On Wed, Mar 2, 2022 at 8:40 AM Andreas Karis <ak.ka...@gmail.com> wrote:
>
> Tunnels in LibreSwan and OpenSwan allow for many options to be set on a
> per tunnel basis. Pass through any options starting with ipsec_ to the
> connection in the configuration file. Administrators are responsible for
> picking valid key/value pairs.
>
> Signed-off-by: Andreas Karis <ak.ka...@gmail.com>

Acked-by: Mike Pattrick <m...@redhat.com>

> ---
>  Documentation/tutorials/ipsec.rst | 45 +++++++++++++++++++++++++++++++
>  ipsec/ovs-monitor-ipsec.in        | 17 +++++++++++-
>  vswitchd/vswitch.xml              |  4 ++-
>  3 files changed, 64 insertions(+), 2 deletions(-)
>
> diff --git a/Documentation/tutorials/ipsec.rst 
> b/Documentation/tutorials/ipsec.rst
> index b6cc1c3a8..00cdc5ec2 100644
> --- a/Documentation/tutorials/ipsec.rst
> +++ b/Documentation/tutorials/ipsec.rst
> @@ -303,6 +303,50 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 
> 2.2.2.2. Make sure
>     You should be able to see that ESP packets are being sent from `host_1` to
>     `host_2`.
>
> +Custom options
> +---------------
> +
> +Any parameter prefixed with `ipsec_` will be added to the connection profile.
> +For example::
> +
> +    # ovs-vsctl set interface tun options:ipsec_encapsulation=yes
> +
> +Will result in::
> +
> +    #  ovs-appctl -t ovs-monitor-ipsec tunnels/show
> +    Interface name: tun v7 (CONFIGURED)
> +    Tunnel Type:    vxlan
> +    Local IP:       192.0.0.1
> +    Remote IP:      192.0.0.2
> +    Address Family: IPv4
> +    SKB mark:       None
> +    Local cert:     None
> +    Local name:     None
> +    Local key:      None
> +    Remote cert:    None
> +    Remote name:    None
> +    CA cert:        None
> +    PSK:            swordfish
> +    Custom Options: {'encapsulation': 'yes'}
> +
> +And in the following connection profiles::
> +
> +    conn tun-in-7
> +        left=192.0.0.1
> +        right=192.0.0.2
> +        authby=secret
> +        encapsulation=yes
> +        leftprotoport=udp/4789
> +        rightprotoport=udp
> +
> +    conn tun-out-7
> +        left=192.0.0.1
> +        right=192.0.0.2
> +        authby=secret
> +        encapsulation=yes
> +        leftprotoport=udp
> +        rightprotoport=udp/4789
> +
>  Troubleshooting
>  ---------------
>
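Review bot: The new section says any `ipsec_`-prefixed parameter "will be added to the connection profile" but does not tell the reader that the key and value are copied into the conn block verbatim, with no validation; the commit message's point that administrators are responsible for picking valid key/value pairs belongs in this tutorial text as well, since a mistyped key may cause the IKE daemon to reject the generated connection. Suggest adding a sentence after the first paragraph, for example "Keys and values are not validated and are written to the connection profile as given", and noting that a custom key may duplicate a directive the monitor already emits (`left`, `right`, `authby`, `leftprotoport`, `rightprotoport` are all visible in the example below). Minor: the prompt in `#  ovs-appctl -t ovs-monitor-ipsec tunnels/show` has a stray double space compared with `# ovs-vsctl` above it.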
> @@ -329,6 +373,7 @@ For example::
>     Remote name:    None
>     CA cert:        None
>     PSK:            swordfish
> +   Custom Options: {}
>     Ofport:         1          <--- Whether ovs-vswitchd has assigned Ofport
>                                     number to this Tunnel Port
>     CFM state:      Up         <--- Whether CFM declared this tunnel healthy
> diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
> index a8b0705d9..e422b07bf 100755
> --- a/ipsec/ovs-monitor-ipsec.in
> +++ b/ipsec/ovs-monitor-ipsec.in
> @@ -313,6 +313,10 @@ conn prevent_unencrypted_vxlan
>                  tmpl = self.auth_tmpl["pki_ca"]
>                  auth_section = tmpl.substitute(tunnel.conf)
>
> +        if "custom_options" in tunnel.conf:
> +            for key, value in tunnel.conf["custom_options"].items():
> +                auth_section += "\n    " + key + "=" + value
> +
>          vals = tunnel.conf.copy()
>          vals["auth_section"] = auth_section
>          vals["version"] = tunnel.version
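Review bot: The line `auth_section += "\n    " + key + "=" + value` writes both strings into the generated configuration without checking them for line breaks or leading whitespace, so a value taken from the OVSDB `options` column that contains a newline would introduce additional directives (or start a new `conn` block) in the file rather than a single `key=value` line. Even with administrators responsible for choosing valid pairs, a minimal check here that skips any key or value containing whitespace or a newline and logs the offending key with the interface name would keep one bad option from corrupting the whole configuration that every tunnel depends on.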
> @@ -543,6 +547,10 @@ conn prevent_unencrypted_vxlan
>          if tunnel.conf["address_family"] == "IPv6":
>              auth_section = self.IPV6_CONN + auth_section
>
> +        if "custom_options" in tunnel.conf:
> +            for key, value in tunnel.conf["custom_options"].items():
> +                auth_section += "\n    " + key + "=" + value
> +
>          vals = tunnel.conf.copy()
>          vals["auth_section"] = auth_section
>          vals["version"] = tunnel.version
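Review bot: This four-line block is identical to the one added in the hunk at line 313 above; factoring the loop into a small shared helper (for example a function taking `tunnel.conf["custom_options"]` and returning the text to append) would keep the two backends from drifting apart if formatting or validation of custom options is later changed in only one of them.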
> @@ -819,6 +827,7 @@ class IPsecTunnel(object):
>    Remote name:    $remote_name
>    CA cert:        $ca_cert
>    PSK:            $psk
> +  Custom Options: $custom_options
>  """)
>
>      unixctl_status_tmpl = Template("""\
> @@ -862,7 +871,13 @@ class IPsecTunnel(object):
>              "remote_cert": remote_cert,
>              "remote_name": remote_name,
>              "local_name": monitor.conf["pki"]["local_name"],
> -            "psk": options.get("psk")}
> +            "psk": options.get("psk"),
> +            "custom_options": {}}
> +
> +        # add custom ipsec options to the connection
> +        for key, value in options.items():
> +            if key.startswith("ipsec_"):
> +                new_conf["custom_options"][key[len("ipsec_"):]] = value
>
>          if self.conf != new_conf:
>              # Configuration was updated in OVSDB.  Validate it and figure
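Review bot: `key[len("ipsec_"):]` yields an empty string for an option named exactly `ipsec_`, which then produces a bare `=value` line in the connection profile; suggest skipping empty keys with a warning. Nothing here stops a custom key from repeating a directive the templates already emit (`left`, `right`, `authby`, `leftprotoport`, `rightprotoport`), in which case whichever value the IKE daemon honours for a duplicated keyword silently wins; at minimum the precedence should be documented, and a short deny-list of the keys the monitor manages itself would be safer. Since `new_conf` takes part in the `self.conf != new_conf` comparison below, adding `custom_options` here correctly triggers a reconfiguration when only a custom option changes, which is good.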
> diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
> index 0c6632617..b124fee54 100644
> --- a/vswitchd/vswitch.xml
> +++ b/vswitchd/vswitch.xml
> @@ -1046,7 +1046,9 @@
>        <p>
>          These settings control the global configuration of IPsec tunnels.  
> The
>          <code>options</code> column of the <code>Interface</code> table
> -        configures IPsec for individual tunnels.
> +        configures IPsec for individual tunnels. The <code>options</code>
> +        column also allows for custom options prefixed with 
> <code>ipsec_</code>
> +        to be passed to the individual connections.
>        </p>
>        <p>
>          OVS IPsec supports the following three forms of authentication.
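Review bot: The added sentence should say that the `ipsec_` prefix is stripped and the remainder is written into the connection configuration as given, without validation, and point the reader to the new "Custom options" section of the IPsec tutorial; a user reading only the schema documentation otherwise has no indication that a mistyped option is passed straight through to the IKE daemon's configuration for that tunnel.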
> --
> 2.35.1
>
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
