From patchwork Tue Mar 22 14:08:37 2022
X-Patchwork-Submitter: Emeel Hakim
X-Patchwork-Id: 1608200
Date: Tue, 22 Mar 2022 16:08:37 +0200
Message-ID: <20220322140838.28772-2-ehakim@nvidia.com>
X-Mailer: git-send-email 2.21.3
In-Reply-To: <20220322140838.28772-1-ehakim@nvidia.com>
References: <20220322140838.28772-1-ehakim@nvidia.com>
Cc: raeds@nvidia.com
Subject: [ovs-dev] [PATCH v2 1/2] ovs-monitor-ipsec: Migration from ipsec.conf to swanctl.conf
From: Emeel Hakim
Reply-To: Emeel Hakim

As strongswan moved to the modern vici-based interface, this patch modifies ovs-monitor-ipsec to use strongswan's vici-based configuration instead of the legacy stroke-based configuration.

Reviewed-by: Raed Salem
Signed-off-by: Emeel Hakim
---
 ipsec/ovs-monitor-ipsec.in | 466 ++++++++++++++++++++++++++-----------
 1 file changed, 325 insertions(+), 141 deletions(-)

diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index c9f3cc5a1..8c72563e1 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -32,52 +32,6 @@ import ovs.vlog FILE_HEADER = "# Generated by ovs-monitor-ipsec...do not modify by hand!\n\n" -transp_tmpl = {"gre": Template("""\ -conn $ifname-$version -$auth_section - leftprotoport=gre - rightprotoport=gre - -"""), "gre64": Template("""\ -conn $ifname-$version -$auth_section - leftprotoport=gre - rightprotoport=gre - -"""), "geneve": Template("""\ -conn $ifname-in-$version -$auth_section - leftprotoport=udp/6081 - rightprotoport=udp - -conn $ifname-out-$version -$auth_section - leftprotoport=udp - rightprotoport=udp/6081 - -"""), "stt": Template("""\ -conn $ifname-in-$version -$auth_section - leftprotoport=tcp/7471 - rightprotoport=tcp - -conn $ifname-out-$version -$auth_section - leftprotoport=tcp - rightprotoport=tcp/7471 - -"""), "vxlan": Template("""\ -conn $ifname-in-$version -$auth_section - leftprotoport=udp/4789 - rightprotoport=udp - -conn $ifname-out-$version -$auth_section - leftprotoport=udp - rightprotoport=udp/4789 - -""")} vlog = ovs.vlog.Vlog("ovs-monitor-ipsec") exiting = False monitor = None 
@@ -160,72 +114,249 @@ charon { } """ % (FILE_HEADER) - CONF_HEADER = """%s -config setup - uniqueids=yes + SWANCTL_CONF_HEADER = """%s +conn-defaults { + unique = replace + reauth_time = 0 + version = 2 + proposals = aes128-sha256-x25519 +} -conn %%default - keyingtries=%%forever - type=transport - keyexchange=ikev2 - auto=route - ike=aes256gcm16-sha256-modp2048 - esp=aes256gcm16-modp2048 +child-defaults { + esp_proposals = aes256gcm16-modp2048-esn + mode = transport + policies_fwd_out = yes + start_action = start +} """ % (FILE_HEADER) - CA_SECTION = """ca ca_auth - cacert=%s + CA_SECTION = """authorities { + ca_auth { + cacert=%s + } +} """ - SHUNT_POLICY = """conn prevent_unencrypted_gre - type=drop - leftprotoport=gre - mark={0} + SHUNT_POLICY = """connections {{ + shunts {{ + children {{ + prevent_unencrypted_gre {{ + local_ts = 0.0.0.0/0 [gre] + mark_in = {0} + mark_out = {0} + mode = drop + start_action = trap + }} + prevent_unencrypted_gre_ipv6 {{ + local_ts = ::/0 [gre] + mark_in = {0} + mark_out = {0} + mode = drop + start_action = trap + }} + prevent_unencrypted_geneve {{ + local_ts = 0.0.0.0/0 [udp/6081] + mark_in = {0} + mark_out = {0} + mode = drop + start_action = trap + }} + prevent_unencrypted_geneve_ipv6 {{ + local_ts = ::/0 [udp/6081] + mark_in = {0} + mark_out = {0} + mode = drop + start_action = trap + }} + prevent_unencrypted_stt {{ + local_ts = 0.0.0.0/0 [tcp/7471] + mark_in = {0} + mark_out = {0} + mode = drop + start_action = trap + }} + prevent_unencrypted_stt_ipv6 {{ + local_ts = ::/0 [tcp/7471] + mark_in = {0} + mark_out = {0} + mode = drop + start_action = trap + }} + prevent_unencrypted_vxlan {{ + local_ts = 0.0.0.0/0 [udp/4789] + mark_in = {0} + mark_out = {0} + mode = drop + start_action = trap + }} + prevent_unencrypted_vxlan_ipv6 {{ + local_ts = ::/0 [udp/4789] + mark_in = {0} + mark_out = {0} + mode = drop + start_action = trap + }} + }} + }} +}} +""" + auth_tmpl = {"psk": Template("""\ +local { + auth = psk + id = $local_ip + } 
+ remote { + auth = psk + id = $remote_ip + }"""), + "pki_remote": Template("""\ +local { + auth = pubkey + id = $local_name + certs = $certificate + } + remote { + auth = pubkey + id = $remote_name + certs = $remote_cert + }"""), + "pki_ca": Template("""\ +local { + auth = pubkey + id = $local_name + certs = $certificate + } + remote { + auth = pubkey + id = $remote_name + }""")} + + SECRETS_SECTION = """secrets { + ike-$ifname { + id = $local_ip + secret = $psk + } +} -conn prevent_unencrypted_geneve - type=drop - leftprotoport=udp/6081 - mark={0} +""" + transp_tmpl = {"gre": Template("""\ +connections { + $ifname-$version : conn-defaults{ + local_addrs = $local_addrs + remote_addrs = $remote_ip + + $auth_section + + children { + $ifname-$version : child-defaults { + local_ts = $local_ip/$subnet [gre] + remote_ts = $remote_ip/$subnet [gre] + } + } + } +} -conn prevent_unencrypted_stt - type=drop - leftprotoport=tcp/7471 - mark={0} +"""), "gre64": Template("""\ +connections { + $ifname-$version : conn-defaults{ + local_addrs = $local_addrs + remote_addrs = $remote_ip + + $auth_section + + children { + $ifname-$version : child-defaults { + local_ts = $local_ip/$subnet [gre] + remote_ts = $remote_ip/$subnet [gre] + } + } + } +} -conn prevent_unencrypted_vxlan - type=drop - leftprotoport=udp/4789 - mark={0} +"""), "geneve": Template("""\ +connections { + $ifname-$version : conn-defaults{ + local_addrs = $local_addrs + remote_addrs = $remote_ip + + $auth_section + + children { + $ifname-in-$version : child-defaults { + local_ts = $local_ip/$subnet [udp/6081] + remote_ts = $remote_ip/$subnet [udp] + } + $ifname-out-$version : child-defaults { + local_ts = $local_ip/$subnet [udp] + remote_ts = $remote_ip/$subnet [udp/6081] + } + } -""" + } +} - auth_tmpl = {"psk": Template("""\ - left=%any - right=$remote_ip - authby=psk"""), - "pki_remote": Template("""\ - left=%any - right=$remote_ip - leftid=$local_name - rightid=$remote_name - leftcert=$certificate - 
rightcert=$remote_cert"""), - "pki_ca": Template("""\ - left=%any - right=$remote_ip - leftid=$local_name - rightid=$remote_name - leftcert=$certificate""")} +"""), "stt": Template("""\ +connections { + $ifname-$version : conn-defaults{ + local_addrs = $local_addrs + remote_addrs = $remote_ip + + $auth_section + + children { + $ifname-in-$version : child-defaults { + local_ts = $local_ip/$subnet [tcp/7471] + remote_ts = $remote_ip/$subnet [tcp] + } + $ifname-out-$version : child-defaults { + local_ts = $local_ip/$subnet [tcp] + remote_ts = $remote_ip/$subnet [tcp/7471] + } + } + } +} + +"""), "vxlan": Template("""\ +connections { + $ifname-$version : conn-defaults{ + local_addrs = $local_addrs + remote_addrs = $remote_ip + + $auth_section + + children { + $ifname-in-$version : child-defaults { + local_ts = $local_ip/$subnet [udp/4789] + remote_ts = $remote_ip/$subnet [udp] + } + $ifname-out-$version : child-defaults { + local_ts = $local_ip/$subnet [udp] + remote_ts = $remote_ip/$subnet [udp/4789] + } + } + } +} + +""")} def __init__(self, root_prefix): - self.CHARON_CONF = root_prefix + "/etc/strongswan.d/ovs.conf" - self.IPSEC = root_prefix + "/usr/sbin/ipsec" - self.IPSEC_CONF = root_prefix + "/etc/ipsec.conf" - self.IPSEC_SECRETS = root_prefix + "/etc/ipsec.secrets" + if os.path.exists(root_prefix + "/etc/strongswan.d/"): + self.CHARON_CONF = root_prefix + "/etc/strongswan.d/ovs.conf" + else: + self.CHARON_CONF = (root_prefix + + "/etc/strongswan/strongswan.d/ovs.conf") + if os.path.exists(root_prefix + "/etc/swanctl/conf.d"): + self.SWANCTL_CONF = (root_prefix + + "/etc/swanctl/conf.d/ovs-swanctl.conf") + else: + self.SWANCTL_CONF = (root_prefix + + "/etc/strongswan/swanctl/conf.d/" + + "ovs-swanctl.conf") + self.SYSTEMCTL = root_prefix + "/usr/bin/systemctl" + self.SWANCTL = root_prefix + "/usr/sbin/swanctl" self.conf_file = None - self.secrets_file = None def restart_ike_daemon(self): """This function restarts StrongSwan.""" 
@@ -233,26 +364,24 @@ conn prevent_unencrypted_vxlan f.write(self.STRONGSWAN_CONF) f.close() - f = open(self.IPSEC_CONF, "w") - f.write(self.CONF_HEADER) - f.close() - - f = open(self.IPSEC_SECRETS, "w") - f.write(FILE_HEADER) + f = open(self.SWANCTL_CONF, "w") + f.write(self.SWANCTL_CONF_HEADER) f.close() vlog.info("Restarting StrongSwan") - subprocess.call([self.IPSEC, "restart"]) + subprocess.call((self.SYSTEMCTL + + " restart strongswan-starter.service").split()) def get_active_conns(self): - """This function parses output from 'ipsec status' command. + """This function parses output from 'swanctl --list-conns' command. It returns dictionary where is interface name (as in OVSDB) and is another dictionary. This another dictionary uses strongSwan connection name as and more detailed sample line from the parsed outpus as . """ conns = {} - proc = subprocess.Popen([self.IPSEC, 'status'], stdout=subprocess.PIPE) + proc = subprocess.Popen([self.SWANCTL, '--list-conns'], + stdout=subprocess.PIPE) while True: line = proc.stdout.readline().strip().decode() @@ -272,10 +401,8 @@ conn prevent_unencrypted_vxlan return conns def config_init(self): - self.conf_file = open(self.IPSEC_CONF, "w") - self.secrets_file = open(self.IPSEC_SECRETS, "w") - self.conf_file.write(self.CONF_HEADER) - self.secrets_file.write(FILE_HEADER) + self.conf_file = open(self.SWANCTL_CONF, "w") + self.conf_file.write(self.SWANCTL_CONF_HEADER) def config_global(self, monitor): """Configure the global state of IPsec tunnels.""" 
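Review bot: `config_init` (and `restart_ike_daemon` above it) opens `self.SWANCTL_CONF` with a plain `open(..., "w")`, but with this patch the pre-shared keys from `SECRETS_SECTION` are written into that same `ovs-swanctl.conf` instead of a separate secrets file, so the PSKs land in a file created with whatever the process umask allows (0644 with the usual 022). Create it with an explicit mode, e.g. `open(os.open(self.SWANCTL_CONF, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w")`, in both places. In `restart_ike_daemon`, the portable `ipsec restart` is replaced by `systemctl restart strongswan-starter.service`: this hard-codes a distro-specific unit (on Debian `strongswan-starter.service` is the legacy `ipsec` starter, while swanctl-based deployments normally run charon-systemd as `strongswan.service`), and the return value of `subprocess.call` is still discarded, so a failed restart is never logged. In `get_active_conns` only the command changes to `swanctl --list-conns`; its output lists loaded connections rather than established SAs and is formatted differently from `ipsec status`, and the parsing loop after this hunk is not shown changed, so please confirm it was updated to yield the connection name and the version number that `refresh` compares below.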
@@ -299,13 +426,10 @@ conn prevent_unencrypted_vxlan def config_tunnel(self, tunnel): if tunnel.conf["psk"]: - self.secrets_file.write('%%any %s : PSK "%s"\n' % - (tunnel.conf["remote_ip"], tunnel.conf["psk"])) auth_section = self.auth_tmpl["psk"].substitute(tunnel.conf) + secrets = Template(self.SECRETS_SECTION).substitute(tunnel.conf) else: - self.secrets_file.write("%%any %s : RSA %s\n" % - (tunnel.conf["remote_ip"], - tunnel.conf["private_key"])) + secrets = None if tunnel.conf["remote_cert"]: tmpl = self.auth_tmpl["pki_remote"] auth_section = tmpl.substitute(tunnel.conf) 
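Review bot: the certificate branch sets `secrets = None` and drops the removed `%any <remote_ip> : RSA <private_key>` line without writing `tunnel.conf["private_key"]` anywhere in the new configuration, so charon has no private key to back `auth = pubkey` / `certs = $certificate` unless the key already sits where swanctl loads credentials from (the swanctl `private` directory, picked up by `--load-all`); the helper should install or reference the key there for the `pki_remote` and `pki_ca` cases, the way this hunk still produces a secrets section for PSK. Note also that `Template(self.SECRETS_SECTION).substitute(tunnel.conf)` and the `auth_tmpl` substitution run on `tunnel.conf` here, before the `%defaultroute` rewrite that the next hunk applies only to `vals`, so `id = $local_ip` can be written out as the literal `%defaultroute`.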
@@ -316,45 +440,43 @@ conn prevent_unencrypted_vxlan vals = tunnel.conf.copy() vals["auth_section"] = auth_section vals["version"] = tunnel.version - conf_text = transp_tmpl[tunnel.conf["tunnel_type"]].substitute(vals) + if tunnel.conf["address_family"] == "IPv6": + vals["local_addrs"] = "::/0" + vals["subnet"] = "64" + else: + vals["local_addrs"] = "0.0.0.0/0" + vals["subnet"] = "32" + if vals["local_ip"] == "%defaultroute": + if tunnel.conf["address_family"] == "IPv6": + vals["local_ip"] = "::/0" + else: + vals["local_ip"] = "0.0.0.0/0" + conf_text = self.transp_tmpl[tunnel.conf[ + "tunnel_type"]].substitute(vals) self.conf_file.write(conf_text) + if secrets is not None: + self.conf_file.write(secrets) + def config_fini(self): - self.secrets_file.close() self.conf_file.close() - self.secrets_file = None self.conf_file = None def refresh(self, monitor): """This functions refreshes strongSwan configuration. Behind the scenes this function calls: - 1. once "ipsec update" command that tells strongSwan to load - all new tunnels from "ipsec.conf"; and - 2. once "ipsec rereadsecrets" command that tells strongswan to load - secrets from "ipsec.conf" file - 3. for every removed tunnel "ipsec stroke down-nb " command + 1. once "swanctl --load-all" command that tells strongSwan to load + all new tunnels from "swanctl.conf"; and + 2. for every removed tunnel "swanctl -t --child " command that removes old tunnels. 
Once strongSwan vici bindings will be distributed with major Linux distributions this function could be simplified.""" vlog.info("Refreshing StrongSwan configuration") - proc = subprocess.Popen([self.IPSEC, "update"], - stdout=subprocess.PIPE, - stderr=subprocess.PIPE) - outs, errs = proc.communicate() - if proc.returncode != 0: - vlog.err("StrongSwan failed to update configuration:\n" - "%s \n %s" % (str(outs), str(errs))) - - subprocess.call([self.IPSEC, "rereadsecrets"]) - # "ipsec update" command does not remove those tunnels that were - # updated or that disappeared from the ipsec.conf file. So, we have - # to manually remove them by calling "ipsec stroke down-nb " + # "swanctl --load-all" command does not remove those tunnels that were + # updated or that disappeared from the swanctl.conf files. So, we have + # to manually remove them by calling "swanctl -t --child " # command. We use number to tell apart tunnels that # were just updated. - # "ipsec down-nb" command is designed to be non-blocking (opposed - # to "ipsec down" command). This means that we should not be concerned - # about possibility of ovs-monitor-ipsec to block for each tunnel - # while strongSwan sends IKE messages over Internet. conns_dict = self.get_active_conns() for ifname, conns in conns_dict.items(): tunnel = monitor.tunnels.get(ifname) 
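Review bot: the `%defaultroute` handling in `config_tunnel` yields an invalid traffic selector: `vals["local_ip"]` is rewritten to `0.0.0.0/0` (or `::/0`) and every template then emits `local_ts = $local_ip/$subnet`, i.e. `local_ts = 0.0.0.0/0/32`; if "any local address" is intended, emit `0.0.0.0/0` (or `::/0`) without a second prefix length. The IPv6 prefix is also wrong for a host selector: `vals["subnet"] = "64"` turns `remote_ts = $remote_ip/64` into a selector covering the peer's entire /64, whereas the IPv4 path uses /32; a single IPv6 host is /128. Since `auth_section` and `secrets` were rendered from `tunnel.conf` before this rewrite, the PSK identities and secret id keep the literal `%defaultroute` even after `vals` is fixed up; apply the substitution once, before rendering any of the three. Minor: the `refresh` docstring still ends with "Once strongSwan vici bindings will be distributed ... this function could be simplified", which no longer applies now that the helper already depends on swanctl.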
@@ -378,7 +500,21 @@ conn prevent_unencrypted_vxlan if not tunnel or tunnel.version != ver: vlog.info("%s is outdated %u" % (conn, ver)) - subprocess.call([self.IPSEC, "stroke", "down-nb", conn]) + self.terminate_ipsec_connection(conn) + + self.update_ipsec_connections() + + def update_ipsec_connections(self): + process = subprocess.Popen((self.SWANCTL + " --load-all").split(), + stdout=subprocess.PIPE, stderr=subprocess.PIPE) + err = str(process.stderr.read()) + if re.match(r".*Error.*", err, re.IGNORECASE) is not None: + vlog.err(err) + + def terminate_ipsec_connection(self, conn_name): + subprocess.Popen((self.SWANCTL + " -t --child " + + conn_name).split(), stdout=subprocess.PIPE) + vlog.info("IPsec connection terminated for " + conn_name) class LibreSwanHelper(object): @@ -449,6 +585,53 @@ conn prevent_unencrypted_vxlan leftrsasigkey=%cert rightca=%same""")} + transp_tmpl = {"gre": Template("""\ + conn $ifname-$version + $auth_section + leftprotoport=gre + rightprotoport=gre + + """), "gre64": Template("""\ + conn $ifname-$version + $auth_section + leftprotoport=gre + rightprotoport=gre + + """), "geneve": Template("""\ + conn $ifname-in-$version + $auth_section + leftprotoport=udp/6081 + rightprotoport=udp + + conn $ifname-out-$version + $auth_section + leftprotoport=udp + rightprotoport=udp/6081 + + """), "stt": Template("""\ + conn $ifname-in-$version + $auth_section + leftprotoport=tcp/7471 + rightprotoport=tcp + + conn $ifname-out-$version + $auth_section + leftprotoport=tcp + rightprotoport=tcp/7471 + + """), "vxlan": Template("""\ + conn $ifname-in-$version + $auth_section + leftprotoport=udp/4789 + rightprotoport=udp + + conn $ifname-out-$version + $auth_section + leftprotoport=udp + rightprotoport=udp/4789 + + """)} + CERT_PREFIX = "ovs_cert_" CERTKEY_PREFIX = "ovs_certkey_" 
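Review bot: `update_ipsec_connections` and `terminate_ipsec_connection` both leave the child process unreaped and its pipes partly unread: `update_ipsec_connections` reads only `process.stderr` while `stdout=subprocess.PIPE` is never drained (a long `--load-all` listing can fill the pipe and block swanctl), neither function calls `wait()` or `communicate()`, so every refresh leaks zombie `swanctl` processes, and `terminate_ipsec_connection` logs "IPsec connection terminated" before swanctl has done anything. Use `Popen(...).communicate()` and check `returncode` rather than grepping stderr; `str(process.stderr.read())` also produces the `b'...'` repr of the bytes instead of decoded text, so `.decode()` it before matching. In the second hunk, the Libreswan copy of `transp_tmpl` is indented inside the triple-quoted strings (`+    conn $ifname-$version`, `+    leftprotoport=gre`), unlike the module-level originals removed at the top of the patch, which started at column 0; ipsec.conf treats an indented line as a parameter of the preceding section, so Libreswan will not parse these as new `conn` sections. Start the template lines at column 0 or dedent before writing.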
@@ -553,7 +736,8 @@ conn prevent_unencrypted_vxlan vals = tunnel.conf.copy() vals["auth_section"] = auth_section vals["version"] = tunnel.version - conf_text = transp_tmpl[tunnel.conf["tunnel_type"]].substitute(vals) + conf_text = self.transp_tmpl[tunnel.conf[ + "tunnel_type"]].substitute(vals) self.conf_file.write(conf_text) def config_fini(self):

From patchwork Tue Mar 22 14:08:38 2022
X-Patchwork-Submitter: Emeel Hakim
X-Patchwork-Id: 1608199
Date: Tue, 22 Mar 2022 16:08:38 +0200
Message-ID: <20220322140838.28772-3-ehakim@nvidia.com>
X-Mailer: git-send-email 2.21.3
In-Reply-To: <20220322140838.28772-1-ehakim@nvidia.com>
References: <20220322140838.28772-1-ehakim@nvidia.com>
Cc: raeds@nvidia.com
Subject: [ovs-dev] [PATCH v2 2/2] deb: Update openvswitch-ipsec dependencies
From: Emeel Hakim
Reply-To: Emeel Hakim

The patch "ovs-monitor-ipsec: Migration from ipsec.conf to swanctl.conf" introduces strongswan-swanctl as an openvswitch-ipsec dependency; this patch adds it to the openvswitch-ipsec dependencies.

Signed-off-by: Emeel Hakim
---
 debian/control | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/control b/debian/control
index 6420b9d3e..e75770d91 100644
--- a/debian/control
+++ b/debian/control
@@ -252,6 +252,7 @@ Depends: iproute2, python3, python3-openvswitch (= ${source:Version}), strongswan, + strongswan-swanctl, ${misc:Depends}, ${shlibs:Depends} Description: Open vSwitch IPsec tunneling support
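Review bot: `strongswan-swanctl` provides the `swanctl` binary the helper now executes, but patch 1/2 restarts `strongswan-starter.service` through systemctl, and on Debian that unit is shipped by the `strongswan-starter` package (the legacy `ipsec` starter that the series says it is moving away from), while swanctl-based installs normally run `charon-systemd`'s `strongswan.service`. The dependency list and the unit name restarted by `ovs-monitor-ipsec` should agree: either depend on the package that owns the unit being restarted, or switch the helper to the unit provided by the existing `strongswan` dependency. Is an equivalent update needed for the rpm packaging of openvswitch-ipsec?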