - - # Clean out stale peer certs from previous runs - for ovs_cert in glob.glob("%s%s/ovs-*.pem" - % (root_prefix, self.cert_dir)): - try: - os.remove(ovs_cert) - except OSError: - vlog.warn("couldn't remove %s" % ovs_cert) - - # Replace racoon's conf file with our template - self.commit() - - def reload(self): - exitcode = subprocess.call([root_prefix + "/etc/init.d/racoon", - "reload"]) - if exitcode != 0: - # Racoon is finicky about its configuration file and will - # refuse to start if it sees something it doesn't like - # (e.g., a certificate file doesn't exist). Try restarting - # the process before giving up. - vlog.warn("attempting to restart racoon") - exitcode = subprocess.call([root_prefix + "/etc/init.d/racoon", - "restart"]) - if exitcode != 0: - vlog.warn("couldn't reload racoon") - - def commit(self): - # Rewrite the Racoon configuration file - conf_file = open(root_prefix + self.conf_file, 'w') - conf_file.write(Racoon.conf_header % (self.psk_file, self.cert_dir)) - - for host, vals in six.iteritems(self.cert_hosts): - conf_file.write(Racoon.cert_entry % (host, vals["certificate"], - vals["private_key"], vals["peer_cert_file"])) - - for host in self.psk_hosts: - conf_file.write(Racoon.psk_entry % host) - - conf_file.write(Racoon.conf_footer) - conf_file.close() - - # Rewrite the pre-shared keys file; it must only be readable by root. - orig_umask = os.umask(0o077) - psk_file = open(root_prefix + Racoon.psk_file, 'w') - os.umask(orig_umask) - - psk_file.write("# Generated by Open vSwitch...do not modify by hand!") - psk_file.write("\n\n") - for host, vals in six.iteritems(self.psk_hosts): - psk_file.write("%s %s\n" % (host, vals["psk"])) - psk_file.close() - - self.reload() - - def _add_psk(self, host, psk): - if host in self.cert_hosts: - raise error.Error("host %s already defined for cert" % host) - - self.psk_hosts[host] = psk - self.commit() - - def _verify_certs(self, vals): - # Racoon will refuse to start if the certificate files don't - # exist, so verify that they're there. - if not os.path.isfile(root_prefix + vals["certificate"]): - raise error.Error("'certificate' file does not exist: %s" - % vals["certificate"]) - elif not os.path.isfile(root_prefix + vals["private_key"]): - raise error.Error("'private_key' file does not exist: %s" - % vals["private_key"]) - - # Racoon won't start if a given certificate or private key isn't - # valid. This is a weak test, but will detect the most flagrant - # errors. - if vals["peer_cert"].find("-----BEGIN CERTIFICATE-----") == -1: - raise error.Error("'peer_cert' is not in valid PEM format") - - cert = open(root_prefix + vals["certificate"]).read() - if cert.find("-----BEGIN CERTIFICATE-----") == -1: - raise error.Error("'certificate' is not in valid PEM format") - - cert = open(root_prefix + vals["private_key"]).read() - if cert.find("-----BEGIN RSA PRIVATE KEY-----") == -1: - raise error.Error("'private_key' is not in valid PEM format") - - def _add_cert(self, host, vals): - if host in self.psk_hosts: - raise error.Error("host %s already defined for psk" % host) - - if vals["certificate"] is None: - raise error.Error("'certificate' not defined for %s" % host) - elif vals["private_key"] is None: - # Assume the private key is stored in the same PEM file as - # the certificate. We make a copy of "vals" so that we don't - # modify the original "vals", which would cause the script - # to constantly think that the configuration has changed - # in the database. - vals = vals.copy() - vals["private_key"] = vals["certificate"] - - self._verify_certs(vals) - - # The peer's certificate comes to us in PEM format as a string. - # Write that string to a file for Racoon to use. - f = open(root_prefix + vals["peer_cert_file"], "w") - f.write(vals["peer_cert"]) - f.close() - - self.cert_hosts[host] = vals - self.commit() - - def _del_cert(self, host): - peer_cert_file = self.cert_hosts[host]["peer_cert_file"] - del self.cert_hosts[host] - self.commit() - try: - os.remove(root_prefix + peer_cert_file) - except OSError: - pass - - def add_entry(self, host, vals): - if vals["peer_cert"]: - self._add_cert(host, vals) - elif vals["psk"]: - self._add_psk(host, vals) - - def del_entry(self, host): - if host in self.cert_hosts: - self._del_cert(host) - elif host in self.psk_hosts: - del self.psk_hosts[host] - self.commit() - - -# Class to configure IPsec on a system using racoon for IKE and setkey -# for maintaining the Security Association Database (SAD) and Security -# Policy Database (SPD). Only policies for GRE are supported. -class IPsec(object): - def __init__(self): - self.sad_flush() - self.spd_flush() - self.racoon = Racoon() - self.entries = [] - - def call_setkey(self, cmds): - try: - p = subprocess.Popen([root_prefix + SETKEY, "-c"], - stdin=subprocess.PIPE, - stdout=subprocess.PIPE) - except: - vlog.err("could not call %s%s" % (root_prefix, SETKEY)) - sys.exit(1) - - # xxx It is safer to pass the string into the communicate() - # xxx method, but it didn't work for slightly longer commands. - # xxx An alternative may need to be found. - p.stdin.write(cmds) - return p.communicate()[0] - - def call_ip_xfrm(self, cmds): - exitcode = subprocess.call([root_prefix + IP, "xfrm"] + cmds) - if exitcode != 0: - vlog.err("couldn't install IPsec policy that prevents " - "traffic from exiting unencrypted") - - def get_spi(self, local_ip, remote_ip, proto="esp"): - # Run the setkey dump command to retrieve the SAD. Then, parse - # the output looking for SPI buried in the output. Note that - # multiple