Message ID | 20201221101021.3904963-1-mark.d.gray@redhat.com
---|---
State | Changes Requested
Series | [ovs-dev] ovs-monitor-ipsec: Add support for tunnel 'local_ip'
On 21 Dec 2020, at 11:10, Mark Gray wrote:

> In the libreswan case, 'ovs-monitor-ipsec' sets
> 'left' to '%defaultroute' which will use the local address
> of the default route interface as the source IP address. In
> multihomed environments, this may not be correct if the user
> wants to specify what the source IP address is. In OVS, this
> can be set for tunnel ports using the 'local_ip' option. This
> patch also uses that option to populate the 'ipsec.conf'
> configuration. If the 'local_ip' option is not present, it
> will default to the previous behaviour of using '%defaultroute'
>
> Signed-off-by: Mark Gray <mark.d.gray@redhat.com>

Change looks good, and verified in my setup. Maybe you also want to change the Documentation/tutorials/ipsec.rst to include the new output.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in index b84608a55d8a..7b1d94593636 100755 --- a/ipsec/ovs-monitor-ipsec.in +++ b/ipsec/ovs-monitor-ipsec.in @@ -416,11 +416,11 @@ conn prevent_unencrypted_vxlan """ auth_tmpl = {"psk": Template("""\ - left=%defaultroute + left=$local_ip right=$remote_ip authby=secret"""), "pki_remote": Template("""\ - left=%defaultroute + left=$local_ip right=$remote_ip leftid=@$local_name rightid=@$remote_name @@ -428,7 +428,7 @@ conn prevent_unencrypted_vxlan rightcert="$remote_name" leftrsasigkey=%cert"""), "pki_ca": Template("""\ - left=%defaultroute + left=$local_ip right=$remote_ip leftid=@$local_name rightid=@$remote_name @@ -750,6 +750,7 @@ class IPsecTunnel(object): unixctl_config_tmpl = Template("""\ Tunnel Type: $tunnel_type + Local IP: $local_ip Remote IP: $remote_ip SKB mark: $skb_mark Local cert: $certificate @@ -790,6 +791,7 @@ class IPsecTunnel(object): new_conf = { "ifname": self.name, "tunnel_type": row.type, + "local_ip": options.get("local_ip", "%defaultroute"), "remote_ip": options.get("remote_ip"), "skb_mark": monitor.conf["skb_mark"], "certificate": monitor.conf["pki"]["certificate"],
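Review bot: in the last hunk, `"local_ip": options.get("local_ip", "%defaultroute")` copies the tunnel port option straight into the `left=` line of the three libreswan templates (`psk`, `pki_remote`, `pki_ca`) without any validation, so a `local_ip` value that is not an address literal libreswan can parse would make the whole connection definition fail to load instead of degrading gracefully; consider checking that the value parses as an IPv4 or IPv6 address (for example with `ipaddress.ip_address`) and, if it does not, logging a warning and falling back to `%defaultroute` as the previous behaviour did. Since only the libreswan templates are changed and the commit message itself says "In the libreswan case", it should also state whether the other backend is intentionally left on its current behaviour, and the new `Local IP: $local_ip` line in `unixctl_config_tmpl` should be reflected in Documentation/tutorials/ipsec.rst, as Eelco already suggested.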
In the libreswan case, 'ovs-monitor-ipsec' sets 'left' to '%defaultroute' which will use the local address of the default route interface as the source IP address. In multihomed environments, this may not be correct if the user wants to specify what the source IP address is. In OVS, this can be set for tunnel ports using the 'local_ip' option. This patch also uses that option to populate the 'ipsec.conf' configuration. If the 'local_ip' option is not present, it will default to the previous behaviour of using '%defaultroute'

Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
---
 ipsec/ovs-monitor-ipsec.in | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)