OVS IPsec tunnel support has issues:
1. It only works for GRE.
2. It only works on Debian.
3. It does not allow the user to match on packet-mark on packets received on tunnel ports.
This patch deprecates support for IPsec tunnel port.

Signed-off-by: Pravin B Shelar <pshe...@ovn.org>
---
After discussing this patch with Jesse, I have decided to just deprecate this feature and not provide any option to allow external IPsec tunnel management. The reason is that this option would again cause compatibility issues when IPsec tunnel port support is removed. Considering this feature is not much used, it is better to just deprecate it for OVS 2.6.
--- NEWS | 1 + debian/changelog | 1 + debian/control | 1 + lib/netdev-vport.c | 2 ++ vswitchd/vswitch.xml | 3 +++ 5 files changed, 8 insertions(+) diff --git a/NEWS b/NEWS index 21ab538..9363e91 100644 --- a/NEWS +++ b/NEWS @@ -149,6 +149,7 @@ v2.6.0 - xx xxx xxxx * Flow based tunnel match and action can be used for IPv6 address using tun_ipv6_src, tun_ipv6_dst fields. * Added support for IPv6 tunnels, for details checkout FAQ. + * Deprecated support for IPsec tunnels ports. - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port and watch with tcpdump - Introduce --no-self-confinement flag that allows daemons to work with diff --git a/debian/changelog b/debian/changelog index d73e636..13aae36 100644 --- a/debian/changelog +++ b/debian/changelog @@ -108,6 +108,7 @@ openvswitch (2.6.0-1) unstable; urgency=low * Flow based tunnel match and action can be used for IPv6 address using tun_ipv6_src, tun_ipv6_dst fields. * Added support for IPv6 tunnels, for details checkout FAQ. + * Deprecated support for IPsec tunnels ports. - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port and watch with tcpdump - Introduce --no-self-confinement flag that allows daemons to work with diff --git a/debian/control b/debian/control index 6e704f1..da86fe9 100644 --- a/debian/control +++ b/debian/control
@@ -200,6 +200,7 @@ Description: Open vSwitch GRE-over-IPsec support . The ovs-monitor-ipsec script provides support for encrypting GRE tunnels with IPsec. + IPsec tunnels support is deprecated. Package: openvswitch-pki Architecture: all diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c index 8d22cf5..ac31da6 100755 --- a/lib/netdev-vport.c +++ b/lib/netdev-vport.c @@ -543,6 +543,8 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args) static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER; static pid_t pid = 0; + VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name); + #ifndef _WIN32 ovs_mutex_lock(&mutex); if (pid <= 0) { diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index e73023d..6381cc8 100644 --- a/vswitchd/vswitch.xml +++ b/vswitchd/vswitch.xml @@ -2008,6 +2008,9 @@ <dd> An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4/IPv6 IPsec tunnel. + IPsec tunnel port are deprecated. The support will be completely + removed in next version. + </dd> <dt><code>vxlan</code></dt> -- 1.9.1
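
Review bot: The entry added to NEWS reads "IPsec tunnels ports", which should be "IPsec tunnel ports"; the identical line added to debian/changelog carries the same slip. The entry also gives operators nothing to plan with: the vswitch.xml text in this patch says support will be removed, so the release note should say so too, since anyone relying on these ports for tunnel encryption will read NEWS first.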
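
Review bot: In the debian/control hunk, the added Description line "IPsec tunnels support is deprecated." should read "IPsec tunnel support is deprecated.", and as a bare sentence at the end of the package description it does not say from which release. The note under the commit message says the deprecation is for OVS 2.6, so something like "IPsec tunnel support is deprecated as of Open vSwitch 2.6." would tell a user installing the package what to expect.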
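
Review bot: In set_tunnel_config() in lib/netdev-vport.c, the deprecation notice is logged with VLOG_ERR although nothing has failed at that point and the code after it is unchanged; VLOG_WARN fits the condition better and keeps error-level log alerts meaningful. The call is unconditional at the top of the block, so it repeats every time this path runs; a once-only or rate-limited warning (VLOG_WARN_ONCE, or VLOG_WARN_RL with a static rate limit) would avoid log noise. The hunk context does not show where name is assigned, so please confirm it is set before this line. The message text could also state that the port is still being configured and that removal is planned, because "deprecated" on an error line is easy to read as "not applied".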
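
Review bot: In the vswitchd/vswitch.xml hunk, "IPsec tunnel port are deprecated" should be "IPsec tunnel ports are deprecated", and "removed in next version" names no release, while the note under the commit message places the deprecation in OVS 2.6; state the releases explicitly. The two sentences are appended directly to the tunnel type description inside the same <dd>, followed by an added blank line, so the notice would read more clearly as its own paragraph. Because the patch offers no replacement mechanism, the documentation should also tell readers that the encryption these ports provide goes away with them and has to be planned for separately.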