SAD entries can exist for the same "flow", since an - # older entry could be in a "dying" state. - spi_list = [] - host_line = "%s %s" % (local_ip, remote_ip) - results = self.call_setkey("dump ;\n").split("\n") - for i in range(len(results)): - if results[i].strip() == host_line: - # The SPI is in the line following the host pair - spi_line = results[i + 1] - if (spi_line[1:4] == proto): - spi = spi_line.split()[2] - spi_list.append(spi.split('(')[1].rstrip(')')) - return spi_list - - def sad_flush(self): - self.call_setkey("flush;\n") - - def sad_del(self, local_ip, remote_ip): - # To delete all SAD entries, we should be able to use setkey's - # "deleteall" command. Unfortunately, it's fundamentally broken - # on Linux and not documented as such. - cmds = "" - - # Delete local_ip->remote_ip SAD entries - spi_list = self.get_spi(local_ip, remote_ip) - for spi in spi_list: - cmds += "delete %s %s esp %s;\n" % (local_ip, remote_ip, spi) - - # Delete remote_ip->local_ip SAD entries - spi_list = self.get_spi(remote_ip, local_ip) - for spi in spi_list: - cmds += "delete %s %s esp %s;\n" % (remote_ip, local_ip, spi) - - if cmds: - self.call_setkey(cmds) - - def spd_flush(self): - self.call_setkey("spdflush;\n") - self.call_ip_xfrm(["policy", "add", "src", "0.0.0.0/0", "dst", - "0.0.0.0/0", "proto", "gre", "dir", "out", - "mark", IPSEC_MARK, "mask", IPSEC_MARK, - "action", "block", "priority", "4294967295"]) - - def spd_add(self, local_ip, remote_ip): - cmds = ("spdadd %s %s gre -P out ipsec esp/transport//require;\n" % - (local_ip, remote_ip)) - cmds += ("spdadd %s %s gre -P in ipsec esp/transport//require;\n" % - (remote_ip, local_ip)) - self.call_setkey(cmds) - - def spd_del(self, local_ip, remote_ip): - cmds = "spddelete %s %s gre -P out;\n" % (local_ip, remote_ip) - cmds += "spddelete %s %s gre -P in;\n" % (remote_ip, local_ip) - self.call_setkey(cmds) - - def add_entry(self, local_ip, remote_ip, vals): - if remote_ip in self.entries: - raise error.Error("host %s already configured for ipsec" - % remote_ip) - - self.racoon.add_entry(remote_ip, vals) - self.spd_add(local_ip, remote_ip) - - self.entries.append(remote_ip) - - def del_entry(self, local_ip, remote_ip): - if remote_ip in self.entries: - self.racoon.del_entry(remote_ip) - self.spd_del(local_ip, remote_ip) - self.sad_del(local_ip, remote_ip) - - self.entries.remove(remote_ip) - - -def update_ipsec(ipsec, interfaces, new_interfaces): - for name, vals in six.iteritems(interfaces): - if name not in new_interfaces: - ipsec.del_entry(vals["local_ip"], vals["remote_ip"]) - - for name, vals in six.iteritems(new_interfaces): - orig_vals = interfaces.get(name) - if orig_vals: - # Configuration for this host already exists. Check if it's - # changed. We use set difference, since we want to ignore - # any local additions to "orig_vals" that we've made - # (e.g. the "peer_cert_file" key). - if set(vals.items()) - set(orig_vals.items()): - ipsec.del_entry(vals["local_ip"], vals["remote_ip"]) - else: - continue - - try: - ipsec.add_entry(vals["local_ip"], vals["remote_ip"], vals) - except error.Error as msg: - vlog.warn("skipping ipsec config for %s: %s" % (name, msg)) - - -def get_ssl_cert(data): - for ovs_rec in data["Open_vSwitch"].rows.values(): - if ovs_rec.ssl: - ssl = ovs_rec.ssl[0] - if ssl.certificate and ssl.private_key: - return (ssl.certificate, ssl.private_key) - - return None - - -def main(): - - parser = argparse.ArgumentParser() - parser.add_argument("database", metavar="DATABASE", - help="A socket on which ovsdb-server is listening.") - parser.add_argument("--root-prefix", metavar="DIR", - help="Use DIR as alternate root directory" - " (for testing).") - - ovs.vlog.add_args(parser) - ovs.daemon.add_args(parser) - args = parser.parse_args() - ovs.vlog.handle_args(args) - ovs.daemon.handle_args(args) - - global root_prefix - if args.root_prefix: - root_prefix = args.root_prefix - - remote = args.database - schema_helper = ovs.db.idl.SchemaHelper() - schema_helper.register_columns("Interface", ["name", "type", "options"]) - schema_helper.register_columns("Open_vSwitch", ["ssl"]) - schema_helper.register_columns("SSL", ["certificate", "private_key"]) - idl = ovs.db.idl.Idl(remote, schema_helper) - - ipsec = IPsec() - - ovs.daemon.daemonize() - - ovs.unixctl.command_register("exit", "", 0, 0, unixctl_exit, None) - error, unixctl_server = ovs.unixctl.server.UnixctlServer.create(None) - if error: - ovs.util.ovs_fatal(error, "could not create unixctl server", vlog) - - interfaces = {} - seqno = idl.change_seqno # Sequence number when we last processed the db - while True: - unixctl_server.run() - if exiting: - break - - idl.run() - if seqno == idl.change_seqno: - poller = ovs.poller.Poller() - unixctl_server.wait(poller) - idl.wait(poller) - poller.block() - continue - seqno = idl.change_seqno - - ssl_cert = get_ssl_cert(idl.tables) - - new_interfaces = {} - for rec in six.itervalues(idl.tables["Interface"].rows): - if rec.type == "ipsec_gre": - name = rec.name - options = rec.options - peer_cert_name = "ovs-%s.pem" % (options.get("remote_ip")) - entry = { - "remote_ip": options.get("remote_ip"), - "local_ip": options.get("local_ip", "0.0.0.0/0"), - "certificate": options.get("certificate"), - "private_key": options.get("private_key"), - "use_ssl_cert": options.get("use_ssl_cert"), - "peer_cert": options.get("peer_cert"), - "peer_cert_file": Racoon.cert_dir + "/" + peer_cert_name, - "psk": options.get("psk")} - - if entry["peer_cert"] and entry["psk"]: - vlog.warn("both 