On 26 September 2016 at 03:48, Pravin B Shelar <pshe...@ovn.org> wrote:

> OVS GRE IPsec tunnel support has multiple issues, Therefore
>
s/issues,/issues.

> it was deprecated in OVS 2.6.
>
> Following patch removes support GRE IPsec and allow external
>
s/support/support for
s/allow/allows

> IPsec tunnel management for any type of tunnel not just GRE.

> e.g. user can encrpt Geneve or VxLan traffic.
>
s/encrpt/encrypt

>
> It can be done by using openflow pipeline to set skb-mark
> and using xfrm to implement IPsec tunnels. xfrm can match
> on the skb-mark to encrypt selective tunnel traffic.
>

Some folks may misinterpret the paragraph above as saying that we are
recommending they use XFRM *directly* as an alternative. XFRM is just the
Netlink interface to the Linux kernel for installing IPsec keys after those
keys have been negotiated by an IPsec keying daemon, such as strongSwan,
openSwan/libreswan or racoon.

Instead, I would recommend that users use one of the IPsec keying daemons
rather than XFRM directly.

> VMware-BZ: 1710701
> Signed-off-by: Pravin B Shelar <pshe...@ovn.org>
> ---
> This is targeted for OVS master branch only.
> ---
>  NEWS                             |   1 +
>  README.md                        |   2 +-

>  debian/automake.mk               |   7 -
>  debian/control                   |  24 --
>  debian/openvswitch-ipsec.dirs    |   1 -
>  debian/openvswitch-ipsec.init    | 203 ----------------
>  debian/openvswitch-ipsec.install |   1 -
>  debian/ovs-monitor-ipsec         | 507 ------------------------------
> ---------
>  lib/netdev-vport.c               |  67 +-----
>  lib/netdev.h                     |   1 -
>  ofproto/ofproto-dpif-ipfix.c     |  15 --
>  ofproto/ofproto-dpif-sflow.c     |   7 -
>  ofproto/tunnel.c                 |  13 -
>  tests/automake.mk                |   1 -
>  tests/ofproto-macros.at          |  49 ----
>  tests/ovn-controller.at          |   2 +-
>  tests/ovs-monitor-ipsec.at       | 271 ---------------------
>  tests/testsuite.at               |   1 -
>  tests/tunnel-push-pop-ipv6.at    |   2 +-
>  tests/tunnel-push-pop.at         |   2 +-
>  tests/tunnel.at                  |  87 +------
>  utilities/bugtool/ovs-bugtool.in |   2 +-
>  utilities/ovs-appctl.8.in        |   4 +-
>  vswitchd/vswitch.xml             |  57 +----
>  24 files changed, 23 insertions(+), 1304 deletions(-)
>  delete mode 100644 debian/openvswitch-ipsec.dirs
>  delete mode 100755 debian/openvswitch-ipsec.init
>  delete mode 100644 debian/openvswitch-ipsec.install
>  delete mode 100755 debian/ovs-monitor-ipsec
>  delete mode 100644 tests/ovs-monitor-ipsec.at


Assuming you were able to build all the other Debian packages with "fakeroot
debian/rules binary" after removing and editing those files, then
Acked-by: Ansis Atteka <aatt...@ovn.org>

Let me know if you want me to independently verify that as well.

>
>
> diff --git a/NEWS b/NEWS
> index 6e284aa..069ab42 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -25,6 +25,7 @@ Post-v2.6.0
>       * TLV mappings for protocols such as Geneve are now segregated on
>         a per-OpenFlow bridge basis rather than globally. (The interface
>         has not changed.)
> +     * Removed support for IPsec tunnels.
>
>  v2.6.0 - xx xxx xxxx
>  ---------------------
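Review bot: the one-line entry `* Removed support for IPsec tunnels.` does not tell an administrator what happens to existing `ipsec_gre` interfaces after the upgrade or what replaces them. The commit message already describes the replacement (set a skb-mark from the OpenFlow pipeline and let an IPsec keying daemon install xfrm policies that match on that mark), so suggest stating it here as well, e.g. `* Removed support for IPsec tunnels (the "ipsec_gre" interface type). Use an IPsec keying daemon with xfrm policies that match the skb-mark instead.`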
> diff --git a/README.md b/README.md
> index cf53437..53b0faf 100644
> --- a/README.md
> +++ b/README.md
> @@ -30,7 +30,7 @@ vSwitch supports the following features:
>  * NIC bonding with or without LACP on upstream switch
>  * NetFlow, sFlow(R), and mirroring for increased visibility
>  * QoS (Quality of Service) configuration, plus policing
> -* Geneve, GRE, GRE over IPSEC, VXLAN, and LISP tunneling
> +* Geneve, GRE, VXLAN, STT, and LISP tunneling
>  * 802.1ag connectivity fault management
>  * OpenFlow 1.0 plus numerous extensions
>  * Transactional configuration database with C and Python bindings
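Review bot: besides dropping `GRE over IPSEC`, the replacement line `+* Geneve, GRE, VXLAN, STT, and LISP tunneling` also adds `STT` to the feature list, which is unrelated to the IPsec removal; either mention that in the commit message or move it to its own patch so this change stays reviewable as a pure removal.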
> diff --git a/debian/automake.mk b/debian/automake.mk
> index 73b4d00..2da7055 100644
> --- a/debian/automake.mk
> +++ b/debian/automake.mk
> @@ -19,9 +19,6 @@ EXTRA_DIST += \
>         debian/openvswitch-datapath-source.dirs \
>         debian/openvswitch-datapath-source.install \
>         debian/openvswitch-dev.install \
> -       debian/openvswitch-ipsec.dirs \
> -       debian/openvswitch-ipsec.init \
> -       debian/openvswitch-ipsec.install \
>         debian/openvswitch-pki.dirs \
>         debian/openvswitch-pki.postinst \
>         debian/openvswitch-pki.postrm \
> @@ -71,7 +68,6 @@ EXTRA_DIST += \
>         debian/ovn-host.postinst \
>         debian/ovn-host.postrm \
>         debian/ovn-host.template \
> -       debian/ovs-monitor-ipsec \
>         debian/python-openvswitch.dirs \
>         debian/python-openvswitch.install \
>         debian/rules \
> @@ -79,9 +75,6 @@ EXTRA_DIST += \
>         debian/ifupdown.sh \
>         debian/source/format
>
> -FLAKE8_PYFILES += \
> -       debian/ovs-monitor-ipsec
> -
>  check-debian-changelog-version:
>         @DEB_VERSION=`echo '$(VERSION)' | sed 's/pre/~pre/'`;
>   \
>         if $(FGREP) '($(DEB_VERSION)' $(srcdir)/debian/changelog
> >/dev/null; \
> diff --git a/debian/control b/debian/control
> index da86fe9..813721a 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -178,30 +178,6 @@ Description: OVN Docker drivers
>   .
>   ovn-docker provides the docker drivers for OVN.
>
> -Package: openvswitch-ipsec
> -Architecture: linux-any
> -Depends: ipsec-tools (>=0.8~alpha20101208),
> -         iproute2,
> -         openvswitch-common (= ${binary:Version}),
> -         openvswitch-switch (= ${binary:Version}),
> -         python,
> -         python-openvswitch (= ${source:Version}),
> -         racoon (>=0.8~alpha20101208),
> -         ${misc:Depends},
> -         ${shlibs:Depends}
> -Description: Open vSwitch GRE-over-IPsec support
> - Open vSwitch is a production quality, multilayer, software-based,
> - Ethernet virtual switch. It is designed to enable massive network
> - automation through programmatic extension, while still supporting
> - standard management interfaces and protocols (e.g. NetFlow, IPFIX,
> - sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed
> - to support distribution across multiple physical servers similar to
> - VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
> - .
> - The ovs-monitor-ipsec script provides support for encrypting GRE
> - tunnels with IPsec.
> - IPsec tunnels support is deprecated.
> -
>  Package: openvswitch-pki
>  Architecture: all
>  Depends: openvswitch-common (<< ${source:Version}.1~),
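Review bot: deleting the `Package: openvswitch-ipsec` stanza does not remove an already-installed copy of that package; its `openvswitch-common (= ${binary:Version})` and `openvswitch-switch (= ${binary:Version})` dependencies simply become unsatisfiable after the upgrade, which leaves its init script and the racoon configuration it generated behind. Consider adding `Breaks: openvswitch-ipsec` to openvswitch-switch so the obsolete package is removed cleanly, and note the removal in debian/changelog.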
> diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs
> deleted file mode 100644
> index 02130d0..0000000
> --- a/debian/openvswitch-ipsec.dirs
> +++ /dev/null
> @@ -1 +0,0 @@
> -usr/share/openvswitch/scripts
> diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
> deleted file mode 100755
> index a39dd40..0000000
> --- a/debian/openvswitch-ipsec.init
> +++ /dev/null
> @@ -1,203 +0,0 @@
> -#!/bin/sh
> -#
> -# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino <j...@debian.org>
> -#
> -# This is free software; you may redistribute it and/or modify
> -# it under the terms of the GNU General Public License as
> -# published by the Free Software Foundation; either version 2,
> -# or (at your option) any later version.
> -#
> -# This is distributed in the hope that it will be useful, but
> -# WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License with
> -# the Debian operating system, in /usr/share/common-licenses/GPL;  if
> -# not, write to the Free Software Foundation, Inc., 59 Temple Place,
> -# Suite 330, Boston, MA 02111-1307 USA
> -#
> -### BEGIN INIT INFO
> -# Provides:          openvswitch-ipsec
> -# Required-Start:    $network $local_fs $remote_fs openvswitch-switch
> -# Required-Stop:     $remote_fs
> -# Default-Start:     2 3 4 5
> -# Default-Stop:      0 1 6
> -# Short-Description: Open vSwitch GRE-over-IPsec daemon
> -# Description:       The ovs-monitor-ipsec script provides support for
> encrypting GRE
> -#                    tunnels with IPsec.
> -### END INIT INFO
> -
> -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
> -
> -DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's
> location
> -NAME=ovs-monitor-ipsec          # Introduce the short server's name here
> -LOGDIR=/var/log/openvswitch     # Log directory to use
> -
> -PIDFILE=/var/run/openvswitch/$NAME.pid
> -
> -test -x $DAEMON || exit 0
> -
> -. /lib/lsb/init-functions
> -
> -DODTIME=10              # Time to wait for the server to die, in seconds
> -                        # If this value is set too low you might not
> -                        # let some servers to die gracefully and
> -                        # 'restart' will not work
> -
> -set -e
> -
> -running_pid() {
> -# Check if a given process pid's cmdline matches a given name
> -    pid=$1
> -    name=$2
> -    [ -z "$pid" ] && return 1
> -    [ ! -d /proc/$pid ] &&  return 1
> -    cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2`
> -    # Is this the expected server
> -    [ "$cmd" != "$name" ] &&  return 1
> -    return 0
> -}
> -
> -running() {
> -# Check if the process is running looking at /proc
> -# (works for all users)
> -
> -    # No pidfile, probably no daemon present
> -    [ ! -f "$PIDFILE" ] && return 1
> -    pid=`cat $PIDFILE`
> -    running_pid $pid $DAEMON || return 1
> -    return 0
> -}
> -
> -uninstall_mark_rule() {
> -    iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 || return 0
> -}
> -
> -install_mark_rule() {
> -    if ( ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2>
> /dev/null); then
> -        iptables -A INPUT -t mangle $1 -j MARK --set-mark 1/1
> -    fi
> -}
> -
> -start_server() {
> -    if [ ! -d /var/run/openvswitch ]; then
> -        install -d -m 755 -o root -g root /var/run/openvswitch
> -    fi
> -
> -    install_mark_rule "-p esp"
> -    install_mark_rule "-p udp --dport 4500"
> -    /usr/share/openvswitch/scripts/ovs-monitor-ipsec \
> -           --pidfile=$PIDFILE --log-file --detach --monitor \
> -           unix:/var/run/openvswitch/db.sock
> -
> -    return 0
> -}
> -
> -stop_server() {
> -    if [ -e $PIDFILE ]; then
> -        kill `cat $PIDFILE`
> -    fi
> -    uninstall_mark_rule "-p esp"
> -    uninstall_mark_rule "-p udp --dport 4500"
> -
> -    return 0
> -}
> -
> -force_stop() {
> -# Force the process to die killing it manually
> -    [ ! -e "$PIDFILE" ] && return
> -    if running ; then
> -        kill -15 $pid
> -        # Is it really dead?
> -        sleep "$DODTIME"
> -        if running ; then
> -            kill -9 $pid
> -            sleep "$DODTIME"
> -            if running ; then
> -                echo "Cannot kill $NAME (pid=$pid)!"
> -                exit 1
> -            fi
> -        fi
> -    fi
> -    rm -f $PIDFILE
> -}
> -
> -
> -case "$1" in
> -  start)
> -        log_daemon_msg "Starting $NAME"
> -        # Check if it's running first
> -        if running ;  then
> -            log_progress_msg "apparently already running"
> -            log_end_msg 0
> -            exit 0
> -        fi
> -        if start_server && running ;  then
> -            # It's ok, the server started and is running
> -            log_end_msg 0
> -        else
> -            # Either we could not start it or it is not running
> -            # after we did
> -            # NOTE: Some servers might die some time after they start,
> -            # this code does not try to detect this and might give
> -            # a false positive (use 'status' for that)
> -            log_end_msg 1
> -        fi
> -        ;;
> -  stop)
> -        log_daemon_msg "Stopping $NAME"
> -        if running ; then
> -            # Only stop the server if we see it running
> -            stop_server
> -            log_end_msg $?
> -        else
> -            # If it's not running don't do anything
> -            log_progress_msg "apparently not running"
> -            log_end_msg 0
> -            exit 0
> -        fi
> -        ;;
> -  force-stop)
> -        # First try to stop gracefully the program
> -        $0 stop
> -        if running; then
> -            # If it's still running try to kill it more forcefully
> -            log_daemon_msg "Stopping (force) $NAME"
> -            force_stop
> -            log_end_msg $?
> -        fi
> -        ;;
> -  restart|force-reload)
> -        log_daemon_msg "Restarting $NAME"
> -        stop_server
> -        # Wait some sensible amount, some server need this
> -        [ -n "$DODTIME" ] && sleep $DODTIME
> -        start_server
> -        running
> -        log_end_msg $?
> -        ;;
> -  status)
> -        log_daemon_msg "Checking status of $NAME"
> -        if running ;  then
> -            log_progress_msg "running"
> -            log_end_msg 0
> -        else
> -            log_progress_msg "apparently not running"
> -            log_end_msg 1
> -            exit 1
> -        fi
> -        ;;
> -  # Use this if the daemon cannot reload
> -  reload)
> -        log_warning_msg "Reloading $NAME daemon: not implemented, as the
> daemon"
> -        log_warning_msg "cannot re-read the config file (use restart)."
> -        ;;
> -  *)
> -        N=/etc/init.d/openvswitch-ipsec
> -        echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}"
> >&2
> -        exit 1
> -        ;;
> -esac
> -
> -exit 0
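Review bot: the deleted init script was the only code that removed the mangle rules it installed, `iptables -A INPUT -t mangle -p esp -j MARK --set-mark 1/1` and the matching `-p udp --dport 4500` rule (see `uninstall_mark_rule` called from `stop_server`). If the obsolete package goes away without its `stop` action running, those rules persist on the host after the upgrade. Either a NEWS/changelog note telling administrators to clear them or an explicit cleanup step in the upgrade path would avoid surprising marked-packet behaviour later.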
> diff --git a/debian/openvswitch-ipsec.install b/debian/openvswitch-ipsec.
> install
> deleted file mode 100644
> index 72cacfa..0000000
> --- a/debian/openvswitch-ipsec.install
> +++ /dev/null
> @@ -1 +0,0 @@
> -debian/ovs-monitor-ipsec usr/share/openvswitch/scripts
> diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
> deleted file mode 100755
> index 6bc26aa..0000000
> --- a/debian/ovs-monitor-ipsec
> +++ /dev/null
> @@ -1,507 +0,0 @@
> -#! /usr/bin/env python
> -# Copyright (c) 2009, 2010, 2011, 2012 Nicira, Inc.
> -#
> -# Licensed under the Apache License, Version 2.0 (the "License");
> -# you may not use this file except in compliance with the License.
> -# You may obtain a copy of the License at:
> -#
> -#     http://www.apache.org/licenses/LICENSE-2.0
> -#
> -# Unless required by applicable law or agreed to in writing, software
> -# distributed under the License is distributed on an "AS IS" BASIS,
> -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> -# See the License for the specific language governing permissions and
> -# limitations under the License.
> -
> -
> -# A daemon to monitor attempts to create GRE-over-IPsec tunnels.
> -# Uses racoon and setkey to support the configuration.  Assumes that
> -# OVS has complete control over IPsec configuration for the box.
> -
> -# xxx To-do:
> -#  - Doesn't actually check that Interface is connected to bridge
> -#  - If a certificate is badly formed, Racoon will refuse to start.  We
> -#    should do a better job of verifying certificates are valid before
> -#    adding an interface to racoon.conf.
> -
> -
> -import argparse
> -import glob
> -import os
> -import subprocess
> -import sys
> -
> -import ovs.dirs
> -from ovs.db import error
> -import ovs.util
> -import ovs.daemon
> -import ovs.db.idl
> -import ovs.unixctl
> -import ovs.unixctl.server
> -import ovs.vlog
> -from six.moves import range
> -import six
> -
> -vlog = ovs.vlog.Vlog("ovs-monitor-ipsec")
> -root_prefix = ''                # Prefix for absolute file names, for
> testing.
> -SETKEY = "/usr/sbin/setkey"
> -IP = "/sbin/ip"
> -exiting = False
> -IPSEC_MARK = "1"
> -
> -
> -def unixctl_exit(conn, unused_argv, unused_aux):
> -    global exiting
> -    exiting = True
> -    conn.reply(None)
> -
> -
> -# Class to configure the racoon daemon, which handles IKE negotiation
> -class Racoon(object):
> -    # Default locations for files
> -    conf_file = "/etc/racoon/racoon.conf"
> -    cert_dir = "/etc/racoon/certs"
> -    psk_file = "/etc/racoon/psk.txt"
> -
> -    # Racoon configuration header we use for IKE
> -    conf_header = """# Configuration file generated by Open vSwitch
> -#
> -# Do not modify by hand!
> -
> -path pre_shared_key "%s";
> -path certificate "%s";
> -
> -"""
> -
> -    # Racoon configuration footer we use for IKE
> -    conf_footer = """sainfo anonymous {
> -        pfs_group 2;
> -        lifetime time 1 hour;
> -        encryption_algorithm aes;
> -        authentication_algorithm hmac_sha1, hmac_md5;
> -        compression_algorithm deflate;
> -}
> -
> -"""
> -
> -    # Certificate entry template.
> -    cert_entry = """remote %s {
> -        exchange_mode main;
> -        nat_traversal on;
> -        ike_frag on;
> -        certificate_type x509 "%s" "%s";
> -        my_identifier asn1dn;
> -        peers_identifier asn1dn;
> -        peers_certfile x509 "%s";
> -        verify_identifier on;
> -        proposal {
> -                encryption_algorithm aes;
> -                hash_algorithm sha1;
> -                authentication_method rsasig;
> -                dh_group 2;
> -        }
> -}
> -
> -"""
> -
> -    # Pre-shared key template.
> -    psk_entry = """remote %s {
> -        exchange_mode main;
> -        nat_traversal on;
> -        proposal {
> -                encryption_algorithm aes;
> -                hash_algorithm sha1;
> -                authentication_method pre_shared_key;
> -                dh_group 2;
> -        }
> -}
> -
> -"""
> -
> -    def __init__(self):
> -        self.psk_hosts = {}
> -        self.cert_hosts = {}
> -
> -        if not os.path.isdir(root_prefix + self.cert_dir):
> -            os.mkdir(self.cert_dir)
> -
> -        # Clean out stale peer certs from previous runs
> -        for ovs_cert in glob.glob("%s%s/ovs-*.pem"
> -                                  % (root_prefix, self.cert_dir)):
> -            try:
> -                os.remove(ovs_cert)
> -            except OSError:
> -                vlog.warn("couldn't remove %s" % ovs_cert)
> -
> -        # Replace racoon's conf file with our template
> -        self.commit()
> -
> -    def reload(self):
> -        exitcode = subprocess.call([root_prefix + "/etc/init.d/racoon",
> -                                    "reload"])
> -        if exitcode != 0:
> -            # Racoon is finicky about its configuration file and will
> -            # refuse to start if it sees something it doesn't like
> -            # (e.g., a certificate file doesn't exist).  Try restarting
> -            # the process before giving up.
> -            vlog.warn("attempting to restart racoon")
> -            exitcode = subprocess.call([root_prefix +
> "/etc/init.d/racoon",
> -                                        "restart"])
> -            if exitcode != 0:
> -                vlog.warn("couldn't reload racoon")
> -
> -    def commit(self):
> -        # Rewrite the Racoon configuration file
> -        conf_file = open(root_prefix + self.conf_file, 'w')
> -        conf_file.write(Racoon.conf_header % (self.psk_file,
> self.cert_dir))
> -
> -        for host, vals in six.iteritems(self.cert_hosts):
> -            conf_file.write(Racoon.cert_entry % (host,
> vals["certificate"],
> -                    vals["private_key"], vals["peer_cert_file"]))
> -
> -        for host in self.psk_hosts:
> -            conf_file.write(Racoon.psk_entry % host)
> -
> -        conf_file.write(Racoon.conf_footer)
> -        conf_file.close()
> -
> -        # Rewrite the pre-shared keys file; it must only be readable by
> root.
> -        orig_umask = os.umask(0o077)
> -        psk_file = open(root_prefix + Racoon.psk_file, 'w')
> -        os.umask(orig_umask)
> -
> -        psk_file.write("# Generated by Open vSwitch...do not modify by
> hand!")
> -        psk_file.write("\n\n")
> -        for host, vals in six.iteritems(self.psk_hosts):
> -            psk_file.write("%s   %s\n" % (host, vals["psk"]))
> -        psk_file.close()
> -
> -        self.reload()
> -
> -    def _add_psk(self, host, psk):
> -        if host in self.cert_hosts:
> -            raise error.Error("host %s already defined for cert" % host)
> -
> -        self.psk_hosts[host] = psk
> -        self.commit()
> -
> -    def _verify_certs(self, vals):
> -        # Racoon will refuse to start if the certificate files don't
> -        # exist, so verify that they're there.
> -        if not os.path.isfile(root_prefix + vals["certificate"]):
> -            raise error.Error("'certificate' file does not exist: %s"
> -                    % vals["certificate"])
> -        elif not os.path.isfile(root_prefix + vals["private_key"]):
> -            raise error.Error("'private_key' file does not exist: %s"
> -                    % vals["private_key"])
> -
> -        # Racoon won't start if a given certificate or private key isn't
> -        # valid.  This is a weak test, but will detect the most flagrant
> -        # errors.
> -        if vals["peer_cert"].find("-----BEGIN CERTIFICATE-----") == -1:
> -            raise error.Error("'peer_cert' is not in valid PEM format")
> -
> -        cert = open(root_prefix + vals["certificate"]).read()
> -        if cert.find("-----BEGIN CERTIFICATE-----") == -1:
> -            raise error.Error("'certificate' is not in valid PEM format")
> -
> -        cert = open(root_prefix + vals["private_key"]).read()
> -        if cert.find("-----BEGIN RSA PRIVATE KEY-----") == -1:
> -            raise error.Error("'private_key' is not in valid PEM format")
> -
> -    def _add_cert(self, host, vals):
> -        if host in self.psk_hosts:
> -            raise error.Error("host %s already defined for psk" % host)
> -
> -        if vals["certificate"] is None:
> -            raise error.Error("'certificate' not defined for %s" % host)
> -        elif vals["private_key"] is None:
> -            # Assume the private key is stored in the same PEM file as
> -            # the certificate.  We make a copy of "vals" so that we don't
> -            # modify the original "vals", which would cause the script
> -            # to constantly think that the configuration has changed
> -            # in the database.
> -            vals = vals.copy()
> -            vals["private_key"] = vals["certificate"]
> -
> -        self._verify_certs(vals)
> -
> -        # The peer's certificate comes to us in PEM format as a string.
> -        # Write that string to a file for Racoon to use.
> -        f = open(root_prefix + vals["peer_cert_file"], "w")
> -        f.write(vals["peer_cert"])
> -        f.close()
> -
> -        self.cert_hosts[host] = vals
> -        self.commit()
> -
> -    def _del_cert(self, host):
> -        peer_cert_file = self.cert_hosts[host]["peer_cert_file"]
> -        del self.cert_hosts[host]
> -        self.commit()
> -        try:
> -            os.remove(root_prefix + peer_cert_file)
> -        except OSError:
> -            pass
> -
> -    def add_entry(self, host, vals):
> -        if vals["peer_cert"]:
> -            self._add_cert(host, vals)
> -        elif vals["psk"]:
> -            self._add_psk(host, vals)
> -
> -    def del_entry(self, host):
> -        if host in self.cert_hosts:
> -            self._del_cert(host)
> -        elif host in self.psk_hosts:
> -            del self.psk_hosts[host]
> -            self.commit()
> -
> -
> -# Class to configure IPsec on a system using racoon for IKE and setkey
> -# for maintaining the Security Association Database (SAD) and Security
> -# Policy Database (SPD).  Only policies for GRE are supported.
> -class IPsec(object):
> -    def __init__(self):
> -        self.sad_flush()
> -        self.spd_flush()
> -        self.racoon = Racoon()
> -        self.entries = []
> -
> -    def call_setkey(self, cmds):
> -        try:
> -            p = subprocess.Popen([root_prefix + SETKEY, "-c"],
> -                                 stdin=subprocess.PIPE,
> -                                 stdout=subprocess.PIPE)
> -        except:
> -            vlog.err("could not call %s%s" % (root_prefix, SETKEY))
> -            sys.exit(1)
> -
> -        # xxx It is safer to pass the string into the communicate()
> -        # xxx method, but it didn't work for slightly longer commands.
> -        # xxx An alternative may need to be found.
> -        p.stdin.write(cmds)
> -        return p.communicate()[0]
> -
> -    def call_ip_xfrm(self, cmds):
> -        exitcode = subprocess.call([root_prefix + IP, "xfrm"] + cmds)
> -        if exitcode != 0:
> -            vlog.err("couldn't install IPsec policy that prevents "
> -                     "traffic from exiting unencrypted")
> -
> -    def get_spi(self, local_ip, remote_ip, proto="esp"):
> -        # Run the setkey dump command to retrieve the SAD.  Then, parse
> -        # the output looking for SPI buried in the output.  Note that
> -        # multiple SAD entries can exist for the same "flow", since an
> -        # older entry could be in a "dying" state.
> -        spi_list = []
> -        host_line = "%s %s" % (local_ip, remote_ip)
> -        results = self.call_setkey("dump ;\n").split("\n")
> -        for i in range(len(results)):
> -            if results[i].strip() == host_line:
> -                # The SPI is in the line following the host pair
> -                spi_line = results[i + 1]
> -                if (spi_line[1:4] == proto):
> -                    spi = spi_line.split()[2]
> -                    spi_list.append(spi.split('(')[1].rstrip(')'))
> -        return spi_list
> -
> -    def sad_flush(self):
> -        self.call_setkey("flush;\n")
> -
> -    def sad_del(self, local_ip, remote_ip):
> -        # To delete all SAD entries, we should be able to use setkey's
> -        # "deleteall" command.  Unfortunately, it's fundamentally broken
> -        # on Linux and not documented as such.
> -        cmds = ""
> -
> -        # Delete local_ip->remote_ip SAD entries
> -        spi_list = self.get_spi(local_ip, remote_ip)
> -        for spi in spi_list:
> -            cmds += "delete %s %s esp %s;\n" % (local_ip, remote_ip, spi)
> -
> -        # Delete remote_ip->local_ip SAD entries
> -        spi_list = self.get_spi(remote_ip, local_ip)
> -        for spi in spi_list:
> -            cmds += "delete %s %s esp %s;\n" % (remote_ip, local_ip, spi)
> -
> -        if cmds:
> -            self.call_setkey(cmds)
> -
> -    def spd_flush(self):
> -        self.call_setkey("spdflush;\n")
> -        self.call_ip_xfrm(["policy", "add", "src", "0.0.0.0/0", "dst",
> -                           "0.0.0.0/0", "proto", "gre", "dir", "out",
> -                           "mark", IPSEC_MARK, "mask", IPSEC_MARK,
> -                           "action", "block", "priority", "4294967295"])
> -
> -    def spd_add(self, local_ip, remote_ip):
> -        cmds = ("spdadd %s %s gre -P out ipsec esp/transport//require;\n"
> %
> -                    (local_ip, remote_ip))
> -        cmds += ("spdadd %s %s gre -P in ipsec esp/transport//require;\n"
> %
> -                    (remote_ip, local_ip))
> -        self.call_setkey(cmds)
> -
> -    def spd_del(self, local_ip, remote_ip):
> -        cmds = "spddelete %s %s gre -P out;\n" % (local_ip, remote_ip)
> -        cmds += "spddelete %s %s gre -P in;\n" % (remote_ip, local_ip)
> -        self.call_setkey(cmds)
> -
> -    def add_entry(self, local_ip, remote_ip, vals):
> -        if remote_ip in self.entries:
> -            raise error.Error("host %s already configured for ipsec"
> -                              % remote_ip)
> -
> -        self.racoon.add_entry(remote_ip, vals)
> -        self.spd_add(local_ip, remote_ip)
> -
> -        self.entries.append(remote_ip)
> -
> -    def del_entry(self, local_ip, remote_ip):
> -        if remote_ip in self.entries:
> -            self.racoon.del_entry(remote_ip)
> -            self.spd_del(local_ip, remote_ip)
> -            self.sad_del(local_ip, remote_ip)
> -
> -            self.entries.remove(remote_ip)
> -
> -
> -def update_ipsec(ipsec, interfaces, new_interfaces):
> -    for name, vals in six.iteritems(interfaces):
> -        if name not in new_interfaces:
> -            ipsec.del_entry(vals["local_ip"], vals["remote_ip"])
> -
> -    for name, vals in six.iteritems(new_interfaces):
> -        orig_vals = interfaces.get(name)
> -        if orig_vals:
> -            # Configuration for this host already exists.  Check if it's
> -            # changed.  We use set difference, since we want to ignore
> -            # any local additions to "orig_vals" that we've made
> -            # (e.g. the "peer_cert_file" key).
> -            if set(vals.items()) - set(orig_vals.items()):
> -                ipsec.del_entry(vals["local_ip"], vals["remote_ip"])
> -            else:
> -                continue
> -
> -        try:
> -            ipsec.add_entry(vals["local_ip"], vals["remote_ip"], vals)
> -        except error.Error as msg:
> -            vlog.warn("skipping ipsec config for %s: %s" % (name, msg))
> -
> -
> -def get_ssl_cert(data):
> -    for ovs_rec in data["Open_vSwitch"].rows.values():
> -        if ovs_rec.ssl:
> -            ssl = ovs_rec.ssl[0]
> -            if ssl.certificate and ssl.private_key:
> -                return (ssl.certificate, ssl.private_key)
> -
> -    return None
> -
> -
> -def main():
> -
> -    parser = argparse.ArgumentParser()
> -    parser.add_argument("database", metavar="DATABASE",
> -                        help="A socket on which ovsdb-server is
> listening.")
> -    parser.add_argument("--root-prefix", metavar="DIR",
> -                        help="Use DIR as alternate root directory"
> -                        " (for testing).")
> -
> -    ovs.vlog.add_args(parser)
> -    ovs.daemon.add_args(parser)
> -    args = parser.parse_args()
> -    ovs.vlog.handle_args(args)
> -    ovs.daemon.handle_args(args)
> -
> -    global root_prefix
> -    if args.root_prefix:
> -        root_prefix = args.root_prefix
> -
> -    remote = args.database
> -    schema_helper = ovs.db.idl.SchemaHelper()
> -    schema_helper.register_columns("Interface", ["name", "type",
> "options"])
> -    schema_helper.register_columns("Open_vSwitch", ["ssl"])
> -    schema_helper.register_columns("SSL", ["certificate", "private_key"])
> -    idl = ovs.db.idl.Idl(remote, schema_helper)
> -
> -    ipsec = IPsec()
> -
> -    ovs.daemon.daemonize()
> -
> -    ovs.unixctl.command_register("exit", "", 0, 0, unixctl_exit, None)
> -    error, unixctl_server = ovs.unixctl.server.UnixctlServer.create(None)
> -    if error:
> -        ovs.util.ovs_fatal(error, "could not create unixctl server", vlog)
> -
> -    interfaces = {}
> -    seqno = idl.change_seqno    # Sequence number when we last processed
> the db
> -    while True:
> -        unixctl_server.run()
> -        if exiting:
> -            break
> -
> -        idl.run()
> -        if seqno == idl.change_seqno:
> -            poller = ovs.poller.Poller()
> -            unixctl_server.wait(poller)
> -            idl.wait(poller)
> -            poller.block()
> -            continue
> -        seqno = idl.change_seqno
> -
> -        ssl_cert = get_ssl_cert(idl.tables)
> -
> -        new_interfaces = {}
> -        for rec in six.itervalues(idl.tables["Interface"].rows):
> -            if rec.type == "ipsec_gre":
> -                name = rec.name
> -                options = rec.options
> -                peer_cert_name = "ovs-%s.pem" % (options.get("remote_ip"))
> -                entry = {
> -                    "remote_ip": options.get("remote_ip"),
> -                    "local_ip": options.get("local_ip", "0.0.0.0/0"),
> -                    "certificate": options.get("certificate"),
> -                    "private_key": options.get("private_key"),
> -                    "use_ssl_cert": options.get("use_ssl_cert"),
> -                    "peer_cert": options.get("peer_cert"),
> -                    "peer_cert_file": Racoon.cert_dir + "/" +
> peer_cert_name,
> -                    "psk": options.get("psk")}
> -
> -                if entry["peer_cert"] and entry["psk"]:
> -                    vlog.warn("both 'peer_cert' and 'psk' defined for %s"
> -                              % name)
> -                    continue
> -                elif not entry["peer_cert"] and not entry["psk"]:
> -                    vlog.warn("no 'peer_cert' or 'psk' defined for %s" %
> name)
> -                    continue
> -
> -                # The "use_ssl_cert" option is deprecated and will
> -                # likely go away in the near future.
> -                if entry["use_ssl_cert"] == "true":
> -                    if not ssl_cert:
> -                        vlog.warn("no valid SSL entry for %s" % name)
> -                        continue
> -
> -                    entry["certificate"] = ssl_cert[0]
> -                    entry["private_key"] = ssl_cert[1]
> -
> -                new_interfaces[name] = entry
> -
> -        if interfaces != new_interfaces:
> -            update_ipsec(ipsec, interfaces, new_interfaces)
> -            interfaces = new_interfaces
> -
> -    unixctl_server.close()
> -    idl.close()
> -
> -
> -if __name__ == '__main__':
> -    try:
> -        main()
> -    except SystemExit:
> -        # Let system.exit() calls complete normally
> -        raise
> -    except:
> -        vlog.exception("traceback")
> -        sys.exit(ovs.daemon.RESTART_EXIT_CODE)
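Review bot: deleting the daemon leaves the `psk`, `private_key` and `peer_cert` values it read from the Interface table (the `options.get(...)` calls in this block) sitting in OVSDB with nothing consuming them, and a pre-shared key that stays in the database after its consumer is gone is material nobody will think to rotate. Suggest an upgrade note telling users to clear those `options:` keys from existing `ipsec_gre` rows, and a check that the corresponding option documentation is dropped in the same series rather than left describing configuration that no longer does anything.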
> diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c
> index ac31da6..02a246a 100644
> --- a/lib/netdev-vport.c
> +++ b/lib/netdev-vport.c
> @@ -402,14 +402,13 @@ set_tunnel_config(struct netdev *dev_, const struct
> smap *args)
>      struct netdev_vport *dev = netdev_vport_cast(dev_);
>      const char *name = netdev_get_name(dev_);
>      const char *type = netdev_get_type(dev_);
> -    bool ipsec_mech_set, needs_dst_port, has_csum;
> +    bool needs_dst_port, has_csum;
>      uint16_t dst_proto = 0, src_proto = 0;
>      struct netdev_tunnel_config tnl_cfg;
>      struct smap_node *node;
>
>      has_csum = strstr(type, "gre") || strstr(type, "geneve") ||
>                 strstr(type, "stt") || strstr(type, "vxlan");
> -    ipsec_mech_set = false;
>      memset(&tnl_cfg, 0, sizeof tnl_cfg);
>
>      /* Add a default destination port for tunnel ports if none specified.
> */
> @@ -430,7 +429,6 @@ set_tunnel_config(struct netdev *dev_, const struct
> smap *args)
>      }
>
>      needs_dst_port = netdev_vport_needs_dst_port(dev_);
> -    tnl_cfg.ipsec = strstr(type, "ipsec");
>      tnl_cfg.dont_fragment = true;
>
>      SMAP_FOR_EACH (node, args) {
> @@ -485,33 +483,6 @@ set_tunnel_config(struct netdev *dev_, const struct
> smap *args)
>              if (!strcmp(node->value, "false")) {
>                  tnl_cfg.dont_fragment = false;
>              }
> -        } else if (!strcmp(node->key, "peer_cert") && tnl_cfg.ipsec) {
> -            if (smap_get(args, "certificate")) {
> -                ipsec_mech_set = true;
> -            } else {
> -                const char *use_ssl_cert;
> -
> -                /* If the "use_ssl_cert" is true, then "certificate" and
> -                 * "private_key" will be pulled from the SSL table.  The
> -                 * use of this option is strongly discouraged, since it
> -                 * will like be removed when multiple SSL configurations
> -                 * are supported by OVS.
> -                 */
> -                use_ssl_cert = smap_get(args, "use_ssl_cert");
> -                if (!use_ssl_cert || strcmp(use_ssl_cert, "true")) {
> -                    VLOG_ERR("%s: 'peer_cert' requires 'certificate'
> argument",
> -                             name);
> -                    return EINVAL;
> -                }
> -                ipsec_mech_set = true;
> -            }
> -        } else if (!strcmp(node->key, "psk") && tnl_cfg.ipsec) {
> -            ipsec_mech_set = true;
> -        } else if (tnl_cfg.ipsec
> -                && (!strcmp(node->key, "certificate")
> -                    || !strcmp(node->key, "private_key")
> -                    || !strcmp(node->key, "use_ssl_cert"))) {
> -            /* Ignore options not used by the netdev. */
>          } else if (!strcmp(node->key, "key") ||
>                     !strcmp(node->key, "in_key") ||
>                     !strcmp(node->key, "out_key")) {
> @@ -539,41 +510,6 @@ set_tunnel_config(struct netdev *dev_, const struct
> smap *args)
>          }
>      }
>
> -    if (tnl_cfg.ipsec) {
> -        static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER;
> -        static pid_t pid = 0;
> -
> -        VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name);
> -
> -#ifndef _WIN32
> -        ovs_mutex_lock(&mutex);
> -        if (pid <= 0) {
> -            char *file_name = xasprintf("%s/%s", ovs_rundir(),
> -                                        "ovs-monitor-ipsec.pid");
> -            pid = read_pidfile(file_name);
> -            free(file_name);
> -        }
> -        ovs_mutex_unlock(&mutex);
> -#endif
> -
> -        if (pid < 0) {
> -            VLOG_ERR("%s: IPsec requires the ovs-monitor-ipsec daemon",
> -                     name);
> -            return EINVAL;
> -        }
> -
> -        if (smap_get(args, "peer_cert") && smap_get(args, "psk")) {
> -            VLOG_ERR("%s: cannot define both 'peer_cert' and 'psk'",
> name);
> -            return EINVAL;
> -        }
> -
> -        if (!ipsec_mech_set) {
> -            VLOG_ERR("%s: IPsec requires an 'peer_cert' or psk' argument",
> -                     name);
> -            return EINVAL;
> -        }
> -    }
> -
>      if (!ipv6_addr_is_set(&tnl_cfg.ipv6_dst) && !tnl_cfg.ip_dst_flow) {
>          VLOG_ERR("%s: %s type requires valid 'remote_ip' argument",
>                   name, type);
> @@ -898,7 +834,6 @@ netdev_vport_tunnel_register(void)
>          TUNNEL_CLASS("gre", "gre_sys", netdev_gre_build_header,
>                                         netdev_gre_push_header,
>                                         netdev_gre_pop_header),
> -        TUNNEL_CLASS("ipsec_gre", "gre_sys", NULL, NULL, NULL),
>          TUNNEL_CLASS("vxlan", "vxlan_sys", netdev_vxlan_build_header,
>                                             netdev_tnl_push_udp_header,
>                                             netdev_vxlan_pop_header),
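Review bot: with the `ipsec_gre` class gone, an existing Interface row of that type fails at netdev class lookup, which is the right fail-closed outcome (the port never comes up as plaintext GRE), but the explicit `VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name)` that used to explain this to operators is removed earlier in this file. Suggest keeping a targeted log line for type `ipsec_gre` for one release that points at the external skb-mark plus xfrm workflow this patch moves users to, so an upgrade produces a clear message instead of a generic unknown-type failure.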
> diff --git a/lib/netdev.h b/lib/netdev.h
> index 634c665..bad28c4 100644
> --- a/lib/netdev.h
> +++ b/lib/netdev.h
> @@ -97,7 +97,6 @@ struct netdev_tunnel_config {
>      bool tos_inherit;
>
>      bool csum;
> -    bool ipsec;
>      bool dont_fragment;
>  };
>
> diff --git a/ofproto/ofproto-dpif-ipfix.c b/ofproto/ofproto-dpif-ipfix.c
> index abea492..6b00b77 100644
> --- a/ofproto/ofproto-dpif-ipfix.c
> +++ b/ofproto/ofproto-dpif-ipfix.c
> @@ -78,7 +78,6 @@ enum dpif_ipfix_tunnel_type {
>      DPIF_IPFIX_TUNNEL_GRE = 0x02,
>      DPIF_IPFIX_TUNNEL_LISP = 0x03,
>      DPIF_IPFIX_TUNNEL_STT = 0x04,
> -    DPIF_IPFIX_TUNNEL_IPSEC_GRE = 0x05,
>      DPIF_IPFIX_TUNNEL_GENEVE = 0x07,
>      NUM_DPIF_IPFIX_TUNNEL
>  };
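Review bot: removing `DPIF_IPFIX_TUNNEL_IPSEC_GRE = 0x05` leaves a second hole in this enum (0x05 next to the existing 0x06) while `NUM_DPIF_IPFIX_TUNNEL` stays 8 because `DPIF_IPFIX_TUNNEL_GENEVE` keeps 0x07. These values are what collectors receive as the tunnel type, so add a comment marking 0x05 and 0x06 as reserved rather than free for reuse, and make sure every table indexed by this enum tolerates the holes.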
> @@ -311,16 +310,12 @@ struct ipfix_data_record_flow_key_icmp {
>  });
>  BUILD_ASSERT_DECL(sizeof(struct ipfix_data_record_flow_key_icmp) == 2);
>
> -/* For the tunnel type that is on the top of IPSec, the protocol
> identifier
> - * of the upper tunnel type is used.
> - */
>  static uint8_t tunnel_protocol[NUM_DPIF_IPFIX_TUNNEL] = {
>      0,              /* reserved */
>      IPPROTO_UDP,    /* DPIF_IPFIX_TUNNEL_VXLAN */
>      IPPROTO_GRE,    /* DPIF_IPFIX_TUNNEL_GRE */
>      IPPROTO_UDP,    /* DPIF_IPFIX_TUNNEL_LISP*/
>      IPPROTO_TCP,    /* DPIF_IPFIX_TUNNEL_STT*/
> -    IPPROTO_GRE,    /* DPIF_IPFIX_TUNNEL_IPSEC_GRE */
>      0          ,    /* reserved */
>      IPPROTO_UDP,    /* DPIF_IPFIX_TUNNEL_GENEVE*/
>  };
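Review bot: this hunk introduces a real bug: `tunnel_protocol[]` is positionally initialized, so deleting the `IPPROTO_GRE` line for IPSEC_GRE shifts every later entry down by one. After the change index 5 holds the `0` that was meant for reserved 0x06, index 6 holds the `IPPROTO_UDP` that was meant for Geneve, and index 7, which is what `tunnel_protocol[DPIF_IPFIX_TUNNEL_GENEVE]` actually reads since `DPIF_IPFIX_TUNNEL_GENEVE` is still 0x07, is left zero by the implicit initialization. Geneve IPFIX records would then export tunnel protocol 0 instead of UDP. Either keep a `0, /* reserved (formerly IPSEC_GRE) */` placeholder at index 5 or, better, switch to designated initializers (`[DPIF_IPFIX_TUNNEL_GENEVE] = IPPROTO_UDP,` and so on) so the table cannot drift from the enum again.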
> @@ -657,10 +652,6 @@ dpif_ipfix_add_tunnel_port(struct dpif_ipfix *di,
> struct ofport *ofport,
>          /* 32-bit key gre */
>          dip->tunnel_type = DPIF_IPFIX_TUNNEL_GRE;
>          dip->tunnel_key_length = 4;
> -    } else if (strcmp(type, "ipsec_gre") == 0) {
> -        /* 32-bit key ipsec_gre */
> -        dip->tunnel_type = DPIF_IPFIX_TUNNEL_IPSEC_GRE;
> -        dip->tunnel_key_length = 4;
>      } else if (strcmp(type, "vxlan") == 0) {
>          dip->tunnel_type = DPIF_IPFIX_TUNNEL_VXLAN;
>          dip->tunnel_key_length = 3;
> @@ -1728,12 +1719,6 @@ ipfix_cache_entry_init(struct
> ipfix_flow_cache_entry *entry,
>          data_tunnel->tunnel_destination_ipv4_address =
> tunnel_key->ip_dst;
>          /* The tunnel_protocol_identifier is from tunnel_proto array,
> which
>           * contains protocol_identifiers of each tunnel type.
> -         * For the tunnel type on the top of IPSec, which uses the
> protocol
> -         * identifier of the upper tunnel type is used, the tcp_src and
> tcp_dst
> -         * are decided based on the protocol identifiers.
> -         * E.g:
> -         * The protocol identifier of DPIF_IPFIX_TUNNEL_IPSEC_GRE is
> IPPROTO_GRE,
> -         * and both tp_src and tp_dst are zero.
>           */
>          data_tunnel->tunnel_protocol_identifier =
>              tunnel_protocol[tunnel_port->tunnel_type];
> diff --git a/ofproto/ofproto-dpif-sflow.c b/ofproto/ofproto-dpif-sflow.c
> index 11d3a53..9ea8851 100644
> --- a/ofproto/ofproto-dpif-sflow.c
> +++ b/ofproto/ofproto-dpif-sflow.c
> @@ -61,7 +61,6 @@ enum dpif_sflow_tunnel_type {
>      DPIF_SFLOW_TUNNEL_VXLAN,
>      DPIF_SFLOW_TUNNEL_GRE,
>      DPIF_SFLOW_TUNNEL_LISP,
> -    DPIF_SFLOW_TUNNEL_IPSEC_GRE,
>      DPIF_SFLOW_TUNNEL_GENEVE
>  };
>
> @@ -582,8 +581,6 @@ dpif_sflow_tunnel_type(struct ofport *ofport) {
>      if (type) {
>         if (strcmp(type, "gre") == 0) {
>             return DPIF_SFLOW_TUNNEL_GRE;
> -       } else if (strcmp(type, "ipsec_gre") == 0) {
> -           return DPIF_SFLOW_TUNNEL_IPSEC_GRE;
>         } else if (strcmp(type, "vxlan") == 0) {
>             return DPIF_SFLOW_TUNNEL_VXLAN;
>         } else if (strcmp(type, "lisp") == 0) {
> @@ -606,10 +603,6 @@ dpif_sflow_tunnel_proto(enum dpif_sflow_tunnel_type
> tunnel_type)
>          ipproto = IPPROTO_GRE;
>          break;
>
> -    case DPIF_SFLOW_TUNNEL_IPSEC_GRE:
> -        ipproto = IPPROTO_ESP;
> -        break;
> -
>      case DPIF_SFLOW_TUNNEL_VXLAN:
>      case DPIF_SFLOW_TUNNEL_LISP:
>      case DPIF_SFLOW_TUNNEL_GENEVE:
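Review bot: after this hunk no sFlow tunnel type maps to `IPPROTO_ESP` any more, and the IPFIX comment removed above says the same for IPFIX: tunnel traffic that an externally managed xfrm policy encrypts will be reported to flow collectors as plain GRE or UDP. That matches the new division of labour, but it is a visibility change worth one sentence in the documentation, since anyone auditing whether a tunnel is encrypted from sFlow or IPFIX data could previously rely on seeing the ESP protocol number for `ipsec_gre` ports.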
> diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c
> index 9a69071..97de59e 100644
> --- a/ofproto/tunnel.c
> +++ b/ofproto/tunnel.c
> @@ -41,15 +41,11 @@
>
>  VLOG_DEFINE_THIS_MODULE(tunnel);
>
> -/* skb mark used for IPsec tunnel packets */
> -#define IPSEC_MARK 1
> -
>  struct tnl_match {
>      ovs_be64 in_key;
>      struct in6_addr ipv6_src;
>      struct in6_addr ipv6_dst;
>      odp_port_t odp_port;
> -    uint32_t pkt_mark;
>      bool in_key_flow;
>      bool ip_src_flow;
>      bool ip_dst_flow;
> @@ -164,7 +160,6 @@ tnl_port_add__(const struct ofport_dpif *ofport, const
> struct netdev *netdev,
>      tnl_port->match.ipv6_dst = cfg->ipv6_dst;
>      tnl_port->match.ip_src_flow = cfg->ip_src_flow;
>      tnl_port->match.ip_dst_flow = cfg->ip_dst_flow;
> -    tnl_port->match.pkt_mark = cfg->ipsec ? IPSEC_MARK : 0;
>      tnl_port->match.in_key_flow = cfg->in_key_flow;
>      tnl_port->match.odp_port = odp_port;
>
> @@ -357,7 +352,6 @@ tnl_process_ecn(struct flow *flow)
>          flow->nw_tos |= IP_ECN_CE;
>      }
>
> -    flow->pkt_mark &= ~IPSEC_MARK;
>      return true;
>  }
>
> @@ -383,8 +377,6 @@ tnl_wc_init(struct flow *flow, struct flow_wildcards
> *wc)
>          wc->masks.tunnel.tp_src = 0;
>          wc->masks.tunnel.tp_dst = 0;
>
> -        memset(&wc->masks.pkt_mark, 0xff, sizeof wc->masks.pkt_mark);
> -
>          if (is_ip_any(flow)
>              && IP_ECN_is_ce(flow->tunnel.ip_tos)) {
>              wc->masks.nw_tos |= IP_ECN_MASK;
> @@ -435,9 +427,6 @@ tnl_port_send(const struct ofport_dpif *ofport, struct
> flow *flow,
>              flow->tunnel.ipv6_dst = in6addr_any;
>          }
>      }
> -    flow->pkt_mark |= tnl_port->match.pkt_mark;
> -    wc->masks.pkt_mark |= tnl_port->match.pkt_mark;
> -
>      if (!cfg->out_key_flow) {
>          flow->tunnel.tun_id = cfg->out_key;
>      }
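Review bot: dropping `flow->pkt_mark |= tnl_port->match.pkt_mark` here, together with the `IPSEC_MARK` definition and the `tnl_process_ecn` clear earlier in this file, means OVS no longer reserves bit 0 of the packet mark or ORs it onto tunnel output; the tests removed later in this patch show a user mark of 0x2 previously becoming 0x3. Since users are now expected to set the mark from the OpenFlow pipeline and match it in xfrm, the documentation should state that the whole mark is theirs and that the tunnel code neither sets nor clears any bit, otherwise an xfrm policy carried over from the old `0x1/0x1` convention stops matching and the traffic it was meant to cover leaves in the clear.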
> @@ -561,7 +550,6 @@ tnl_find(const struct flow *flow)
> OVS_REQ_RDLOCK(rwlock)
>                          match.ipv6_dst = flow_tnl_src(&flow->tunnel);
>                      }
>                      match.odp_port = flow->in_port.odp_port;
> -                    match.pkt_mark = flow->pkt_mark;
>                      match.in_key_flow = in_key_flow;
>                      match.ip_dst_flow = ip_dst_flow;
>                      match.ip_src_flow = ip_src == IP_SRC_FLOW;
> @@ -616,7 +604,6 @@ tnl_match_fmt(const struct tnl_match *match, struct ds
> *ds)
>      }
>
>      ds_put_format(ds, ", dp port=%"PRIu32, match->odp_port);
> -    ds_put_format(ds, ", pkt mark=%"PRIu32, match->pkt_mark);
>  }
>
>  static void
> diff --git a/tests/automake.mk b/tests/automake.mk
> index 8ac98bf..a2b7786 100644
> --- a/tests/automake.mk
> +++ b/tests/automake.mk
> @@ -82,7 +82,6 @@ TESTSUITE_AT = \
>         tests/ovsdb-idl.at \
>         tests/ovsdb-lock.at \
>         tests/ovs-vsctl.at \
> -       tests/ovs-monitor-ipsec.at \
>         tests/ovs-xapi-sync.at \
>         tests/stp.at \
>         tests/rstp.at \
> diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
> index 79dedf4..92ab9ab 100644
> --- a/tests/ofproto-macros.at
> +++ b/tests/ofproto-macros.at
> @@ -468,53 +468,4 @@ m4_define([WAIT_FOR_DUMMY_PORTS], \
>          OVS_WAIT_WHILE([ovs-appctl netdev-dummy/conn-state dummy_port \
>                    | grep 'unknown\|disconnected'])])])
>
> -# OVS_MONITOR_IPSEC_START()
> -#
> -# Starts ovs-monitor-ipsec daemon.  Use this macro only after testing
> -# that python is present on the system.
> -m4_define([OVS_MONITOR_IPSEC_START],
> -[
> -cp "$top_srcdir/vswitchd/vswitch.ovsschema" .
> -
> -on_exit 'kill `cat pid ovs-monitor-ipsec.pid`'
>
> -mkdir etc etc/init.d etc/racoon etc/racoon/certs
> -mkdir usr usr/sbin
> -mkdir sbin
> -
> -AT_DATA([etc/init.d/racoon], [dnl
> -#! /bin/sh
> -echo "racoon: @S|@@" >&3
> -exit 0
> -])
> -chmod +x etc/init.d/racoon
> -
> -AT_DATA([usr/sbin/setkey], [dnl
> -#! /bin/sh
> -exec >&3
> -echo "setkey:"
> -while read line; do
> -      echo "> $line"
> -done
> -])
> -chmod +x usr/sbin/setkey
> -
> -AT_DATA([sbin/ip], [dnl
> -#! /bin/sh
> -exit 0
> -])
> -chmod +x sbin/ip
> -
> -touch etc/racoon/certs/ovs-stale.pem
> -
> -###
> -### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
> -###
> -AT_CHECK(
> -  [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
> -        "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
> -        unix:$OVS_RUNDIR/db.sock 2>log 3>actions &])
> -AT_CAPTURE_FILE([log])
> -AT_CAPTURE_FILE([actions])
> -OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
> -])
> diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
> index 372db27..00ee482 100644
> --- a/tests/ovn-controller.at
> +++ b/tests/ovn-controller.at
> @@ -195,7 +195,7 @@ OVS_WAIT_UNTIL([check_datapath_type ""])
>
>  # The following will need to be updated as OVS starts to support more
>  # interface types.
> -expected_iface_types="dummy,dummy-internal,dummy-pmd,
> geneve,gre,internal,ipsec_gre,lisp,patch,stt,system,tap,vxlan"
> +expected_iface_types="dummy,dummy-internal,dummy-pmd,
> geneve,gre,internal,lisp,patch,stt,system,tap,vxlan"
>  chassis_iface_types=$(ovn-sbctl get Chassis ${sysid}
> external_ids:iface-types | sed -e 's/\"//g')
>  echo "chassis_iface_types = ${chassis_iface_types}"
>  AT_CHECK([test "${expected_iface_types}" = "${chassis_iface_types}"])
> diff --git a/tests/ovs-monitor-ipsec.at b/tests/ovs-monitor-ipsec.at
> deleted file mode 100644
> index cae2878..0000000
> --- a/tests/ovs-monitor-ipsec.at
> +++ /dev/null
> @@ -1,271 +0,0 @@
> -AT_BANNER([ovs-monitor-ipsec])
> -
> -AT_SETUP([ovs-monitor-ipsec])
> -AT_SKIP_IF([test $HAVE_PYTHON = no])
> -AT_SKIP_IF([test "$IS_WIN32" = "yes"])
> -AT_SKIP_IF([$non_ascii_cwd])
> -
> -trim () {  # Removes blank lines and lines starting with # from input.
> -    sed -e '/^#/d' -e '/^[       ]*$/d' "$@"
> -}
> -
> -OVS_VSWITCHD_START([])
> -OVS_MONITOR_IPSEC_START
> -
> -###
> -### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
> -###
> -AT_CHECK([ovs-vsctl \
> -              -- add-port br0 gre0 \
> -              -- set interface gre0 type=ipsec_gre \
> -                                    options:remote_ip=1.2.3.4 \
> -                                    options:psk=swordfish])
> -OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions
> >/dev/null])
> -AT_CHECK([cat actions], [0], [dnl
> -setkey:
> -> flush;
> -setkey:
> -> spdflush;
> -racoon: reload
> -racoon: reload
> -setkey:
> -> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
> -> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
> -])
> -AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4   swordfish
> -])
> -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
> -path pre_shared_key "/etc/racoon/psk.txt";
> -path certificate "/etc/racoon/certs";
> -remote 1.2.3.4 {
> -        exchange_mode main;
> -        nat_traversal on;
> -        proposal {
> -                encryption_algorithm aes;
> -                hash_algorithm sha1;
> -                authentication_method pre_shared_key;
> -                dh_group 2;
> -        }
> -}
> -sainfo anonymous {
> -        pfs_group 2;
> -        lifetime time 1 hour;
> -        encryption_algorithm aes;
> -        authentication_algorithm hmac_sha1, hmac_md5;
> -        compression_algorithm deflate;
> -}
> -])
> -
> -###
> -### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
> -###
> -AT_CHECK([ovs-vsctl del-port gre0])
> -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
> -AT_CHECK([sed '1,9d' actions], [0], [dnl
> -racoon: reload
> -setkey:
> -> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
> -> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
> -setkey:
> -> dump ;
> -setkey:
> -> dump ;
> -])
> -AT_CHECK([trim etc/racoon/psk.txt], [0], [])
> -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
> -path pre_shared_key "/etc/racoon/psk.txt";
> -path certificate "/etc/racoon/certs";
> -sainfo anonymous {
> -        pfs_group 2;
> -        lifetime time 1 hour;
> -        encryption_algorithm aes;
> -        authentication_algorithm hmac_sha1, hmac_md5;
> -        compression_algorithm deflate;
> -}
> -])
> -
> -###
> -### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec
> does
> -###
> -AT_DATA([cert.pem], [dnl
> ------BEGIN CERTIFICATE-----
> -(not a real certificate)
> ------END CERTIFICATE-----
> -])
> -AT_DATA([key.pem], [dnl
> ------BEGIN RSA PRIVATE KEY-----
> -(not a real private key)
> ------END RSA PRIVATE KEY-----
> -])
> -AT_CHECK([ovs-vsctl \
> -              -- add-port br0 gre1 \
> -              -- set Interface gre1 type=ipsec_gre \
> -                 options:remote_ip=2.3.4.5 \
> -                 options:peer_cert='"-----BEGIN CERTIFICATE-----
> -(not a real peer certificate)
> ------END CERTIFICATE-----
> -"' \
> -                 options:certificate='"/cert.pem"' \
> -                 options:private_key='"/key.pem"'])
> -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
> -AT_CHECK([sed '1,17d' actions], [0], [dnl
> -racoon: reload
> -setkey:
> -> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
> -> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
> -])
> -AT_CHECK([trim etc/racoon/psk.txt], [0], [])
> -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
> -path pre_shared_key "/etc/racoon/psk.txt";
> -path certificate "/etc/racoon/certs";
> -remote 2.3.4.5 {
> -        exchange_mode main;
> -        nat_traversal on;
> -        ike_frag on;
> -        certificate_type x509 "/cert.pem" "/key.pem";
> -        my_identifier asn1dn;
> -        peers_identifier asn1dn;
> -        peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
> -        verify_identifier on;
> -        proposal {
> -                encryption_algorithm aes;
> -                hash_algorithm sha1;
> -                authentication_method rsasig;
> -                dh_group 2;
> -        }
> -}
> -sainfo anonymous {
> -        pfs_group 2;
> -        lifetime time 1 hour;
> -        encryption_algorithm aes;
> -        authentication_algorithm hmac_sha1, hmac_md5;
> -        compression_algorithm deflate;
> -}
> -])
> -AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
> ------BEGIN CERTIFICATE-----
> -(not a real peer certificate)
> ------END CERTIFICATE-----
> -])
> -
> -###
> -### Delete the ipsec_gre certificate interface.
> -###
> -AT_CHECK([ovs-vsctl del-port gre1])
> -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
> -AT_CHECK([sed '1,21d' actions], [0], [dnl
> -racoon: reload
> -setkey:
> -> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
> -> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
> -setkey:
> -> dump ;
> -setkey:
> -> dump ;
> -])
> -AT_CHECK([trim etc/racoon/psk.txt], [0], [])
> -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
> -path pre_shared_key "/etc/racoon/psk.txt";
> -path certificate "/etc/racoon/certs";
> -sainfo anonymous {
> -        pfs_group 2;
> -        lifetime time 1 hour;
> -        encryption_algorithm aes;
> -        authentication_algorithm hmac_sha1, hmac_md5;
> -        compression_algorithm deflate;
> -}
> -])
> -AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
> -
> -###
> -### Add an SSL certificate interface.
> -###
> -cp cert.pem ssl-cert.pem
> -cp key.pem ssl-key.pem
> -AT_DATA([ssl-cacert.pem], [dnl
> ------BEGIN CERTIFICATE-----
> -(not a real CA certificate)
> ------END CERTIFICATE-----
> -])
> -AT_CHECK([ovs-vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
> -              -- add-port br0 gre2 \
> -              -- set Interface gre2 type=ipsec_gre \
> -                 options:remote_ip=3.4.5.6 \
> -                 options:peer_cert='"-----BEGIN CERTIFICATE-----
> -(not a real peer certificate)
> ------END CERTIFICATE-----
> -"' \
> -                 options:use_ssl_cert='"true"'])
> -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
> -AT_CHECK([sed '1,29d' actions], [0], [dnl
> -racoon: reload
> -setkey:
> -> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
> -> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
> -])
> -AT_CHECK([trim etc/racoon/psk.txt], [0], [])
> -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
> -path pre_shared_key "/etc/racoon/psk.txt";
> -path certificate "/etc/racoon/certs";
> -remote 3.4.5.6 {
> -        exchange_mode main;
> -        nat_traversal on;
> -        ike_frag on;
> -        certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
> -        my_identifier asn1dn;
> -        peers_identifier asn1dn;
> -        peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
> -        verify_identifier on;
> -        proposal {
> -                encryption_algorithm aes;
> -                hash_algorithm sha1;
> -                authentication_method rsasig;
> -                dh_group 2;
> -        }
> -}
> -sainfo anonymous {
> -        pfs_group 2;
> -        lifetime time 1 hour;
> -        encryption_algorithm aes;
> -        authentication_algorithm hmac_sha1, hmac_md5;
> -        compression_algorithm deflate;
> -}
> -])
> -AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
> ------BEGIN CERTIFICATE-----
> -(not a real peer certificate)
> ------END CERTIFICATE-----
> -])
> -
> -###
> -### Delete the SSL certificate interface.
> -###
> -AT_CHECK([ovs-vsctl del-port gre2])
> -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
> -AT_CHECK([sed '1,33d' actions], [0], [dnl
> -racoon: reload
> -setkey:
> -> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
> -> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
> -setkey:
> -> dump ;
> -setkey:
> -> dump ;
> -])
> -AT_CHECK([trim etc/racoon/psk.txt], [0], [])
> -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
> -path pre_shared_key "/etc/racoon/psk.txt";
> -path certificate "/etc/racoon/certs";
> -sainfo anonymous {
> -        pfs_group 2;
> -        lifetime time 1 hour;
> -        encryption_algorithm aes;
> -        authentication_algorithm hmac_sha1, hmac_md5;
> -        compression_algorithm deflate;
> -}
> -])
> -AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
> -
> -dnl Skip SSL errors reported by Open vSwitch
> -OVS_VSWITCHD_STOP(["/stream_ssl/d"])
> -AT_CLEANUP
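Review bot: the racoon configuration this test pins down (`exchange_mode main`, `dh_group 2`, `hash_algorithm sha1`, `authentication_algorithm hmac_sha1, hmac_md5`, `pfs_group 2`, an `anonymous` sainfo) is a concrete record of what the removed support shipped: IKEv1 main mode with 1024-bit MODP groups and MD5 or SHA-1 integrity. It would help users migrating to a keying daemon such as strongSwan or libreswan if the documentation named these as settings not to carry forward, rather than leaving them to copy the old proposals into their new configuration.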
> diff --git a/tests/testsuite.at b/tests/testsuite.at
> index f5f1253..2123bee 100644
> --- a/tests/testsuite.at
> +++ b/tests/testsuite.at
> @@ -63,7 +63,6 @@ m4_include([tests/bridge.at])
>  m4_include([tests/netdev-type.at])
>  m4_include([tests/ovsdb.at])
>  m4_include([tests/ovs-vsctl.at])
> -m4_include([tests/ovs-monitor-ipsec.at])
>  m4_include([tests/ovs-xapi-sync.at])
>  m4_include([tests/interface-reconfigure.at])
>  m4_include([tests/stp.at])
> diff --git a/tests/tunnel-push-pop-ipv6.at b/tests/tunnel-push-pop-ipv6.at
> index c213a85..16dc571 100644
> --- a/tests/tunnel-push-pop-ipv6.at
> +++ b/tests/tunnel-push-pop-ipv6.at
> @@ -158,7 +158,7 @@ AT_CHECK([ovs-ofctl dump-ports int-br | grep 'port
> 5'], [0], [dnl
>    port  5: rx pkts=1, bytes=98, drop=?, errs=?, frame=?, over=?, crc=?
>  ])
>  AT_CHECK([ovs-appctl dpif/dump-flows int-br | grep 'in_port(6081)'], [0],
> [dnl
> -tunnel(tun_id=0x7b,ipv6_src=2001:cafe::92,ipv6_dst=2001:
> cafe::88,geneve({class=0xffff,type=0x80,len=4,0xa/0xf}{
> class=0xffff,type=0,len=4}),flags(-df-csum+key)),skb_mark(
> 0),recirc_id(0),in_port(6081),eth_type(0x0800),ipv4(frag=no), packets:0,
> bytes:0, used:never, actions:userspace(pid=0,slow_path(controller))
> +tunnel(tun_id=0x7b,ipv6_src=2001:cafe::92,ipv6_dst=2001:
> cafe::88,geneve({class=0xffff,type=0x80,len=4,0xa/0xf}{
> class=0xffff,type=0,len=4}),flags(-df-csum+key)),recirc_
> id(0),in_port(6081),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0,
> used:never, actions:userspace(pid=0,slow_path(controller))
>  ])
>
>  OVS_VSWITCHD_STOP
> diff --git a/tests/tunnel-push-pop.at b/tests/tunnel-push-pop.at
> index 8245bf1..700ef55 100644
> --- a/tests/tunnel-push-pop.at
> +++ b/tests/tunnel-push-pop.at
> @@ -163,7 +163,7 @@ AT_CHECK([ovs-ofctl dump-ports int-br | grep 'port
> 5'], [0], [dnl
>    port  5: rx pkts=1, bytes=98, drop=?, errs=?, frame=?, over=?, crc=?
>  ])
>  AT_CHECK([ovs-appctl dpif/dump-flows int-br | grep 'in_port(6081)'], [0],
> [dnl
> -tunnel(tun_id=0x7b,src=1.1.2.92,dst=1.1.2.88,geneve({class=
> 0xffff,type=0x80,len=4,0xa/0xf}{class=0xffff,type=0,len=
> 4}),flags(-df-csum+key)),skb_mark(0),recirc_id(0),in_port(
> 6081),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never,
> actions:userspace(pid=0,slow_path(controller))
> +tunnel(tun_id=0x7b,src=1.1.2.92,dst=1.1.2.88,geneve({class=
> 0xffff,type=0x80,len=4,0xa/0xf}{class=0xffff,type=0,len=
> 4}),flags(-df-csum+key)),recirc_id(0),in_port(6081),
> eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never,
> actions:userspace(pid=0,slow_path(controller))
>  ])
>
>  OVS_VSWITCHD_STOP
> diff --git a/tests/tunnel.at b/tests/tunnel.at
> index dbc6a11..647a466 100644
> --- a/tests/tunnel.at
> +++ b/tests/tunnel.at
> @@ -82,28 +82,28 @@ AT_CHECK([ovs-appctl dpif/show | tail -n +3], [0], [dnl
>  dnl Tunnel CE and encapsulated packet CE
>  AT_CHECK([ovs-appctl ofproto/trace ovs-dummy
> 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_
> port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),
> eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=
> 6,tos=3,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout])
>  AT_CHECK([tail -2 stdout], [0],
> -  [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=
> 2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=3,nw_frag=no
> +  [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,
> tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=3,nw_frag=no
>  Datapath actions: 2
>  ])
>
>  dnl Tunnel CE and encapsulated packet ECT(1)
>  AT_CHECK([ovs-appctl ofproto/trace ovs-dummy
> 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_
> port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),
> eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=
> 6,tos=1,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout])
>  AT_CHECK([tail -2 stdout], [0],
> -  [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=
> 2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=1,nw_frag=no
> +  [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,
> tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=1,nw_frag=no
>  Datapath actions: set(ipv4(tos=0x3/0x3)),2
>  ])
>
>  dnl Tunnel CE and encapsulated packet ECT(2)
>  AT_CHECK([ovs-appctl ofproto/trace ovs-dummy
> 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_
> port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),
> eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=
> 6,tos=2,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout])
>  AT_CHECK([tail -2 stdout], [0],
> -  [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=
> 2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=2,nw_frag=no
> +  [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,
> tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=2,nw_frag=no
>  Datapath actions: set(ipv4(tos=0x3/0x3)),2
>  ])
>
>  dnl Tunnel CE and encapsulated packet Non-ECT
>  AT_CHECK([ovs-appctl ofproto/trace ovs-dummy
> 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_
> port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),
> eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=
> 6,tos=0,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout])
>  AT_CHECK([tail -2 stdout], [0],
> -  [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=
> 2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=0,nw_frag=no
> +  [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,
> tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=0,nw_frag=no
>  Datapath actions: drop
>  ])
>  OVS_VSWITCHD_STOP(["/dropping tunnel packet marked ECN CE but is not ECN
> capable/d"])
> @@ -196,75 +196,6 @@ AT_CHECK([tail -1 stdout], [0],
>  OVS_VSWITCHD_STOP
>  AT_CLEANUP
>
> -AT_SETUP([tunnel - encrypted tunnel and not setting skb_mark])
> -AT_SKIP_IF([test $HAVE_PYTHON = no])
> -AT_SKIP_IF([test "$IS_WIN32" = "yes"])
> -AT_SKIP_IF([$non_ascii_cwd])
> -OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \
> -                    options:remote_ip=1.1.1.1 options:local_ip=2.2.2.2 \
> -                    options:key=5 ofport_request=1\
> -                    -- add-port br0 p2 -- set Interface p2 type=dummy \
> -                    ofport_request=2 ofport_request=2])
> -AT_DATA([flows.txt], [dnl
> -actions=output:1
> -])
> -OVS_MONITOR_IPSEC_START
> -AT_CHECK([ovs-vsctl set interface p1 type=ipsec_gre
> options:psk=1234567890])
> -OVS_VSWITCHD_DISABLE_TUNNEL_PUSH_POP
> -AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
> -AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(2),eth(src=50:54:00:
> 00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=
> 192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'],
> [0], [stdout])
> -AT_CHECK([tail -1 stdout], [0],
> -  [Datapath actions: set(tunnel(tun_id=0x5,src=2.2.
> 2.2,dst=1.1.1.1,ttl=64,flags(df|key))),set(skb_mark(0x1/0x1)),1
> -])
> -OVS_VSWITCHD_STOP
> -AT_CLEANUP
> -
> -AT_SETUP([tunnel - encrypted tunnel and setting skb_mark to 1])
> -AT_SKIP_IF([test $HAVE_PYTHON = no])
> -AT_SKIP_IF([test "$IS_WIN32" = "yes"])
> -AT_SKIP_IF([$non_ascii_cwd])
> -OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \
> -                    options:remote_ip=1.1.1.1 options:local_ip=2.2.2.2 \
> -                    options:key=5 ofport_request=1\
> -                    -- add-port br0 p2 -- set Interface p2 type=dummy \
> -                    ofport_request=2 ofport_request=2])
> -AT_DATA([flows.txt], [dnl
> -actions=load:0x1->NXM_NX_PKT_MARK[[]],output:1
> -])
> -OVS_MONITOR_IPSEC_START
> -AT_CHECK([ovs-vsctl set interface p1 type=ipsec_gre
> options:psk=1234567890])
> -OVS_VSWITCHD_DISABLE_TUNNEL_PUSH_POP
> -AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
> -AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(2),eth(src=50:54:00:
> 00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=
> 192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'],
> [0], [stdout])
> -AT_CHECK([tail -1 stdout], [0],
> -  [Datapath actions: set(tunnel(tun_id=0x5,src=2.2.
> 2.2,dst=1.1.1.1,ttl=64,flags(df|key))),set(skb_mark(0x1)),1
> -])
> -OVS_VSWITCHD_STOP
> -AT_CLEANUP
> -
> -AT_SETUP([tunnel - encrypted tunnel and setting skb_mark to 2])
> -AT_SKIP_IF([test $HAVE_PYTHON = no])
> -AT_SKIP_IF([test "$IS_WIN32" = "yes"])
> -AT_SKIP_IF([$non_ascii_cwd])
> -OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \
> -                    options:remote_ip=1.1.1.1 options:local_ip=2.2.2.2 \
> -                    options:key=5 ofport_request=1\
> -                    -- add-port br0 p2 -- set Interface p2 type=dummy \
> -                    ofport_request=2 ofport_request=2])
> -AT_DATA([flows.txt], [dnl
> -actions=load:0x2->NXM_NX_PKT_MARK[[]],output:1
> -])
> -OVS_MONITOR_IPSEC_START
> -AT_CHECK([ovs-vsctl set interface p1 type=ipsec_gre
> options:psk=1234567890])
> -OVS_VSWITCHD_DISABLE_TUNNEL_PUSH_POP
> -AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
> -AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(2),eth(src=50:54:00:
> 00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=
> 192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'],
> [0], [stdout])
> -AT_CHECK([tail -1 stdout], [0],
> -  [Datapath actions: set(tunnel(tun_id=0x5,src=2.2.
> 2.2,dst=1.1.1.1,ttl=64,flags(df|key))),set(skb_mark(0x3)),1
> -])
> -OVS_VSWITCHD_STOP
> -AT_CLEANUP
> -
>  AT_SETUP([tunnel - ToS and TTL inheritance])
>  OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \
>                      options:remote_ip=1.1.1.1 options:tos=inherit \
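
Review bot: dropping all three "tunnel - encrypted tunnel ... skb_mark" tests in this hunk leaves no test that a mark loaded via NXM_NX_PKT_MARK[] on a tunnel port reaches the datapath as a set(skb_mark(...)) action, yet that propagation is exactly what the commit message now relies on for xfrm-based selection of tunnel traffic. Suggest keeping one of the cases, rewritten for a plain type=gre port without OVS_MONITOR_IPSEC_START or the ipsec_gre retype, e.g. `actions=load:0x2->NXM_NX_PKT_MARK[[]],output:1` with the trace presumably now expecting set(skb_mark(0x2)), so a regression in mark handling is still caught. The old expectation of skb_mark(0x3) for a user mark of 0x2 (bit 0 OR'ed in by the ipsec code) is the part that should go away, not the test itself.
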
> @@ -559,14 +490,14 @@ AT_CHECK([tail -1 stdout], [0],
>  dnl Option match
>  AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=
> 0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,
> type=0,len=4,0xb}),flags(df|key)),in_port(6081),skb_mark(
> 0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout])
>  AT_CHECK([tail -2 stdout], [0],
> -  [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=
> 1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/
> 0xf,in_port=1,nw_frag=no
> +  [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,
> tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/0xf,in_
> port=1,nw_frag=no
>  Datapath actions: 2
>  ])
>
>  dnl Skip unknown option
>  AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=
> 0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,
> type=0,len=4,0xb}{class=0xffff,type=2,len=4,0xc}),
> flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'],
> [0], [stdout])
>  AT_CHECK([tail -2 stdout], [0],
> -  [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=
> 1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/
> 0xf,in_port=1,nw_frag=no
> +  [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,
> tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/0xf,in_
> port=1,nw_frag=no
>  Datapath actions: 2
>  ])
>
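
Review bot: the only change in this hunk is that pkt_mark=0 disappears from the expected Megaflow for both traces, i.e. the datapath flows for received tunnel packets no longer match on the packet mark, presumably because the removed ipsec handling was what unwildcarded it. That is a datapath-visible behaviour change (tunnel packets carrying different marks will now share one megaflow), and the commit message does not mention it; a sentence there would help anyone bisecting a flow-cache difference later. The same expectation update repeats in the following hunks of this file.
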
> @@ -600,7 +531,7 @@ AT_CHECK([ovs-ofctl add-tlv-map br0
> "{class=0xffff,type=3,len=8}->tun_metadata3"
>  AT_CHECK([ovs-ofctl add-flow br0 tun_metadata3=
> 0x1234567890abcdef,actions=2])
>  AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=
> 0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,type=3,len=8,
> 0x1234567890abcdef}),flags(df|key)),in_port(6081),skb_mark(
> 0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout])
>  AT_CHECK([tail -2 stdout], [0],
> -  [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=
> 1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata3=
> 0x1234567890abcdef,in_port=1,nw_frag=no
> +  [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,
> tun_tos=0,tun_flags=+df-csum+key,tun_metadata3=
> 0x1234567890abcdef,in_port=1,nw_frag=no
>  Datapath actions: 2
>  ])
>
> @@ -635,13 +566,13 @@ NXST_FLOW reply:
>
>  AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=
> 0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,
> type=0,len=4,0x12345678}),flags(df|key)),in_port(6081),
> skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout])
>  AT_CHECK([tail -2 stdout], [0],
> -  [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=
> 1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0,tun_
> metadata1=NP,tun_metadata2=NP,in_port=1,nw_frag=no
> +  [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,
> tun_tos=0,tun_flags=+df-csum+key,tun_metadata0,tun_
> metadata1=NP,tun_metadata2=NP,in_port=1,nw_frag=no
>  Datapath actions: 2
>  ])
>
>  AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=
> 0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,
> type=1,len=0}),flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'],
> [0], [stdout])
>  AT_CHECK([tail -2 stdout], [0],
> -  [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=
> 1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata1,tun_
> metadata2=NP,in_port=1,nw_ecn=0,nw_frag=no
> +  [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,
> tun_tos=0,tun_flags=+df-csum+key,tun_metadata1,tun_
> metadata2=NP,in_port=1,nw_ecn=0,nw_frag=no
>  Datapath actions: set(tunnel(tun_id=0x0,dst=1.1.1.1,ttl=64,geneve({class=
> 0xffff,type=0x1,len=0}),flags(df|key))),6081
>  ])
>
> diff --git a/utilities/bugtool/ovs-bugtool.in b/utilities/bugtool/ovs-
> bugtool.in
> index 2ec2f2a..963c50c 100755
> --- a/utilities/bugtool/ovs-bugtool.in
> +++ b/utilities/bugtool/ovs-bugtool.in
> @@ -630,7 +630,7 @@ exclude those logs from the archive.
>
>      ovs_logs = ([OPENVSWITCH_LOG_DIR + x for x in
>          ['ovs-vswitchd.log', 'ovsdb-server.log',
> -        'ovs-xapi-sync.log', 'ovs-monitor-ipsec.log', 'ovs-ctl.log']])
> +        'ovs-xapi-sync.log', 'ovs-ctl.log']])
>      for log in ovs_logs:
>          prefix_output(CAP_OPENVSWITCH_LOGS, log,
>                        last_mod_time=log_last_mod_time)
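
Review bot: after this hunk ovs_logs no longer includes 'ovs-monitor-ipsec.log', so bugtool will stop collecting that file even on hosts upgraded in place where the old daemon's log is still present under OPENVSWITCH_LOG_DIR. That is probably fine for master, but if the intent is to help people diagnose leftover ipsec_gre configurations after an upgrade, keeping the entry for one more release or mentioning the removal in NEWS would be the safer choice.
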
> diff --git a/utilities/ovs-appctl.8.in b/utilities/ovs-appctl.8.in
> index 0eda7f2..645b62b 100644
> --- a/utilities/ovs-appctl.8.in
> +++ b/utilities/ovs-appctl.8.in
> @@ -254,8 +254,8 @@ The default pattern for console and file output is
> \fB%D{%Y-%m-%dT
>  %H:%M:%SZ}|%05N|%c|%p|%m\fR; for syslog output, \fB%05N|%c|%p|%m\fR.
>  .
>  .IP
> -Daemons written in Python (e.g. \fBovs\-xapi\-sync\fR,
> -\fBovs\-monitor\-ipsec) do not allow control over the log pattern.
> +Daemons written in Python (e.g. \fBovs\-xapi\-sync\fR) do not allow
> +control over the log pattern.
>  .
>  .IP "\fBvlog/set\fR FACILITY:\fIfacility\fR"
>  Sets the RFC5424 facility of the log message. \fIfacility\fR can be one of
> diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
> index 976f3ca..8ff3853 100644
> --- a/vswitchd/vswitch.xml
> +++ b/vswitchd/vswitch.xml
> @@ -2004,15 +2004,6 @@
>              tunnel.
>            </dd>
>
> -          <dt><code>ipsec_gre</code></dt>
> -          <dd>
> -            An Ethernet over RFC 2890 Generic Routing Encapsulation over
> IPv4/IPv6
> -            IPsec tunnel.
> -            IPsec tunnel ports are deprecated. The support will be
> completely
> -            removed in next version.
> -
> -          </dd>
> -
>            <dt><code>vxlan</code></dt>
>            <dd>
>              <p>
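
Review bot: with the ipsec_gre entry gone from the type column documentation, a database that still contains type=ipsec_gre after an upgrade becomes an unknown interface type, and nothing in this hunk tells the reader what to do about it. Suggest a short migration sentence here or in NEWS: change the interface to type=gre and move the psk or certificate settings to the external IPsec keying daemon, as the commit message describes.
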
> @@ -2075,8 +2066,8 @@
>      <group title="Tunnel Options">
>        <p>
>          These options apply to interfaces with <ref column="type"/> of
> -        <code>geneve</code>, <code>gre</code>, <code>ipsec_gre</code>,
> -        <code>vxlan</code>, <code>lisp</code> and <code>stt</code>.
> +        <code>geneve</code>, <code>gre</code>, <code>vxlan</code>,
> +        <code>lisp</code> and <code>stt</code>.
>        </p>
>
>        <p>
> @@ -2253,9 +2244,9 @@
>
>        </group>
>
> -      <group title="Tunnel Options: gre, ipsec_gre, geneve, and vxlan">
> +      <group title="Tunnel Options: gre, geneve, and vxlan">
>          <p>
> -          <code>gre</code>, <code>ipsec_gre</code>, <code>geneve</code>,
> and
> +          <code>gre</code>, <code>geneve</code>, and
>            <code>vxlan</code> interfaces support these options.
>          </p>
>
> @@ -2277,43 +2268,6 @@
>              is compatible with.
>            </p>
>
> -          <p>
> -            This option is supported for <code>ipsec_gre</code>, but not
> useful
> -            because GRE checksums are weaker than, and redundant with,
> IPsec
> -            payload authentication.
> -          </p>
> -        </column>
> -      </group>
> -
> -      <group title="Tunnel Options: ipsec_gre only">
> -        <p>
> -          Only <code>ipsec_gre</code> interfaces support these options.
> -        </p>
> -
> -        <column name="options" key="peer_cert">
> -          Required for certificate authentication.  A string containing
> the
> -          peer's certificate in PEM format.  Additionally the host's
> -          certificate must be specified with the <code>certificate</code>
> -          option.
> -        </column>
> -
> -        <column name="options" key="certificate">
> -          Required for certificate authentication.  The name of a PEM file
> -          containing a certificate that will be presented to the peer
> during
> -          authentication.
> -        </column>
> -
> -        <column name="options" key="private_key">
> -          Optional for certificate authentication.  The name of a PEM file
> -          containing the private key associated with
> <code>certificate</code>.
> -          If <code>certificate</code> contains the private key, this
> option may
> -          be omitted.
> -        </column>
> -
> -        <column name="options" key="psk">
> -          Required for pre-shared key authentication.  Specifies a
> pre-shared
> -          key for authentication that must be identical on both sides of
> the
> -          tunnel.
>          </column>
>        </group>
>      </group>
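
Review bot: this hunk removes the documentation for the peer_cert, certificate, private_key and psk keys, but since options is a free-form map, `ovs-vsctl set Interface p1 options:psk=...` will still succeed silently on a gre port, leaving a user who missed the deprecation with an unencrypted tunnel and no indication why. Worth pairing the doc removal with a warning in the vport code when these now-meaningless keys are present, or at least stating in the type column text that they are ignored.
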
> @@ -4774,8 +4728,7 @@
>            <p>type: unsigned 8-bit integer.</p>
>            <p>data type semantics: identifier.</p>
>            <p>description: Identifier of the layer 2 network overlay
> network
> -          encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x05
> IPsec+GRE,
> -          0x07 GENEVE.</p>
> +          encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x07
> GENEVE.</p>
>          </dd>
>          <dt>tunnelKey:</dt>
>          <dd>
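
Review bot: the enumeration in this hunk now skips 0x05 with no explanation, while IPFIX collectors that ingested records from earlier OVS versions may still carry 0x05 = IPsec+GRE in their decoders. Since this text is effectively the wire-format reference for the element, consider keeping the value listed as "0x05 reserved (formerly IPsec+GRE, no longer exported)" rather than deleting it, so the numbering stays stable and nobody reuses 0x05 for a new encapsulation later.
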
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
>