| Message ID | 20260518104337.102446-1-moloings@redhat.com |
|---|---|
| State | Changes Requested |
| Series | [ovs-dev,1/1] IPsec: Add IPsec backend debug options. |
| Context | Check | Description |
|---|---|---|
| ovsrobot/apply-robot | success | apply and check: success |
| ovsrobot/github-robot-_ovn-kubernetes | success | github build: passed |
| ovsrobot/github-robot-_Build_and_Test | fail | github build: failed |
| ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
| ovsrobot/github-robot-_ovn-kubernetes | success | github build: passed |
On Mon, May 18, 2026 at 09:28:16AM -0400, 0-day Robot wrote:
> From: robot@bytheb.org
>
> Test-Label: github-robot: Build and Test
> Test-Status: fail
> http://patchwork.ozlabs.org/api/patches/2239751/
>
> _github build: failed_
> Build URL: https://github.com/ovsrobot/ovn/actions/runs/26029686531
> Recheck-request: github-robot-_Build_and_Test
Hi Mairtin, The options documentation for the NB_Global table in ovn-nb.xml should be updated to document this change. Indicate that options preceded by "ipsec_" will be passed to OVS. If you can point to a specific document in OVS that documents the valid IPsec options, then that would be good, too. See below for some additional notes. On Mon, May 18, 2026 at 6:44 AM Mairtin O'Loingsigh via dev <ovs-dev@openvswitch.org> wrote: > > Add ability to pass any nb_global option with the ipsec prefix to sb, which > will get used by ovs-monitor-ipsec to configure IPsec backend. For > example > > ovn-nbctl set nb_global . options:ipsec_replay-window=128 > ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s > ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s > ovn-nbctl set nb_global . options:ipsec_salifetime=8h > > Reported-at: https://redhat.atlassian.net/browse/FDP-3029 > Signed-off-by: Mairtin O'Loingsigh <moloings@redhat.com> > --- > Documentation/tutorials/ovn-ipsec.rst | 5 +++++ > NEWS | 1 + > controller/encaps.c | 13 +++++++++++++ > tests/ovn-ipsec.at | 12 ++++++++++++ > 4 files changed, 31 insertions(+) > > diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst > index aebd3e848..f9b58b9ba 100644 > --- a/Documentation/tutorials/ovn-ipsec.rst > +++ b/Documentation/tutorials/ovn-ipsec.rst > @@ -166,6 +166,11 @@ You can also check the logs of the ``ovs-monitor-ipsec`` daemon and the IKE > daemon to locate issues. ``ovs-monitor-ipsec`` outputs log messages to > ``/var/log/openvswitch/ovs-monitor-ipsec.log``. > > +Any "ipsec_*" option such as the one below can be set and to configure the Remove "and" from this sentence > +underlying IPsec backend, which can simplify debug. > + > + $ ovn-nbctl set nb_global . options:ipsec_replay-window=128 > + > Bug Reporting > ------------- > > diff --git a/NEWS b/NEWS > index 9839d19b9..256e7eb17 100644 > --- a/NEWS > +++ b/NEWS 
> @@ -1,5 +1,6 @@ > Post v26.03.0 > ------------- > + - Added ability to set any 'ipsec_*' which will be passed IPsec backend. I would mention the NB_Global table in this news item. Also: s/passed IPsec backend/passed to the IPsec backend/ > - Documented missing ovn-nbctl commands: "mirror-rule-add", > "mirror-rule-del", "lr-nat-update-ext-ip", > "ha-chassis-group-set-chassis-prio", "lsp-add-router-port", > diff --git a/controller/encaps.c b/controller/encaps.c > index 081fbe671..2a483c237 100644 > --- a/controller/encaps.c > +++ b/controller/encaps.c > @@ -276,6 +276,19 @@ tunnel_add(struct tunnel_ctx *tc, > if (forceencaps) { > smap_add(&options, "ipsec_forceencaps", "yes"); > } > + > + struct smap_node *node; > + SMAP_FOR_EACH (node, &sbg->options) { > + char ipsec_prefix[] = "ipsec_"; nit: Make this "static". Or even better, "static const". > + if (!strncmp(ipsec_prefix, node->key, strlen(ipsec_prefix)) && > + strcmp("ipsec_encapsulation", node->key) && > + strcmp("ipsec_forceencaps", node->key)) { > + const char *ipsec_option = smap_get(&sbg->options, node->key); > + if (ipsec_option) { > + smap_add(&options, node->key, ipsec_option); > + } > + } > + } > } > > if (is_ramp_tunnel(&chassis_rec->other_config)) { > diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at > index 961fc643f..05fbced28 100644 > --- a/tests/ovn-ipsec.at > +++ b/tests/ovn-ipsec.at > @@ -45,6 +45,10 @@ ovs-vsctl \ > # Enable IPsec > check ovn-nbctl set nb_global . ipsec=true > check ovn-nbctl set nb_global . options:ipsec_encapsulation=true > +check ovn-nbctl set nb_global . options:ipsec_replay-window=100 > +check ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s > +check ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s > +check ovn-nbctl set nb_global . options:ipsec_salifetime=8h > > check ovn-nbctl --wait=hv sync 
> > @@ -52,9 +56,17 @@ OVS_WAIT_UNTIL([test x`as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_i > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.2]) > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d '\n'], [0], [hv1]) > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_replay-window | tr -d '\n'], [0], ["100"]) > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-delay | tr -d '\n'], [0], ["30s"]) > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-timeout | tr -d '\n'], [0], ["120s"]) > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_salifetime | tr -d '\n'], [0], ["8h"]) > OVS_WAIT_UNTIL([test x`as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d '"\n'` = x192.168.0.2]) > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.1]) > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d '\n'], [0], [hv2]) > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_replay-window | tr -d '\n'], [0], ["100"]) > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-delay | tr -d '\n'], [0], ["30s"]) > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-timeout | tr -d '\n'], [0], ["120s"]) > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_salifetime | tr -d '\n'], [0], ["8h"]) > > AT_CLEANUP > -- > 2.54.0 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
On Thu, May 21, 2026 at 03:55:30PM -0400, Mark Michelson wrote: > Hi Mairtin, > > The options documentation for the NB_Global table in ovn-nb.xml should > be updated to document this change. Indicate that options preceded by > "ipsec_" will be passed to OVS. If you can point to a specific > document in OVS that documents the valid IPsec options, then that > would be good, too. > > See below for some additional notes. > > On Mon, May 18, 2026 at 6:44 AM Mairtin O'Loingsigh via dev > <ovs-dev@openvswitch.org> wrote: > > > > Add ability to pass any nb_global option with the ipsec prefix to sb, which > > will get used by ovs-monitor-ipsec to configure IPsec backend. For > > example > > > > ovn-nbctl set nb_global . options:ipsec_replay-window=128 > > ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s > > ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s > > ovn-nbctl set nb_global . options:ipsec_salifetime=8h > > > > Reported-at: https://redhat.atlassian.net/browse/FDP-3029 > > Signed-off-by: Mairtin O'Loingsigh <moloings@redhat.com> > > --- > > Documentation/tutorials/ovn-ipsec.rst | 5 +++++ > > NEWS | 1 + > > controller/encaps.c | 13 +++++++++++++ > > tests/ovn-ipsec.at | 12 ++++++++++++ > > 4 files changed, 31 insertions(+) > > > > diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst > > index aebd3e848..f9b58b9ba 100644 > > --- a/Documentation/tutorials/ovn-ipsec.rst > > +++ b/Documentation/tutorials/ovn-ipsec.rst 
> > @@ -166,6 +166,11 @@ You can also check the logs of the ``ovs-monitor-ipsec`` daemon and the IKE > > daemon to locate issues. ``ovs-monitor-ipsec`` outputs log messages to > > ``/var/log/openvswitch/ovs-monitor-ipsec.log``. > > > > +Any "ipsec_*" option such as the one below can be set and to configure the > > Remove "and" from this sentence Ack > > > +underlying IPsec backend, which can simplify debug. > > + > > + $ ovn-nbctl set nb_global . options:ipsec_replay-window=128 > > + > > Bug Reporting > > ------------- > > > > diff --git a/NEWS b/NEWS > > index 9839d19b9..256e7eb17 100644 > > --- a/NEWS > > +++ b/NEWS > > @@ -1,5 +1,6 @@ > > Post v26.03.0 > > ------------- > > + - Added ability to set any 'ipsec_*' which will be passed IPsec backend. > Ack. I'll add NB_Global reference to news. > I would mention the NB_Global table in this news item. Also: > > s/passed IPsec backend/passed to the IPsec backend/ > > > - Documented missing ovn-nbctl commands: "mirror-rule-add", > > "mirror-rule-del", "lr-nat-update-ext-ip", > > "ha-chassis-group-set-chassis-prio", "lsp-add-router-port", > > diff --git a/controller/encaps.c b/controller/encaps.c > > index 081fbe671..2a483c237 100644 > > --- a/controller/encaps.c > > +++ b/controller/encaps.c
> > @@ -276,6 +276,19 @@ tunnel_add(struct tunnel_ctx *tc, > > if (forceencaps) { > > smap_add(&options, "ipsec_forceencaps", "yes"); > > } > > + > > + struct smap_node *node; > > + SMAP_FOR_EACH (node, &sbg->options) { > > + char ipsec_prefix[] = "ipsec_"; > > nit: Make this "static". Or even better, "static const". Ack, I'll update prefix to static const. > > > + if (!strncmp(ipsec_prefix, node->key, strlen(ipsec_prefix)) && > > + strcmp("ipsec_encapsulation", node->key) && > > + strcmp("ipsec_forceencaps", node->key)) { > > + const char *ipsec_option = smap_get(&sbg->options, node->key); > > + if (ipsec_option) { > > + smap_add(&options, node->key, ipsec_option); > > + } > > + } > > + } > > } > > > > if (is_ramp_tunnel(&chassis_rec->other_config)) { > > diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at > > index 961fc643f..05fbced28 100644 > > --- a/tests/ovn-ipsec.at > > +++ b/tests/ovn-ipsec.at > > @@ -45,6 +45,10 @@ ovs-vsctl \ > > # Enable IPsec > > check ovn-nbctl set nb_global . ipsec=true > > check ovn-nbctl set nb_global . options:ipsec_encapsulation=true > > +check ovn-nbctl set nb_global . options:ipsec_replay-window=100 > > +check ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s > > +check ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s > > +check ovn-nbctl set nb_global . options:ipsec_salifetime=8h > > > > check ovn-nbctl --wait=hv sync
> > > > @@ -52,9 +56,17 @@ OVS_WAIT_UNTIL([test x`as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_i > > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.2]) > > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d '\n'], [0], [hv1]) > > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) > > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_replay-window | tr -d '\n'], [0], ["100"]) > > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-delay | tr -d '\n'], [0], ["30s"]) > > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-timeout | tr -d '\n'], [0], ["120s"]) > > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_salifetime | tr -d '\n'], [0], ["8h"]) > > OVS_WAIT_UNTIL([test x`as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d '"\n'` = x192.168.0.2]) > > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.1]) > > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d '\n'], [0], [hv2]) > > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) > > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_replay-window | tr -d '\n'], [0], ["100"]) > > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-delay | tr -d '\n'], [0], ["30s"]) > > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-timeout | tr -d '\n'], [0], ["120s"]) > > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_salifetime | tr -d '\n'], [0], ["8h"]) > > > > AT_CLEANUP > > -- > > 2.54.0 > > > > _______________________________________________ > > dev mailing list > > dev@openvswitch.org > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > > Thanks for the review Mark. 
I'll make the suggested changes and submit v2.

Regards,
Mairtin
diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst index aebd3e848..f9b58b9ba 100644 --- a/Documentation/tutorials/ovn-ipsec.rst +++ b/Documentation/tutorials/ovn-ipsec.rst @@ -166,6 +166,11 @@ You can also check the logs of the ``ovs-monitor-ipsec`` daemon and the IKE daemon to locate issues. ``ovs-monitor-ipsec`` outputs log messages to ``/var/log/openvswitch/ovs-monitor-ipsec.log``. +Any "ipsec_*" option such as the one below can be set and to configure the +underlying IPsec backend, which can simplify debug. + + $ ovn-nbctl set nb_global . options:ipsec_replay-window=128 + Bug Reporting ------------- diff --git a/NEWS b/NEWS index 9839d19b9..256e7eb17 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,6 @@ Post v26.03.0 ------------- + - Added ability to set any 'ipsec_*' which will be passed IPsec backend. - Documented missing ovn-nbctl commands: "mirror-rule-add", "mirror-rule-del", "lr-nat-update-ext-ip", "ha-chassis-group-set-chassis-prio", "lsp-add-router-port", diff --git a/controller/encaps.c b/controller/encaps.c index 081fbe671..2a483c237 100644 --- a/controller/encaps.c +++ b/controller/encaps.c @@ -276,6 +276,19 @@ tunnel_add(struct tunnel_ctx *tc, if (forceencaps) { smap_add(&options, "ipsec_forceencaps", "yes"); } + + struct smap_node *node; + SMAP_FOR_EACH (node, &sbg->options) { + char ipsec_prefix[] = "ipsec_"; + if (!strncmp(ipsec_prefix, node->key, strlen(ipsec_prefix)) && + strcmp("ipsec_encapsulation", node->key) && + strcmp("ipsec_forceencaps", node->key)) { + const char *ipsec_option = smap_get(&sbg->options, node->key); + if (ipsec_option) { + smap_add(&options, node->key, ipsec_option); + } + } + } } if (is_ramp_tunnel(&chassis_rec->other_config)) { diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at index 961fc643f..05fbced28 100644 --- a/tests/ovn-ipsec.at +++ b/tests/ovn-ipsec.at 
@@ -45,6 +45,10 @@ ovs-vsctl \ # Enable IPsec check ovn-nbctl set nb_global . ipsec=true check ovn-nbctl set nb_global . options:ipsec_encapsulation=true +check ovn-nbctl set nb_global . options:ipsec_replay-window=100 +check ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s +check ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s +check ovn-nbctl set nb_global . options:ipsec_salifetime=8h check ovn-nbctl --wait=hv sync 
@@ -52,9 +56,17 @@ OVS_WAIT_UNTIL([test x`as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_i AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.2]) AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d '\n'], [0], [hv1]) AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_replay-window | tr -d '\n'], [0], ["100"]) +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-delay | tr -d '\n'], [0], ["30s"]) +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-timeout | tr -d '\n'], [0], ["120s"]) +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_salifetime | tr -d '\n'], [0], ["8h"]) OVS_WAIT_UNTIL([test x`as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d '"\n'` = x192.168.0.2]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.1]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d '\n'], [0], [hv2]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_replay-window | tr -d '\n'], [0], ["100"]) +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-delay | tr -d '\n'], [0], ["30s"]) +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-timeout | tr -d '\n'], [0], ["120s"]) +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_salifetime | tr -d '\n'], [0], ["8h"]) AT_CLEANUP
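Review bot: in the Documentation/tutorials/ovn-ipsec.rst hunk the indented `$ ovn-nbctl set nb_global . options:ipsec_replay-window=128` line is not introduced by `::`, so reStructuredText renders it as a block quote rather than a literal block; ending the preceding sentence with `::` (for example "which can simplify debugging::") fixes the rendering. The same sentence still carries the stray "and" ("can be set and to configure") already flagged in review, and "simplify debug" reads better as "simplify debugging".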
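Review bot: the NEWS line "Added ability to set any 'ipsec_*' which will be passed IPsec backend." is missing the noun after the prefix; "any 'ipsec_*' option in the NB_Global table, which will be passed to the IPsec backend" states what is being set and where, in line with the NB_Global mention and the "passed to" fix requested in review.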
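Review bot: in the controller/encaps.c hunk the `smap_get(&sbg->options, node->key)` lookup and the `if (ipsec_option)` guard are redundant: `SMAP_FOR_EACH` already yields the node, so `node->value` is that key's value and is never NULL for a node that exists, and `smap_add(&options, node->key, node->value);` does the same work without a second hash lookup per option. `strlen(ipsec_prefix)` is also recomputed on every iteration; once the prefix is `static const char ipsec_prefix[]` as suggested, `sizeof ipsec_prefix - 1` gives the length at compile time. Separately, note what the filter admits: every key starting with `ipsec_` other than the two excluded ones is copied unchanged, key and value, into the tunnel Interface options on every chassis and from there to ovs-monitor-ipsec, so whoever can write NB_Global options now steers IPsec backend settings for the whole deployment. That is what the patch intends, but it is worth stating in the ovn-nb.xml documentation requested in review which keys OVS accepts, and worth deciding whether ovn-controller should forward only a documented set of keys rather than any `ipsec_`-prefixed key silently.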
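Review bot: the tests/ovn-ipsec.at hunks only exercise the positive path. Nothing checks that an NB_Global option without the `ipsec_` prefix is not copied to the Interface, and the `ipsec_encapsulation`/`ipsec_forceencaps` exclusions in encaps.c are covered only indirectly by the pre-existing `ipsec_encapsulation` line. One negative assertion, for example setting `options:foo=bar` on nb_global and checking that `ovs-vsctl get Interface ovn-hv1-0 options:foo` reports no such key, would pin the filter's boundary. Also, the new expected values are written with quotes (`["100"]`, `["30s"]`) because ovs-vsctl quotes strings that are not bare identifiers; stripping them as the `remote_ip` lines do with `tr -d '"\n'` would make the expectations uniform with the rest of the test.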
Add ability to pass any nb_global option with the ipsec prefix to sb, which
will get used by ovs-monitor-ipsec to configure IPsec backend. For
example

    ovn-nbctl set nb_global . options:ipsec_replay-window=128
    ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s
    ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s
    ovn-nbctl set nb_global . options:ipsec_salifetime=8h

Reported-at: https://redhat.atlassian.net/browse/FDP-3029
Signed-off-by: Mairtin O'Loingsigh <moloings@redhat.com>
---
 Documentation/tutorials/ovn-ipsec.rst |  5 +++++
 NEWS                                  |  1 +
 controller/encaps.c                   | 13 +++++++++++++
 tests/ovn-ipsec.at                    | 12 ++++++++++++
 4 files changed, 31 insertions(+)