'peer_cert' and 'psk' defined for %s" - % name) - continue - elif not entry["peer_cert"] and not entry["psk"]: - vlog.warn("no 'peer_cert' or 'psk' defined for %s" % name) - continue - - # The "use_ssl_cert" option is deprecated and will - # likely go away in the near future. - if entry["use_ssl_cert"] == "true": - if not ssl_cert: - vlog.warn("no valid SSL entry for %s" % name) - continue - - entry["certificate"] = ssl_cert[0] - entry["private_key"] = ssl_cert[1] - - new_interfaces[name] = entry - - if interfaces != new_interfaces: - update_ipsec(ipsec, interfaces, new_interfaces) - interfaces = new_interfaces - - unixctl_server.close() - idl.close() - - -if __name__ == '__main__': - try: - main() - except SystemExit: - # Let system.exit() calls complete normally - raise - except: - vlog.exception("traceback") - sys.exit(ovs.daemon.RESTART_EXIT_CODE) diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c index ac31da6..02a246a 100644 --- a/lib/netdev-vport.c +++ b/lib/netdev-vport.c @@ -402,14 +402,13 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args) struct netdev_vport *dev = netdev_vport_cast(dev_); const char *name = netdev_get_name(dev_); const char *type = netdev_get_type(dev_); - bool ipsec_mech_set, needs_dst_port, has_csum; + bool needs_dst_port, has_csum; uint16_t dst_proto = 0, src_proto = 0; struct netdev_tunnel_config tnl_cfg; struct smap_node *node; has_csum = strstr(type, "gre") || strstr(type, "geneve") || strstr(type, "stt") || strstr(type, "vxlan"); - ipsec_mech_set = false; memset(&tnl_cfg, 0, sizeof tnl_cfg); /* Add a default destination port for tunnel ports if none specified. */ @@ -430,7 +429,6 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args) } needs_dst_port = netdev_vport_needs_dst_port(dev_); - tnl_cfg.ipsec = strstr(type, "ipsec"); tnl_cfg.dont_fragment = true; SMAP_FOR_EACH (node, args) { @@ -485,33 +483,6 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args) if (!strcmp(node->value, "false")) { tnl_cfg.dont_fragment = false; } - } else if (!strcmp(node->key, "peer_cert") && tnl_cfg.ipsec) { - if (smap_get(args, "certificate")) { - ipsec_mech_set = true; - } else { - const char *use_ssl_cert; - - /* If the "use_ssl_cert" is true, then "certificate" and - * "private_key" will be pulled from the SSL table. The - * use of this option is strongly discouraged, since it - * will like be removed when multiple SSL configurations - * are supported by OVS. - */ - use_ssl_cert = smap_get(args, "use_ssl_cert"); - if (!use_ssl_cert || strcmp(use_ssl_cert, "true")) { - VLOG_ERR("%s: 'peer_cert' requires 'certificate' argument", - name); - return EINVAL; - } - ipsec_mech_set = true; - } - } else if (!strcmp(node->key, "psk") && tnl_cfg.ipsec) { - ipsec_mech_set = true; - } else if (tnl_cfg.ipsec - && (!strcmp(node->key, "certificate") - || !strcmp(node->key, "private_key") - || !strcmp(node->key, "use_ssl_cert"))) { - /* Ignore options not used by the netdev. */ } else if (!strcmp(node->key, "key") || !strcmp(node->key, "in_key") || !strcmp(node->key, "out_key")) { @@ -539,41 +510,6 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args) } } - if (tnl_cfg.ipsec) { - static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER; - static pid_t pid = 0; - - VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name); - -#ifndef _WIN32 - ovs_mutex_lock(&mutex); - if (pid <= 0) { - char *file_name = xasprintf("%s/%s", ovs_rundir(), - "ovs-monitor-ipsec.pid"); - pid = read_pidfile(file_name); - free(file_name); - } - ovs_mutex_unlock(&mutex); -#endif - - if (pid < 0) { - VLOG_ERR("%s: IPsec requires the ovs-monitor-ipsec daemon", - name); - return EINVAL; - } - - if (smap_get(args, "peer_cert") && smap_get(args, "psk")) { - VLOG_ERR("%s: cannot define both 'peer_cert' and 'psk'", name); - return EINVAL; - } - - if (!ipsec_mech_set) { - VLOG_ERR("%s: IPsec requires an 'peer_cert' or psk' argument", - name); - return EINVAL; - } - } - if (!ipv6_addr_is_set(&tnl_cfg.ipv6_dst) && !tnl_cfg.ip_dst_flow) { VLOG_ERR("%s: %s type requires valid 'remote_ip' argument", name, type); @@ -898,7 +834,6 @@ netdev_vport_tunnel_register(void) TUNNEL_CLASS("gre", "gre_sys", netdev_gre_build_header, netdev_gre_push_header, netdev_gre_pop_header), - TUNNEL_CLASS("ipsec_gre", "gre_sys", NULL, NULL, NULL), TUNNEL_CLASS("vxlan", "vxlan_sys", netdev_vxlan_build_header, netdev_tnl_push_udp_header, netdev_vxlan_pop_header), diff --git a/lib/netdev.h b/lib/netdev.h index 634c665..bad28c4 100644 --- a/lib/netdev.h +++ b/lib/netdev.h @@ -97,7 +97,6 @@ struct netdev_tunnel_config { bool tos_inherit; bool csum; - bool ipsec; bool dont_fragment; }; diff --git a/ofproto/ofproto-dpif-ipfix.c b/ofproto/ofproto-dpif-ipfix.c index abea492..6b00b77 100644 --- a/ofproto/ofproto-dpif-ipfix.c +++ b/ofproto/ofproto-dpif-ipfix.c @@ -78,7 +78,6 @@ enum dpif_ipfix_tunnel_type { DPIF_IPFIX_TUNNEL_GRE = 0x02, DPIF_IPFIX_TUNNEL_LISP = 0x03, DPIF_IPFIX_TUNNEL_STT = 0x04, - DPIF_IPFIX_TUNNEL_IPSEC_GRE = 0x05, DPIF_IPFIX_TUNNEL_GENEVE = 0x07, NUM_DPIF_IPFIX_TUNNEL }; @@ -311,16 +310,12 @@ struct ipfix_data_record_flow_key_icmp { }); BUILD_ASSERT_DECL(sizeof(struct ipfix_data_record_flow_key_icmp) == 2); -/* For the tunnel type that is on the top of IPSec, the protocol identifier - * of the upper tunnel type is used. - */ static uint8_t tunnel_protocol[NUM_DPIF_IPFIX_TUNNEL] = { 0, /* reserved */ IPPROTO_UDP, /* DPIF_IPFIX_TUNNEL_VXLAN */ IPPROTO_GRE, /* DPIF_IPFIX_TUNNEL_GRE */ IPPROTO_UDP, /* DPIF_IPFIX_TUNNEL_LISP*/ IPPROTO_TCP, /* DPIF_IPFIX_TUNNEL_STT*/ - IPPROTO_GRE, /* DPIF_IPFIX_TUNNEL_IPSEC_GRE */ 0 , /* reserved */ IPPROTO_UDP, /* DPIF_IPFIX_TUNNEL_GENEVE*/ }; @@ -657,10 +652,6 @@ dpif_ipfix_add_tunnel_port(struct dpif_ipfix *di, struct ofport *ofport, /* 32-bit key gre */ dip->tunnel_type = DPIF_IPFIX_TUNNEL_GRE; dip->tunnel_key_length = 4; - } else if (strcmp(type, "ipsec_gre") == 0) { - /* 32-bit key ipsec_gre */ - dip->tunnel_type = DPIF_IPFIX_TUNNEL_IPSEC_GRE; - dip->tunnel_key_length = 4; } else if (strcmp(type, "vxlan") == 0) { dip->tunnel_type = DPIF_IPFIX_TUNNEL_VXLAN; dip->tunnel_key_length = 3; @@ -1728,12 +1719,6 @@ ipfix_cache_entry_init(struct ipfix_flow_cache_entry *entry, data_tunnel->tunnel_destination_ipv4_address = tunnel_key->ip_dst; /* The tunnel_protocol_identifier is from tunnel_proto array, which * contains protocol_identifiers of each tunnel type. - * For the tunnel type on the top of IPSec, which uses the protocol - * identifier of the upper tunnel type is used, the tcp_src and tcp_dst - * are decided based on the protocol identifiers. - * E.g: - * The protocol identifier of DPIF_IPFIX_TUNNEL_IPSEC_GRE is IPPROTO_GRE, - * and both tp_src and tp_dst are zero. */ data_tunnel->tunnel_protocol_identifier = tunnel_protocol[tunnel_port->tunnel_type]; diff --git a/ofproto/ofproto-dpif-sflow.c b/ofproto/ofproto-dpif-sflow.c index 11d3a53..9ea8851 100644 --- a/ofproto/ofproto-dpif-sflow.c +++ b/ofproto/ofproto-dpif-sflow.c @@ -61,7 +61,6 @@ enum dpif_sflow_tunnel_type { DPIF_SFLOW_TUNNEL_VXLAN, DPIF_SFLOW_TUNNEL_GRE, DPIF_SFLOW_TUNNEL_LISP, - DPIF_SFLOW_TUNNEL_IPSEC_GRE, DPIF_SFLOW_TUNNEL_GENEVE }; @@ -582,8 +581,6 @@ dpif_sflow_tunnel_type(struct ofport *ofport) { if (type) { if (strcmp(type, "gre") == 0) { return DPIF_SFLOW_TUNNEL_GRE; - } else if (strcmp(type, "ipsec_gre") == 0) { - return DPIF_SFLOW_TUNNEL_IPSEC_GRE; } else if (strcmp(type, "vxlan") == 0) { return DPIF_SFLOW_TUNNEL_VXLAN; } else if (strcmp(type, "lisp") == 0) { @@ -606,10 +603,6 @@ dpif_sflow_tunnel_proto(enum dpif_sflow_tunnel_type tunnel_type) ipproto = IPPROTO_GRE; break; - case DPIF_SFLOW_TUNNEL_IPSEC_GRE: - ipproto = IPPROTO_ESP; - break; - case DPIF_SFLOW_TUNNEL_VXLAN: case DPIF_SFLOW_TUNNEL_LISP: case DPIF_SFLOW_TUNNEL_GENEVE: diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c index 9a69071..97de59e 100644 --- a/ofproto/tunnel.c +++ b/ofproto/tunnel.c @@ -41,15 +41,11 @@ VLOG_DEFINE_THIS_MODULE(tunnel); -/* skb mark used for IPsec tunnel packets */ -#define IPSEC_MARK 1 - struct tnl_match { ovs_be64 in_key; struct in6_addr ipv6_src; struct in6_addr ipv6_dst; odp_port_t odp_port; - uint32_t pkt_mark; bool in_key_flow; bool ip_src_flow; bool ip_dst_flow; @@ -164,7 +160,6 @@ tnl_port_add__(const struct ofport_dpif *ofport, const struct netdev *netdev, tnl_port->match.ipv6_dst = cfg->ipv6_dst; tnl_port->match.ip_src_flow = cfg->ip_src_flow; tnl_port->match.ip_dst_flow = cfg->ip_dst_flow; - tnl_port->match.pkt_mark = cfg->ipsec ? IPSEC_MARK : 0; tnl_port->match.in_key_flow = cfg->in_key_flow; tnl_port->match.odp_port = odp_port; @@ -357,7 +352,6 @@ tnl_process_ecn(struct flow *flow) flow->nw_tos |= IP_ECN_CE; } - flow->pkt_mark &= ~IPSEC_MARK; return true; } @@ -383,8 +377,6 @@ tnl_wc_init(struct flow *flow, struct flow_wildcards *wc) wc->masks.tunnel.tp_src = 0; wc->masks.tunnel.tp_dst = 0; - memset(&wc->masks.pkt_mark, 0xff, sizeof wc->masks.pkt_mark); - if (is_ip_any(flow) && IP_ECN_is_ce(flow->tunnel.ip_tos)) { wc->masks.nw_tos |= IP_ECN_MASK; @@ -435,9 +427,6 @@ tnl_port_send(const struct ofport_dpif *ofport, struct flow *flow, flow->tunnel.ipv6_dst = in6addr_any; } } - flow->pkt_mark |= tnl_port->match.pkt_mark; - wc->masks.pkt_mark |= tnl_port->match.pkt_mark; - if (!cfg->out_key_flow) { flow->tunnel.tun_id = cfg->out_key; } @@ -561,7 +550,6 @@ tnl_find(const struct flow *flow) OVS_REQ_RDLOCK(rwlock) match.ipv6_dst = flow_tnl_src(&flow->tunnel); } match.odp_port = flow->in_port.odp_port; - match.pkt_mark = flow->pkt_mark; match.in_key_flow = in_key_flow; match.ip_dst_flow = ip_dst_flow; match.ip_src_flow = ip_src == IP_SRC_FLOW; @@ -616,7 +604,6 @@ tnl_match_fmt(const struct tnl_match *match, struct ds *ds) } ds_put_format(ds, ", dp port=%"PRIu32, match->odp_port); - ds_put_format(ds, ", pkt mark=%"PRIu32, match->pkt_mark); } static void diff --git a/tests/automake.mk b/tests/automake.mk index 8ac98bf..a2b7786 100644 --- a/tests/automake.mk +++ b/tests/automake.mk @@ -82,7 +82,6 @@ TESTSUITE_AT = \ tests/ovsdb-idl.at \ tests/ovsdb-lock.at \ tests/ovs-vsctl.at \ - tests/ovs-monitor-ipsec.at \ tests/ovs-xapi-sync.at \ tests/stp.at \ tests/rstp.at \ diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at index 79dedf4..92ab9ab 100644 --- a/tests/ofproto-macros.at +++ b/tests/ofproto-macros.at @@ -468,53 +468,4 @@ m4_define([WAIT_FOR_DUMMY_PORTS], \ OVS_WAIT_WHILE([ovs-appctl netdev-dummy/conn-state dummy_port \ | grep 'unknown\|disconnected'])])]) -# OVS_MONITOR_IPSEC_START() -# -# Starts ovs-monitor-ipsec daemon. Use this macro only after testing -# that python is present on the system. -m4_define([OVS_MONITOR_IPSEC_START], -[ -cp "$top_srcdir/vswitchd/vswitch.ovsschema" . - -on_exit 'kill `cat pid ovs-monitor-ipsec.pid`' -mkdir etc etc/init.d etc/racoon etc/racoon/certs -mkdir usr usr/sbin -mkdir sbin - -AT_DATA([etc/init.d/racoon], [dnl -#! /bin/sh -echo "racoon: @S|@@" >&3 -exit 0 -]) -chmod +x etc/init.d/racoon - -AT_DATA([usr/sbin/setkey], [dnl -#! /bin/sh -exec >&3 -echo "setkey:" -while read line; do - echo "> $line" -done -]) -chmod +x usr/sbin/setkey - -AT_DATA([sbin/ip], [dnl -#! /bin/sh -exit 0 -]) -chmod +x sbin/ip - -touch etc/racoon/certs/ovs-stale.pem - -### -### Start ovs-monitor-ipsec and wait for it to delete the stale cert. -### -AT_CHECK( - [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \ - "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \ - unix:$OVS_RUNDIR/db.sock 2>log 3>actions &]) -AT_CAPTURE_FILE([log]) -AT_CAPTURE_FILE([actions]) -OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem]) -]) diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at index 372db27..00ee482 100644 --- a/tests/ovn-controller.at +++ b/tests/ovn-controller.at @@ -195,7 +195,7 @@ OVS_WAIT_UNTIL([check_datapath_type ""]) # The following will need to be updated as OVS starts to support more # interface types. -expected_iface_types="dummy,dummy-internal,dummy-pmd,geneve,gre,internal,ipsec_gre,lisp,patch,stt,system,tap,vxlan" +expected_iface_types="dummy,dummy-internal,dummy-pmd,geneve,gre,internal,lisp,patch,stt,system,tap,vxlan" chassis_iface_types=$(ovn-sbctl get Chassis ${sysid} external_ids:iface-types | sed -e 's/\"//g') echo "chassis_iface_types = ${chassis_iface_types}" AT_CHECK([test "${expected_iface_types}" = "${chassis_iface_types}"]) diff --git a/tests/ovs-monitor-ipsec.at b/tests/ovs-monitor-ipsec.at deleted file mode 100644 index cae2878..0000000 --- a/tests/ovs-monitor-ipsec.at +++ /dev/null @@ -1,271 +0,0 @@ -AT_BANNER([ovs-monitor-ipsec]) - -AT_SETUP([ovs-monitor-ipsec]) -AT_SKIP_IF([test $HAVE_PYTHON = no]) -AT_SKIP_IF([test "$IS_WIN32" = "yes"]) -AT_SKIP_IF([$non_ascii_cwd]) - -trim () { # Removes blank lines and lines starting with # from input. - sed -e '/^#/d' -e '/^[ ]*$/d' "$@" -} - -OVS_VSWITCHD_START([]) -OVS_MONITOR_IPSEC_START - -### -### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does -### -AT_CHECK([ovs-vsctl \ - -- add-port br0 gre0 \ - -- set interface gre0 type=ipsec_gre \ - options:remote_ip=1.2.3.4 \ - options:psk=swordfish]) -OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null]) -AT_CHECK([cat actions], [0], [dnl -setkey: -> flush; -setkey: -> spdflush; -racoon: reload -racoon: reload -setkey: -> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require; -> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require; -]) -AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish -]) -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl -path pre_shared_key "/etc/racoon/psk.txt"; -path certificate "/etc/racoon/certs"; -remote 1.2.3.4 { - exchange_mode main; - nat_traversal on; - proposal { - encryption_algorithm aes; - hash_algorithm sha1; - authentication_method pre_shared_key; - dh_group 2; - } -} -sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} -]) - -### -### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does -### -AT_CHECK([ovs-vsctl del-port gre0]) -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17]) -AT_CHECK([sed '1,9d' actions], [0], [dnl -racoon: reload -setkey: -> spddelete 0.0.0.0/0 1.2.3.4 gre -P out; -> spddelete 1.2.3.4 0.0.0.0/0 gre -P in; -setkey: -> dump ; -setkey: -> dump ; -]) -AT_CHECK([trim etc/racoon/psk.txt], [0], []) -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl -path pre_shared_key "/etc/racoon/psk.txt"; -path certificate "/etc/racoon/certs"; -sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} -]) - -### -### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does -### -AT_DATA([cert.pem], [dnl ------BEGIN CERTIFICATE----- -(not a real certificate) ------END CERTIFICATE----- -]) -AT_DATA([key.pem], [dnl ------BEGIN RSA PRIVATE KEY----- -(not a real private key) ------END RSA PRIVATE KEY----- -]) -AT_CHECK([ovs-vsctl \ - -- add-port br0 gre1 \ - -- set Interface gre1 type=ipsec_gre \ - options:remote_ip=2.3.4.5 \ - options:peer_cert='"-----BEGIN CERTIFICATE----- -(not a real peer certificate) ------END CERTIFICATE----- -"' \ - options:certificate='"/cert.pem"' \ - options:private_key='"/key.pem"']) -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21]) -AT_CHECK([sed '1,17d' actions], [0], [dnl -racoon: reload -setkey: -> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require; -> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require; -]) -AT_CHECK([trim etc/racoon/psk.txt], [0], []) -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl -path pre_shared_key "/etc/racoon/psk.txt"; -path certificate "/etc/racoon/certs"; -remote 2.3.4.5 { - exchange_mode main; - nat_traversal on; - ike_frag on; - certificate_type x509 "/cert.pem" "/key.pem"; - my_identifier asn1dn; - peers_identifier asn1dn; - peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem"; - verify_identifier on; - proposal { - encryption_algorithm aes; - hash_algorithm sha1; - authentication_method rsasig; - dh_group 2; - } -} -sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} -]) -AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl ------BEGIN CERTIFICATE----- -(not a real peer certificate) ------END CERTIFICATE----- -]) - -### -### Delete the ipsec_gre certificate interface. -### -AT_CHECK([ovs-vsctl del-port gre1]) -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29]) -AT_CHECK([sed '1,21d' actions], [0], [dnl -racoon: reload -setkey: -> spddelete 0.0.0.0/0 2.3.4.5 gre -P out; -> spddelete 2.3.4.5 0.0.0.0/0 gre -P in; -setkey: -> dump ; -setkey: -> dump ; -]) -AT_CHECK([trim etc/racoon/psk.txt], [0], []) -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl -path pre_shared_key "/etc/racoon/psk.txt"; -path certificate "/etc/racoon/certs"; -sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} -]) -AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem]) - -### -### Add an SSL certificate interface. -### -cp cert.pem ssl-cert.pem -cp key.pem ssl-key.pem -AT_DATA([ssl-cacert.pem], [dnl ------BEGIN CERTIFICATE----- -(not a real CA certificate) ------END CERTIFICATE----- -]) -AT_CHECK([ovs-vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \ - -- add-port br0 gre2 \ - -- set Interface gre2 type=ipsec_gre \ - options:remote_ip=3.4.5.6 \ - options:peer_cert='"-----BEGIN CERTIFICATE----- -(not a real peer certificate) ------END CERTIFICATE----- -"' \ - options:use_ssl_cert='"true"']) -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33]) -AT_CHECK([sed '1,29d' actions], [0], [dnl -racoon: reload -setkey: -> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require; -> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require; -]) -AT_CHECK([trim etc/racoon/psk.txt], [0], []) -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl -path pre_shared_key "/etc/racoon/psk.txt"; -path certificate "/etc/racoon/certs"; -remote 3.4.5.6 { - exchange_mode main; - nat_traversal on; - ike_frag on; - certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem"; - my_identifier asn1dn; - peers_identifier asn1dn; - peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem"; - verify_identifier on; - proposal { - encryption_algorithm aes; - hash_algorithm sha1; - authentication_method rsasig; - dh_group 2; - } -} -sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} -]) -AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl ------BEGIN CERTIFICATE----- -(not a real peer certificate) ------END CERTIFICATE----- -]) - -### -### Delete the SSL certificate interface. -### -AT_CHECK([ovs-vsctl del-port gre2]) -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41]) -AT_CHECK([sed '1,33d' actions], [0], [dnl -racoon: reload -setkey: -> spddelete 0.0.0.0/0 3.4.5.6 gre -P out; -> spddelete 3.4.5.6 0.0.0.0/0 gre -P in; -setkey: -> dump ; -setkey: -> dump ; -]) -AT_CHECK([trim etc/racoon/psk.txt], [0], []) -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl -path pre_shared_key "/etc/racoon/psk.txt"; -path certificate "/etc/racoon/certs"; -sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} -]) -AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem]) - -dnl Skip SSL errors reported by Open vSwitch -OVS_VSWITCHD_STOP(["/stream_ssl/d"]) -AT_CLEANUP diff --git a/tests/testsuite.at b/tests/testsuite.at index f5f1253..2123bee 100644 --- a/tests/testsuite.at +++ b/tests/testsuite.at @@ -63,7 +63,6 @@ m4_include([tests/bridge.at]) m4_include([tests/netdev-type.at]) m4_include([tests/ovsdb.at]) m4_include([tests/ovs-vsctl.at]) -m4_include([tests/ovs-monitor-ipsec.at]) m4_include([tests/ovs-xapi-sync.at]) m4_include([tests/interface-reconfigure.at]) m4_include([tests/stp.at]) diff --git a/tests/tunnel-push-pop-ipv6.at b/tests/tunnel-push-pop-ipv6.at index c213a85..16dc571 100644 --- a/tests/tunnel-push-pop-ipv6.at +++ b/tests/tunnel-push-pop-ipv6.at @@ -158,7 +158,7 @@ AT_CHECK([ovs-ofctl dump-ports int-br | grep 'port 5'], [0], [dnl port 5: rx pkts=1, bytes=98, drop=?, errs=?, frame=?, over=?, crc=? ]) AT_CHECK([ovs-appctl dpif/dump-flows int-br | grep 'in_port(6081)'], [0], [dnl -tunnel(tun_id=0x7b,ipv6_src=2001:cafe::92,ipv6_dst=2001:cafe::88,geneve({class=0xffff,type=0x80,len=4,0xa/0xf}{class=0xffff,type=0,len=4}),flags(-df-csum+key)),skb_mark(0),recirc_id(0),in_port(6081),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(controller)) +tunnel(tun_id=0x7b,ipv6_src=2001:cafe::92,ipv6_dst=2001:cafe::88,geneve({class=0xffff,type=0x80,len=4,0xa/0xf}{class=0xffff,type=0,len=4}),flags(-df-csum+key)),recirc_id(0),in_port(6081),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(controller)) ]) OVS_VSWITCHD_STOP diff --git a/tests/tunnel-push-pop.at b/tests/tunnel-push-pop.at index 8245bf1..700ef55 100644 --- a/tests/tunnel-push-pop.at +++ b/tests/tunnel-push-pop.at @@ -163,7 +163,7 @@ AT_CHECK([ovs-ofctl dump-ports int-br | grep 'port 5'], [0], [dnl port 5: rx pkts=1, bytes=98, drop=?, errs=?, frame=?, over=?, crc=? ]) AT_CHECK([ovs-appctl dpif/dump-flows int-br | grep 'in_port(6081)'], [0], [dnl -tunnel(tun_id=0x7b,src=1.1.2.92,dst=1.1.2.88,geneve({class=0xffff,type=0x80,len=4,0xa/0xf}{class=0xffff,type=0,len=4}),flags(-df-csum+key)),skb_mark(0),recirc_id(0),in_port(6081),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(controller)) +tunnel(tun_id=0x7b,src=1.1.2.92,dst=1.1.2.88,geneve({class=0xffff,type=0x80,len=4,0xa/0xf}{class=0xffff,type=0,len=4}),flags(-df-csum+key)),recirc_id(0),in_port(6081),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(controller)) ]) OVS_VSWITCHD_STOP diff --git a/tests/tunnel.at b/tests/tunnel.at index dbc6a11..647a466 100644 --- a/tests/tunnel.at +++ b/tests/tunnel.at @@ -82,28 +82,28 @@ AT_CHECK([ovs-appctl dpif/show | tail -n +3], [0], [dnl dnl Tunnel CE and encapsulated packet CE AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=3,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=3,nw_frag=no + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=3,nw_frag=no Datapath actions: 2 ]) dnl Tunnel CE and encapsulated packet ECT(1) AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=1,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=1,nw_frag=no + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=1,nw_frag=no Datapath actions: set(ipv4(tos=0x3/0x3)),2 ]) dnl Tunnel CE and encapsulated packet ECT(2) AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=2,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=2,nw_frag=no + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=2,nw_frag=no Datapath actions: set(ipv4(tos=0x3/0x3)),2 ]) dnl Tunnel CE and encapsulated packet Non-ECT AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=0,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=0,nw_frag=no + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=0,nw_frag=no Datapath actions: drop ]) OVS_VSWITCHD_STOP(["/dropping tunnel packet marked ECN CE but is not ECN capable/d"]) @@ -196,75 +196,6 @@ AT_CHECK([tail -1 stdout], [0], OVS_VSWITCHD_STOP AT_CLEANUP -AT_SETUP([tunnel - encrypted tunnel and not setting skb_mark]) -AT_SKIP_IF([test $HAVE_PYTHON = no]) -AT_SKIP_IF([test "$IS_WIN32" = "yes"]) -AT_SKIP_IF([$non_ascii_cwd]) -OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \ - options:remote_ip=1.1.1.1 options:local_ip=2.2.2.2 \ - options:key=5 ofport_request=1\ - -- add-port br0 p2 -- set Interface p2 type=dummy \ - ofport_request=2 ofport_request=2]) -AT_DATA([flows.txt], [dnl -actions=output:1 -]) -OVS_MONITOR_IPSEC_START -AT_CHECK([ovs-vsctl set interface p1 type=ipsec_gre options:psk=1234567890]) -OVS_VSWITCHD_DISABLE_TUNNEL_PUSH_POP -AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(2),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) -AT_CHECK([tail -1 stdout], [0], - [Datapath actions: set(tunnel(tun_id=0x5,src=2.2.2.2,dst=1.1.1.1,ttl=64,flags(df|key))),set(skb_mark(0x1/0x1)),1 -]) -OVS_VSWITCHD_STOP -AT_CLEANUP - -AT_SETUP([tunnel - encrypted tunnel and setting skb_mark to 1]) -AT_SKIP_IF([test $HAVE_PYTHON = no]) -AT_SKIP_IF([test "$IS_WIN32" = "yes"]) -AT_SKIP_IF([$non_ascii_cwd]) -OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \ - options:remote_ip=1.1.1.1 options:local_ip=2.2.2.2 \ - options:key=5 ofport_request=1\ - -- add-port br0 p2 -- set Interface p2 type=dummy \ - ofport_request=2 ofport_request=2]) -AT_DATA([flows.txt], [dnl -actions=load:0x1->NXM_NX_PKT_MARK[[]],output:1 -]) -OVS_MONITOR_IPSEC_START -AT_CHECK([ovs-vsctl set interface p1 type=ipsec_gre options:psk=1234567890]) -OVS_VSWITCHD_DISABLE_TUNNEL_PUSH_POP -AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(2),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) -AT_CHECK([tail -1 stdout], [0], - [Datapath actions: set(tunnel(tun_id=0x5,src=2.2.2.2,dst=1.1.1.1,ttl=64,flags(df|key))),set(skb_mark(0x1)),1 -]) -OVS_VSWITCHD_STOP -AT_CLEANUP - -AT_SETUP([tunnel - encrypted tunnel and setting skb_mark to 2]) -AT_SKIP_IF([test $HAVE_PYTHON = no]) -AT_SKIP_IF([test "$IS_WIN32" = "yes"]) -AT_SKIP_IF([$non_ascii_cwd]) -OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \ - options:remote_ip=1.1.1.1 options:local_ip=2.2.2.2 \ - options:key=5 ofport_request=1\ - -- add-port br0 p2 -- set Interface p2 type=dummy \ - ofport_request=2 ofport_request=2]) -AT_DATA([flows.txt], [dnl -actions=load:0x2->NXM_NX_PKT_MARK[[]],output:1 -]) -OVS_MONITOR_IPSEC_START -AT_CHECK([ovs-vsctl set interface p1 type=ipsec_gre options:psk=1234567890]) -OVS_VSWITCHD_DISABLE_TUNNEL_PUSH_POP -AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(2),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) -AT_CHECK([tail -1 stdout], [0], - [Datapath actions: set(tunnel(tun_id=0x5,src=2.2.2.2,dst=1.1.1.1,ttl=64,flags(df|key))),set(skb_mark(0x3)),1 -]) -OVS_VSWITCHD_STOP -AT_CLEANUP - AT_SETUP([tunnel - ToS and TTL inheritance]) OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \ options:remote_ip=1.1.1.1 options:tos=inherit \ @@ -559,14 +490,14 @@ AT_CHECK([tail -1 stdout], [0], dnl Option match AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,type=0,len=4,0xb}),flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/0xf,in_port=1,nw_frag=no + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/0xf,in_port=1,nw_frag=no Datapath actions: 2 ]) dnl Skip unknown option AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,type=0,len=4,0xb}{class=0xffff,type=2,len=4,0xc}),flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/0xf,in_port=1,nw_frag=no + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/0xf,in_port=1,nw_frag=no Datapath actions: 2 ]) @@ -600,7 +531,7 @@ AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=3,len=8}->tun_metadata3" AT_CHECK([ovs-ofctl add-flow br0 tun_metadata3=0x1234567890abcdef,actions=2]) AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,type=3,len=8,0x1234567890abcdef}),flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata3=0x1234567890abcdef,in_port=1,nw_frag=no + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata3=0x1234567890abcdef,in_port=1,nw_frag=no Datapath actions: 2 ]) @@ -635,13 +566,13 @@ NXST_FLOW reply: AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,type=0,len=4,0x12345678}),flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0,tun_metadata1=NP,tun_metadata2=NP,in_port=1,nw_frag=no + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0,tun_metadata1=NP,tun_metadata2=NP,in_port=1,nw_frag=no Datapath actions: 2 ]) AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,type=1,len=0}),flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata1,tun_metadata2=NP,in_port=1,nw_ecn=0,nw_frag=no + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata1,tun_metadata2=NP,in_port=1,nw_ecn=0,nw_frag=no Datapath actions: set(tunnel(tun_id=0x0,dst=1.1.1.1,ttl=64,geneve({class=0xffff,type=0x1,len=0}),flags(df|key))),6081 ]) diff --git a/utilities/bugtool/ovs-bugtool.in b/utilities/bugtool/ovs-bugtool.in index 2ec2f2a..963c50c 100755 --- a/utilities/bugtool/ovs-bugtool.in +++ b/utilities/bugtool/ovs-bugtool.in @@ -630,7 +630,7 @@ exclude those logs from the archive. ovs_logs = ([OPENVSWITCH_LOG_DIR + x for x in ['ovs-vswitchd.log', 'ovsdb-server.log', - 'ovs-xapi-sync.log', 'ovs-monitor-ipsec.log', 'ovs-ctl.log']]) + 'ovs-xapi-sync.log', 'ovs-ctl.log']]) for log in ovs_logs: prefix_output(CAP_OPENVSWITCH_LOGS, log, last_mod_time=log_last_mod_time) diff --git a/utilities/ovs-appctl.8.in b/utilities/ovs-appctl.8.in index 0eda7f2..645b62b 100644 --- a/utilities/ovs-appctl.8.in +++ b/utilities/ovs-appctl.8.in @@ -254,8 +254,8 @@ The default pattern for console and file output is \fB%D{%Y-%m-%dT %H:%M:%SZ}|%05N|%c|%p|%m\fR; for syslog output, \fB%05N|%c|%p|%m\fR. . .IP -Daemons written in Python (e.g. \fBovs\-xapi\-sync\fR, -\fBovs\-monitor\-ipsec) do not allow control over the log pattern. +Daemons written in Python (e.g. \fBovs\-xapi\-sync\fR) do not allow +control over the log pattern. . .IP "\fBvlog/set\fR FACILITY:\fIfacility\fR" Sets the RFC5424 facility of the log message. \fIfacility\fR can be one of diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index 976f3ca..8ff3853 100644 --- a/vswitchd/vswitch.xml +++ b/vswitchd/vswitch.xml @@ -2004,15 +2004,6 @@ tunnel. </dd> - <dt><code>ipsec_gre</code></dt> - <dd> - An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4/IPv6 - IPsec tunnel. - IPsec tunnel ports are deprecated. The support will be completely - removed in next version. - - </dd> - <dt><code>vxlan</code></dt> <dd> <p> @@ -2075,8 +2066,8 @@ <group title="Tunnel Options"> <p> These options apply to interfaces with <ref column="type"/> of - <code>geneve</code>, <code>gre</code>, <code>ipsec_gre</code>, - <code>vxlan</code>, <code>lisp</code> and <code>stt</code>. + <code>geneve</code>, <code>gre</code>, <code>vxlan</code>, + <code>lisp</code> and <code>stt</code>. </p> <p> @@ -2253,9 +2244,9 @@ </group> - <group title="Tunnel Options: gre, ipsec_gre, geneve, and vxlan"> + <group title="Tunnel Options: gre, geneve, and vxlan"> <p> - <code>gre</code>, <code>ipsec_gre</code>, <code>geneve</code>, and + <code>gre</code>, <code>geneve</code>, and <code>vxlan</code> interfaces support these options. </p> @@ -2277,43 +2268,6 @@ is compatible with. </p> - <p> - This option is supported for <code>ipsec_gre</code>, but not useful - because GRE checksums are weaker than, and redundant with, IPsec - payload authentication. - </p> - </column> - </group> - - <group title="Tunnel Options: ipsec_gre only"> - <p> - Only <code>ipsec_gre</code> interfaces support these options. - </p> - - <column name="options" key="peer_cert"> - Required for certificate authentication. A string containing the - peer's certificate in PEM format. Additionally the host's - certificate must be specified with the <code>certificate</code> - option. - </column> - - <column name="options" key="certificate"> - Required for certificate authentication. The name of a PEM file - containing a certificate that will be presented to the peer during - authentication. - </column> - - <column name="options" key="private_key"> - Optional for certificate authentication. The name of a PEM file - containing the private key associated with <code>certificate</code>. - If <code>certificate</code> contains the private key, this option may - be omitted. - </column> - - <column name="options" key="psk"> - Required for pre-shared key authentication. Specifies a pre-shared - key for authentication that must be identical on both sides of the - tunnel. </column> </group> </group> @@ -4774,8 +4728,7 @@ <p>type: unsigned 8-bit integer.</p> <p>data type semantics: identifier.</p> <p>description: Identifier of the layer 2 network overlay network - encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x05 IPsec+GRE, - 0x07 GENEVE.</p> + encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x07 GENEVE.</p> </dd> <dt>tunnelKey:</dt> <dd>
OVS GRE IPsec tunnel support has multiple issues, Therefore it was deprecated in OVS 2.6. Following patch removes support GRE IPsec and allow external IPsec tunnel management for any type of tunnel not just GRE. e.g. user can encrpt Geneve or VxLan traffic. It can be done by using openflow pipeline to set skb-mark and using xfrm to implement IPsec tunnels. xfrm can match on the skb-mark to encrypt selective tunnel traffic. VMware-BZ: 1710701 Signed-off-by: Pravin B Shelar <pshelar@ovn.org> --- This is targeted for OVS master branch only. --- NEWS | 1 + README.md | 2 +- debian/automake.mk | 7 - debian/control | 24 -- debian/openvswitch-ipsec.dirs | 1 - debian/openvswitch-ipsec.init | 203 ---------------- debian/openvswitch-ipsec.install | 1 - debian/ovs-monitor-ipsec | 507 --------------------------------------- lib/netdev-vport.c | 67 +----- lib/netdev.h | 1 - ofproto/ofproto-dpif-ipfix.c | 15 -- ofproto/ofproto-dpif-sflow.c | 7 - ofproto/tunnel.c | 13 - tests/automake.mk | 1 - tests/ofproto-macros.at | 49 ---- tests/ovn-controller.at | 2 +- tests/ovs-monitor-ipsec.at | 271 --------------------- tests/testsuite.at | 1 - tests/tunnel-push-pop-ipv6.at | 2 +- tests/tunnel-push-pop.at | 2 +- tests/tunnel.at | 87 +------ utilities/bugtool/ovs-bugtool.in | 2 +- utilities/ovs-appctl.8.in | 4 +- vswitchd/vswitch.xml | 57 +---- 24 files changed, 23 insertions(+), 1304 deletions(-) delete mode 100644 debian/openvswitch-ipsec.dirs delete mode 100755 debian/openvswitch-ipsec.init delete mode 100644 debian/openvswitch-ipsec.install delete mode 100755 debian/ovs-monitor-ipsec delete mode 100644 tests/ovs-monitor-ipsec.at