[ovs-dev] can we talk!

2018-08-29 Thread Gavrilov, Esther


___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Re: [ovs-dev] [PATCH v3 6/6] system-dpdk: Connect network namespaces via dpdkvhostuser ports

2018-08-29 Thread Bala Sankaran
- Original Message -
> From: "Aaron Conole" 
> To: "Bala Sankaran" 
> Cc: "Tiago Lam" , d...@openvswitch.org
> Sent: Wednesday, 29 August, 2018 5:14:41 PM
> Subject: Re: [ovs-dev] [PATCH v3 6/6] system-dpdk: Connect network namespaces 
> via dpdkvhostuser ports
> 
> Bala Sankaran  writes:
> 
> > - Original Message -
> >> From: "Tiago Lam" 
> >> To: "Bala Sankaran" , d...@openvswitch.org
> >> Sent: Wednesday, 29 August, 2018 1:36:13 PM
> >> Subject: Re: [ovs-dev] [PATCH v3 6/6] system-dpdk: Connect network
> >> namespaces via dpdkvhostuser ports
> >> 
> >> Hi Bala,
> >> 
> >> Thanks to both you and Aaron for working on this. Seems to be a great
> >> addition.
> >> 
> >> As a general comment I agree with Ian that running everything on v17.11
> >> would be preferable, as this would enable us to run this test on any
> >> given system, and not only when v18.11 is installed. But after reading
> >> through your thread on the DPDK users list on the 2MB hugepages
> >> limitations around virtio_user, it seems this will have to be a
> >> dependency until OvS-DPDK moves to v18.11.
> > Hello Tiago,
> >
> > I agree, I did not happen to notice a workaround for this.
> >
> >> 
> >> On 28/08/2018 18:47, Bala Sankaran wrote:
> >> > This adds a new test to the 'check-dpdk' subsystem that will exercise
> >> > allocations, PMDs, and the vhost-user code path.
> >> > 
> >> > Signed-off-by: Bala Sankaran 
> >> > Co-authored-by: Aaron Conole 
> >> > Signed-off-by: Aaron Conole 
> >> > ---
> >> >  tests/system-dpdk.at | 77 
> >> >  1 file changed, 77 insertions(+)
> >> > 
> >> > diff --git a/tests/system-dpdk.at b/tests/system-dpdk.at
> >> > index 58dc8aaae..914a1b644 100644
> >> > --- a/tests/system-dpdk.at
> >> > +++ b/tests/system-dpdk.at
> >> > @@ -1,3 +1,6 @@
> >> > +m4_define([CONFIGURE_VETH_OFFLOADS],
> >> > +   [AT_CHECK([ethtool -K $1 tx off], [0], [ignore], [ignore])])
> >> > +
> >> >  AT_BANNER([OVS-DPDK unit tests])
> >> >  
> >> >  dnl
> >> >  
> >> > --
> >> > @@ -74,3 +77,77 @@ OVS_VSWITCHD_STOP(["\@does not exist. The Open
> >> > vSwitch
> >> > kernel module is probably
> >> >  \@EAL: No free hugepages reported in hugepages-1048576kB@d"])
> >> >  AT_CLEANUP
> >> >  dnl
> >> >  
> >> > --
> >> > +
> >> > +
> >> > +
> >> > +dnl
> >> > --
> >> > +dnl Ping vhost-user-client port
> >> > +AT_SETUP([OVS-DPDK datapath - ping vhost-user-client ports])
> 
> @bala:
> 
> This is wrong here.  These are vhost-user ports, not vhost-user-client ports.

Sorry about that, I will make the correction.
> 
> >> 
> >> Any reason why you're using vhost-user instead of vhost-user-client? If
> >> we change it to "type=dpdkvhostuserclient" in the vhu0 interface added
> >> to OvS and append ",server=1" to the net_virtio_user --vdev in the
> >> testpmd arguments, doesn't it just work the same?
> >
> > I believe I encountered an error while running the tests with vhost-user
> > client ports. That's when I switched over to vhost-user instead. I do not
> > remember the error at this moment, but now that you mentioned it, I am
> > thinking of adding another unit test that uses a vhost-user-client port,
> > which would give me the error and then skip to vhost-user instead.
> 
> I also don't remember which error we hit and whether it had anything to
> do with the type of port.  Maybe it makes sense to have both.  That way
> we cover both.  And if we ever completely remove the server mode ports,
> we can just drop the test as well (I like that it helps us also catch
> the cleanup error in that case).
> 
> >> 
> >> > +AT_KEYWORDS([dpdk])
> >> > +OVS_DPDK_PRE_CHECK()
> >> > +OVS_DPDK_START()
> >> > +
> >> > +dnl Add userspace bridge and attach it to OVS
> >> > +AT_CHECK([ovs-vsctl add-br br10 -- set bridge br10
> >> > datapath_type=netdev])
> >> > +AT_CHECK([ovs-vsctl add-port br10 vhu0 -- set Interface vhu0 \
> >> > +  type=dpdkvhostuser], [],
> >> > + [stdout], [stderr])
> >> > +AT_CHECK([ovs-vsctl show], [], [stdout])
> >> > +
> >> > +dnl Parse log file
> >> > +AT_CHECK([grep "VHOST_CONFIG: vhost-user server: socket created" \
> >> > +  ovs-vswitchd.log], [], [stdout])
> >> > +AT_CHECK([grep "Socket $OVS_RUNDIR/vhu0 created for vhost-user port
> >> > vhu0"
> >> > \
> >> > +  ovs-vswitchd.log], [], [stdout])
> >> > +AT_CHECK([grep "VHOST_CONFIG: bind to $OVS_RUNDIR/vhu0"
> >> > ovs-vswitchd.log],
> >> > [],
> >> > + [stdout])
> >> > +
> >> > +dnl Set up namespaces
> >> > +ADD_NAMESPACES(ns1, ns2)
> >> > +
> >> > +dnl execute testpmd in background
> >> > +on_exit "pkill -f -x -9 'tail -f /dev/null'"
> >> > +tail -f /dev/null | testpmd --socket-mem=512 \
> >> > +   --vdev="net_virtio_user,path=$OVS_RUNDIR/vhu0" \
> >> > +

Re: [ovs-dev] [PATCH v3 6/6] system-dpdk: Connect network namespaces via dpdkvhostuser ports

2018-08-29 Thread Aaron Conole
Bala Sankaran  writes:

> - Original Message -
>> From: "Tiago Lam" 
>> To: "Bala Sankaran" , d...@openvswitch.org
>> Sent: Wednesday, 29 August, 2018 1:36:13 PM
>> Subject: Re: [ovs-dev] [PATCH v3 6/6] system-dpdk: Connect network
>> namespaces via dpdkvhostuser ports
>> 
>> Hi Bala,
>> 
>> Thanks to both you and Aaron for working on this. Seems to be a great
>> addition.
>> 
>> As a general comment I agree with Ian that running everything on v17.11
>> would be preferable, as this would enable us to run this test on any
>> given system, and not only when v18.11 is installed. But after reading
>> through your thread on the DPDK users list on the 2MB hugepages
>> limitations around virtio_user, it seems this will have to be a
>> dependency until OvS-DPDK moves to v18.11.
> Hello Tiago,
>
> I agree, I did not happen to notice a workaround for this.
>
>> 
>> On 28/08/2018 18:47, Bala Sankaran wrote:
>> > This adds a new test to the 'check-dpdk' subsystem that will exercise
>> > allocations, PMDs, and the vhost-user code path.
>> > 
>> > Signed-off-by: Bala Sankaran 
>> > Co-authored-by: Aaron Conole 
>> > Signed-off-by: Aaron Conole 
>> > ---
>> >  tests/system-dpdk.at | 77 
>> >  1 file changed, 77 insertions(+)
>> > 
>> > diff --git a/tests/system-dpdk.at b/tests/system-dpdk.at
>> > index 58dc8aaae..914a1b644 100644
>> > --- a/tests/system-dpdk.at
>> > +++ b/tests/system-dpdk.at
>> > @@ -1,3 +1,6 @@
>> > +m4_define([CONFIGURE_VETH_OFFLOADS],
>> > +   [AT_CHECK([ethtool -K $1 tx off], [0], [ignore], [ignore])])
>> > +
>> >  AT_BANNER([OVS-DPDK unit tests])
>> >  
>> >  dnl
>> >  --
>> > @@ -74,3 +77,77 @@ OVS_VSWITCHD_STOP(["\@does not exist. The Open vSwitch
>> > kernel module is probably
>> >  \@EAL: No free hugepages reported in hugepages-1048576kB@d"])
>> >  AT_CLEANUP
>> >  dnl
>> >  --
>> > +
>> > +
>> > +
>> > +dnl
>> > --
>> > +dnl Ping vhost-user-client port
>> > +AT_SETUP([OVS-DPDK datapath - ping vhost-user-client ports])

@bala:

This is wrong here.  These are vhost-user ports, not vhost-user-client ports.

>> 
>> Any reason why you're using vhost-user instead of vhost-user-client? If
>> we change it to "type=dpdkvhostuserclient" in the vhu0 interface added
>> to OvS and append ",server=1" to the net_virtio_user --vdev in the
>> testpmd arguments, doesn't it just work the same?
>
> I believe I encountered an error while running the tests with vhost-user
> client ports. That's when I switched over to vhost-user instead. I do not
> remember the error at this moment, but now that you mentioned it, I am
> thinking of adding another unit test that uses a vhost-user-client port,
> which would give me the error and then skip to vhost-user instead.

I also don't remember which error we hit and whether it had anything to
do with the type of port.  Maybe it makes sense to have both.  That way
we cover both.  And if we ever completely remove the server mode ports,
we can just drop the test as well (I like that it helps us also catch
the cleanup error in that case).

>> 
>> > +AT_KEYWORDS([dpdk])
>> > +OVS_DPDK_PRE_CHECK()
>> > +OVS_DPDK_START()
>> > +
>> > +dnl Add userspace bridge and attach it to OVS
>> > +AT_CHECK([ovs-vsctl add-br br10 -- set bridge br10 datapath_type=netdev])
>> > +AT_CHECK([ovs-vsctl add-port br10 vhu0 -- set Interface vhu0 \
>> > +  type=dpdkvhostuser], [],
>> > + [stdout], [stderr])
>> > +AT_CHECK([ovs-vsctl show], [], [stdout])
>> > +
>> > +dnl Parse log file
>> > +AT_CHECK([grep "VHOST_CONFIG: vhost-user server: socket created" \
>> > +  ovs-vswitchd.log], [], [stdout])
>> > +AT_CHECK([grep "Socket $OVS_RUNDIR/vhu0 created for vhost-user port vhu0"
>> > \
>> > +  ovs-vswitchd.log], [], [stdout])
>> > +AT_CHECK([grep "VHOST_CONFIG: bind to $OVS_RUNDIR/vhu0" ovs-vswitchd.log],
>> > [],
>> > + [stdout])
>> > +
>> > +dnl Set up namespaces
>> > +ADD_NAMESPACES(ns1, ns2)
>> > +
>> > +dnl execute testpmd in background
>> > +on_exit "pkill -f -x -9 'tail -f /dev/null'"
>> > +tail -f /dev/null | testpmd --socket-mem=512 \
>> > +   --vdev="net_virtio_user,path=$OVS_RUNDIR/vhu0" \
>> > +   --vdev="net_tap0,iface=tap0" --file-prefix page0 \
>> > +   --single-file-segments -- -a >$OVS_RUNDIR/testpmd-vhu0.log 2>&1
>> > &
>> > +
>> 
>> I've seen your reply to Ian's comment on the $PATH environment variable
>> on v2; that could be enough if there wasn't a requirement for DPDK
>> v18.11 for the `testpmd` bin. So a separate environment variable will
>> be needed to guarantee we're executing the correct one (and not the
>> v17.11 that's currently linked with OvS, as an example). It would also
>> enable us to detect if the variable is set or not, and if
>> no

Re: [ovs-dev] [PATCH v3 6/6] system-dpdk: Connect network namespaces via dpdkvhostuser ports

2018-08-29 Thread Bala Sankaran



- Original Message -
> From: "Tiago Lam" 
> To: "Bala Sankaran" , d...@openvswitch.org
> Sent: Wednesday, 29 August, 2018 1:36:13 PM
> Subject: Re: [ovs-dev] [PATCH v3 6/6] system-dpdk: Connect network namespaces 
> via dpdkvhostuser ports
> 
> Hi Bala,
> 
> Thanks to both you and Aaron for working on this. Seems to be a great
> addition.
> 
> As a general comment I agree with Ian that running everything on v17.11
> would be preferable, as this would enable us to run this test on any
> given system, and not only when v18.11 is installed. But after reading
> through your thread on the DPDK users list on the 2MB hugepages
> limitations around virtio_user, it seems this will have to be a
> dependency until OvS-DPDK moves to v18.11.
Hello Tiago,

I agree, I did not happen to notice a workaround for this.

> 
> On 28/08/2018 18:47, Bala Sankaran wrote:
> > This adds a new test to the 'check-dpdk' subsystem that will exercise
> > allocations, PMDs, and the vhost-user code path.
> > 
> > Signed-off-by: Bala Sankaran 
> > Co-authored-by: Aaron Conole 
> > Signed-off-by: Aaron Conole 
> > ---
> >  tests/system-dpdk.at | 77 
> >  1 file changed, 77 insertions(+)
> > 
> > diff --git a/tests/system-dpdk.at b/tests/system-dpdk.at
> > index 58dc8aaae..914a1b644 100644
> > --- a/tests/system-dpdk.at
> > +++ b/tests/system-dpdk.at
> > @@ -1,3 +1,6 @@
> > +m4_define([CONFIGURE_VETH_OFFLOADS],
> > +   [AT_CHECK([ethtool -K $1 tx off], [0], [ignore], [ignore])])
> > +
> >  AT_BANNER([OVS-DPDK unit tests])
> >  
> >  dnl
> >  --
> > @@ -74,3 +77,77 @@ OVS_VSWITCHD_STOP(["\@does not exist. The Open vSwitch
> > kernel module is probably
> >  \@EAL: No free hugepages reported in hugepages-1048576kB@d"])
> >  AT_CLEANUP
> >  dnl
> >  --
> > +
> > +
> > +
> > +dnl
> > --
> > +dnl Ping vhost-user-client port
> > +AT_SETUP([OVS-DPDK datapath - ping vhost-user-client ports])
> 
> Any reason why you're using vhost-user instead of vhost-user-client? If
> we change it to "type=dpdkvhostuserclient" in the vhu0 interface added
> to OvS and append ",server=1" to the net_virtio_user --vdev in the
> testpmd arguments, doesn't it just work the same?

I believe I encountered an error while running the tests with vhost-user
client ports. That's when I switched over to vhost-user instead. I do not
remember the error at this moment, but now that you mentioned it, I am
thinking of adding another unit test that uses a vhost-user-client port,
which would give me the error and then skip to vhost-user instead.

> 
> > +AT_KEYWORDS([dpdk])
> > +OVS_DPDK_PRE_CHECK()
> > +OVS_DPDK_START()
> > +
> > +dnl Add userspace bridge and attach it to OVS
> > +AT_CHECK([ovs-vsctl add-br br10 -- set bridge br10 datapath_type=netdev])
> > +AT_CHECK([ovs-vsctl add-port br10 vhu0 -- set Interface vhu0 \
> > +  type=dpdkvhostuser], [],
> > + [stdout], [stderr])
> > +AT_CHECK([ovs-vsctl show], [], [stdout])
> > +
> > +dnl Parse log file
> > +AT_CHECK([grep "VHOST_CONFIG: vhost-user server: socket created" \
> > +  ovs-vswitchd.log], [], [stdout])
> > +AT_CHECK([grep "Socket $OVS_RUNDIR/vhu0 created for vhost-user port vhu0"
> > \
> > +  ovs-vswitchd.log], [], [stdout])
> > +AT_CHECK([grep "VHOST_CONFIG: bind to $OVS_RUNDIR/vhu0" ovs-vswitchd.log],
> > [],
> > + [stdout])
> > +
> > +dnl Set up namespaces
> > +ADD_NAMESPACES(ns1, ns2)
> > +
> > +dnl execute testpmd in background
> > +on_exit "pkill -f -x -9 'tail -f /dev/null'"
> > +tail -f /dev/null | testpmd --socket-mem=512 \
> > +   --vdev="net_virtio_user,path=$OVS_RUNDIR/vhu0" \
> > +   --vdev="net_tap0,iface=tap0" --file-prefix page0 \
> > +   --single-file-segments -- -a >$OVS_RUNDIR/testpmd-vhu0.log 2>&1
> > &
> > +
> 
> I've seen your reply to Ian's comment on the $PATH environment variable
> on v2; that could be enough if there wasn't a requirement for DPDK
> v18.11 for the `testpmd` bin. So a separate environment variable will
> be needed to guarantee we're executing the correct one (and not the
> v17.11 that's currently linked with OvS, as an example). It would also
> enable us to detect if the variable is set or not, and if not, skip the
> test altogether. At the moment the test will just fail if the binary
> doesn't exist.

I do not have complete familiarity on this note, I have copied Aaron along
in this email. I suppose that he would be able to comment on this.
 
> 
> 
> > +dnl add veth device
> > +ADD_VETH(tap1, ns2, br10, "172.31.110.12/24")
> 
> The ADD_VETH() macro skips the test if $1 already exists. It would be
> better to set up tap1 at the beginning, thus skipping the test if it
> can't be set up, and this way it wouldn't be starting the `testpmd`
> process

Re: [ovs-dev] [PATCH v5 2/6] ipsec: reintroduce IPsec support for tunneling

2018-08-29 Thread Ansis Atteka
On Sun, 19 Aug 2018 at 20:31, Qiuyu Xiao  wrote:
>
> On Mon, Aug 13, 2018 at 2:33 AM, Ansis Atteka  wrote:
> > On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao  wrote:
> >>
> >> This patch reintroduces ovs-monitor-ipsec daemon that
> >> was previously removed by commit 2b02d770 ("openvswitch:
> >> Allow external IPsec tunnel management.")
> >>
> >> After this patch, there are no IPsec flavored tunnels anymore.
> >> IPsec is enabled by setting up the right values in:
> >> 1. OVSDB:Interface:options column;
> >> 2. OVSDB:Open_vSwitch:other_config column;
> >> 3. OpenFlow pipeline.
> >>
> >> GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and
> >> StrongSwan IKE daemons are supported. User can choose pre-shared key,
> >> self-signed peer certificate, or CA-signed certificate as authentication
> >> method.
> > s/mehod/methods
> >>
> >> Signed-off-by: Qiuyu Xiao 
> >> Signed-off-by: Ansis Atteka 
> >> Co-authored-by: Ansis Atteka 
> >> ---
Sorry for responding so late. I was off for the last two weeks.
> >
> > I have two high level comments that we privately discussed earlier on 
> > Friday:
> > 1. the local_ip should be wildcardable. Otherwise, if routes change,
> > then packets may leak out unencrypted before local_ip gets
> > explicitly updated by administrator as well.
>
> I did some tests. The IP can be set as %defaultroute in LibreSwan so
> that no fixed IP is required. I will use this and avoid local_ip
> setting on the next revision.
Great to hear you figured this out.
>
> > 2. the strongSwan/Ubuntu and libreswan/Fedora compatibility issue due
> > to integrity check. I know that this could be strongswan or libreswan
> > bug, but perhaps we could use some alternate configuration that works?
> > Did you find one?
>
> I didn't find an alternate configuration that works. I might just send
> an email to the upstream mailing list.
ok

>
> > Other than that see small implementation details
> >
> >>  Makefile.am |1 +
> >>  ipsec/automake.mk   |   10 +
> >>  ipsec/ovs-monitor-ipsec | 1173 +++
> >>  3 files changed, 1184 insertions(+)
> >>  create mode 100644 ipsec/automake.mk
> >>  create mode 100755 ipsec/ovs-monitor-ipsec
> >>
> >> diff --git a/Makefile.am b/Makefile.am
> >> index 788972804..aeb2d108f 100644
> >> --- a/Makefile.am
> >> +++ b/Makefile.am
> >> @@ -481,6 +481,7 @@ include tests/automake.mk
> >>  include include/automake.mk
> >>  include third-party/automake.mk
> >>  include debian/automake.mk
> >> +include ipsec/automake.mk
> >>  include vswitchd/automake.mk
> >>  include ovsdb/automake.mk
> >>  include rhel/automake.mk
> >> diff --git a/ipsec/automake.mk b/ipsec/automake.mk
> >> new file mode 100644
> >> index 0..1e530cb42
> >> --- /dev/null
> >> +++ b/ipsec/automake.mk
> >> @@ -0,0 +1,10 @@
> >> +# Copyright (C) 2017 Nicira, Inc.
> >> +#
> >> +# Copying and distribution of this file, with or without modification,
> >> +# are permitted in any medium without royalty provided the copyright
> >> +# notice and this notice are preserved.  This file is offered as-is,
> >> +# without warranty of any kind.
> >> +
> >> +EXTRA_DIST += \
> >> +ipsec/ovs-monitor-ipsec
> >> +FLAKE8_PYFILES += ipsec/ovs-monitor-ipsec
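Review bot: the new ipsec/automake.mk only adds `ipsec/ovs-monitor-ipsec` to `EXTRA_DIST` and `FLAKE8_PYFILES`; no install rule appears in this hunk, so `make install` would ship nothing and the daemon would exist only in the tarball. If installation is intentionally left to the packaging patch (3/6), say so in the commit message; otherwise add the script to an install variable such as `bin_SCRIPTS`. The header also reads `Copyright (C) 2017` on a file created by a 2018 series; check the year.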
> >> diff --git a/ipsec/ovs-monitor-ipsec b/ipsec/ovs-monitor-ipsec
> >> new file mode 100755
> >> index 0..163b04004
> >> --- /dev/null
> >> +++ b/ipsec/ovs-monitor-ipsec
> >> @@ -0,0 +1,1173 @@
> >> +#!/usr/bin/env python
> >> +# Copyright (c) 2017 Nicira, Inc.
> >> +#
> >> +# Licensed under the Apache License, Version 2.0 (the "License");
> >> +# you may not use this file except in compliance with the License.
> >> +# You may obtain a copy of the License at:
> >> +#
> >> +# http://www.apache.org/licenses/LICENSE-2.0
> >> +#
> >> +# Unless required by applicable law or agreed to in writing, software
> >> +# distributed under the License is distributed on an "AS IS" BASIS,
> >> +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> >> +# See the License for the specific language governing permissions and
> >> +# limitations under the License.
> >> +
> >> +import argparse
> >> +import re
> >> +import subprocess
> >> +import sys
> >> +import copy
> >> +from string import Template
> >> +
> >> +import ovs.daemon
> >> +import ovs.db.idl
> >> +import ovs.dirs
> >> +import ovs.unixctl
> >> +import ovs.unixctl.server
> >> +import ovs.util
> >> +import ovs.vlog
> >> +
> >> +
> >> +FILE_HEADER = "# Generated by ovs-monitor-ipsec...do not modify by 
> >> hand!\n\n"
> >> +SHUNT_POLICY = """conn prevent_unencrypted_gre
> >> +type=drop
> >> +leftprotoport=gre
> >> +mark={0}
> >> +
> >> +conn prevent_unencrypted_geneve
> >> +type=drop
> >> +leftprotoport=udp/6081
> >> +mark={0}
> >> +
> >> +conn prevent_unencrypted_stt
> >> +type=drop
> >> +leftprotoport=tcp/7471
> >> +mark={0}
> >> +
> >> +conn prevent_unencrypted_vxlan
> >> +type=drop
> >> +leftproto
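Review bot: the module imports `Template` from `string`, yet `SHUNT_POLICY` is written with `str.format`-style `{0}` placeholders for `mark=`; using two substitution mechanisms on text that will carry IKE configuration values invites a `$` or `{` in a later value being expanded by the wrong one. Settle on one (or add a comment saying which conn templates use `Template` and why the shunt policy is different). The `#!/usr/bin/env python` shebang also pins no major version; since the script is being added to `FLAKE8_PYFILES`, note in the commit message which Python versions it is meant to run under.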

Re: [ovs-dev] [patch v2] datapath: Fix builds on older kernels.

2018-08-29 Thread Yifeng Sun
Thanks for the fix.

Tested-by: Yifeng Sun 

Reviewed-by: Yifeng Sun 

On Tue, Aug 28, 2018 at 7:54 PM Darrell Ball  wrote:

> On older kernels, for example 3.19, the function rt6_get_cookie() is
> not available and used with ipv6 config enabled;  it was introduced in
> 4.2.  Put back the replacement function if it does not exist.
> Add a 3.19 version to travis.
>
> CC: Yifeng Sun 
> Fixes: bf61b8b1c1db ("datapath: Add support for kernel 4.16.x & 4.17.x.")
> Signed-off-by: Darrell Ball 
> ---
>
> v1->v2: add 3.19 to travis per Yifeng's suggestion.
>
>  .travis.yml |  1 +
>  acinclude.m4|  5 
>  datapath/linux/Modules.mk   |  1 +
>  datapath/linux/compat/include/net/ip6_fib.h | 43
> +
>  4 files changed, 50 insertions(+)
>  create mode 100644 datapath/linux/compat/include/net/ip6_fib.h
>
> diff --git a/.travis.yml b/.travis.yml
> index 21447b5..a2ef8bd 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -41,6 +41,7 @@ env:
>- KERNEL=4.14.63
>- KERNEL=4.9.120
>- KERNEL=4.4.148
> +  - KERNEL=3.19.8
>- KERNEL=3.16.57
>- TESTSUITE=1 LIBS=-ljemalloc
>
> diff --git a/acinclude.m4 b/acinclude.m4
> index ab141bd..0690bae 100644
> --- a/acinclude.m4
> +++ b/acinclude.m4
> @@ -459,6 +459,9 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
>OVS_GREP_IFELSE([$KSRC/arch/x86/include/asm/checksum_32.h], [src_err,],
>[OVS_DEFINE([HAVE_CSUM_COPY_DBG])])
>
> +  OVS_GREP_IFELSE([$KSRC/include/net/ip6_fib.h], [rt6_get_cookie],
> +  [OVS_DEFINE([HAVE_RT6_GET_COOKIE])])
> +
>OVS_GREP_IFELSE([$KSRC/include/net/addrconf.h], [ipv6_dst_lookup.*net],
>[OVS_DEFINE([HAVE_IPV6_DST_LOOKUP_NET])])
>OVS_GREP_IFELSE([$KSRC/include/net/addrconf.h], [ipv6_stub])
> @@ -803,6 +806,8 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
>[OVS_DEFINE(HAVE_NF_CONNTRACK_HELPER_PUT)])
>
>  
> OVS_GREP_IFELSE([$KSRC/include/linux/skbuff.h],:space:]]]SKB_GSO_UDP[[[:space:,
>[OVS_DEFINE([HAVE_SKB_GSO_UDP])])
> +  OVS_GREP_IFELSE([$KSRC/include/net/dst.h],[DST_NOCACHE],
> +  [OVS_DEFINE([HAVE_DST_NOCACHE])])
>OVS_FIND_FIELD_IFELSE([$KSRC/include/net/rtnetlink.h], [rtnl_link_ops],
>  [extack],
>[OVS_DEFINE([HAVE_EXT_ACK_IN_RTNL_LINKOPS])])
> diff --git a/datapath/linux/Modules.mk b/datapath/linux/Modules.mk
> index b06ca15..e31d784 100644
> --- a/datapath/linux/Modules.mk
> +++ b/datapath/linux/Modules.mk
> @@ -82,6 +82,7 @@ openvswitch_headers += \
> linux/compat/include/net/inetpeer.h \
> linux/compat/include/net/ip.h \
> linux/compat/include/net/ip_tunnels.h \
> +linux/compat/include/net/ip6_fib.h \
> linux/compat/include/net/ip6_route.h \
> linux/compat/include/net/ip6_tunnel.h \
> linux/compat/include/net/ipv6.h \
> diff --git a/datapath/linux/compat/include/net/ip6_fib.h
> b/datapath/linux/compat/include/net/ip6_fib.h
> new file mode 100644
> index 000..0cc4358
> --- /dev/null
> +++ b/datapath/linux/compat/include/net/ip6_fib.h
> @@ -0,0 +1,43 @@
> +/*
> + *  Linux INET6 implementation
> + *
> + *  Authors:
> + *  Pedro Roque 
> + *
> + *  This program is free software; you can redistribute it and/or
> + *  modify it under the terms of the GNU General Public License
> + *  as published by the Free Software Foundation; either version
> + *  2 of the License, or (at your option) any later version.
> + */
> +
> +#ifndef _IP6_FIB_WRAPPER_H
> +#define _IP6_FIB_WRAPPER_H
> +
> +#include_next 
> +
> +#ifndef HAVE_RT6_GET_COOKIE
> +
> +#ifndef RTF_PCPU
> +#define RTF_PCPU0x4000
> +#endif
> +
> +#ifndef RTF_LOCAL
> +#define RTF_LOCAL   0x8000
> +#endif
> +
> +#define rt6_get_cookie rpl_rt6_get_cookie
> +static inline u32 rt6_get_cookie(const struct rt6_info *rt)
> +{
> +   if (rt->rt6i_flags & RTF_PCPU ||
> +#ifdef HAVE_DST_NOCACHE
> +   (unlikely(rt->dst.flags & DST_NOCACHE) && rt->dst.from))
> +#else
> +   (unlikely(!list_empty(&rt->rt6i_uncached)) && rt->dst.from))
> +#endif
> +   rt = (struct rt6_info *)(rt->dst.from);
> +
> +   return rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
> +}
> +#endif
> +
> +#endif
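Review bot: the `#include_next` line directly after `#define _IP6_FIB_WRAPPER_H` has no header name as quoted here (an angle-bracketed `<net/ip6_fib.h>` was presumably stripped in mail rendering); confirm the committed file actually reads `#include_next <net/ip6_fib.h>`, since without it `struct rt6_info` and `RTF_*` are undeclared when this wrapper is the first include. In `rpl_rt6_get_cookie` the `||`/`&&` condition is split across `#ifdef HAVE_DST_NOCACHE`, which makes operator precedence hard to read; wrapping each branch's `&&` expression in its own parentheses (as the `unlikely(...)` half already is) keeps both alternatives unambiguous. The local `RTF_PCPU 0x4000` fallback deserves a one-line comment too: on a kernel that never sets that flag the first test is intentionally dead, which is fine but looks like a mistake without the note.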
> --
> 1.9.1
>
>


Re: [ovs-dev] [PATCH v3 6/6] system-dpdk: Connect network namespaces via dpdkvhostuser ports

2018-08-29 Thread Lam, Tiago
Hi Bala,

Thanks to both you and Aaron for working on this. Seems to be a great
addition.

As a general comment I agree with Ian that running everything on v17.11
would be preferable, as this would enable us to run this test on any
given system, and not only when v18.11 is installed. But after reading
through your thread on the DPDK users list on the 2MB hugepages
limitations around virtio_user, it seems this will have to be a
dependency until OvS-DPDK moves to v18.11.

On 28/08/2018 18:47, Bala Sankaran wrote:
> This adds a new test to the 'check-dpdk' subsystem that will exercise
> allocations, PMDs, and the vhost-user code path.
> 
> Signed-off-by: Bala Sankaran 
> Co-authored-by: Aaron Conole 
> Signed-off-by: Aaron Conole 
> ---
>  tests/system-dpdk.at | 77 
>  1 file changed, 77 insertions(+)
> 
> diff --git a/tests/system-dpdk.at b/tests/system-dpdk.at
> index 58dc8aaae..914a1b644 100644
> --- a/tests/system-dpdk.at
> +++ b/tests/system-dpdk.at
> @@ -1,3 +1,6 @@
> +m4_define([CONFIGURE_VETH_OFFLOADS],
> +   [AT_CHECK([ethtool -K $1 tx off], [0], [ignore], [ignore])])
> +
>  AT_BANNER([OVS-DPDK unit tests])
>  
>  dnl 
> --
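Review bot: `CONFIGURE_VETH_OFFLOADS` is added at the very top of the file without a `dnl` comment saying what it is for, and nothing in this hunk invokes it. Add a short comment above the `m4_define` explaining why `tx` offloads are turned off on the veth (and which test calls it), so a reader does not have to grep for call sites; the required exit status `[0]` with both streams `[ignore]`d is fine as long as the failure path is understood to abort the test rather than skip it.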
> @@ -74,3 +77,77 @@ OVS_VSWITCHD_STOP(["\@does not exist. The Open vSwitch 
> kernel module is probably
>  \@EAL: No free hugepages reported in hugepages-1048576kB@d"])
>  AT_CLEANUP
>  dnl 
> --
> +
> +
> +
> +dnl 
> --
> +dnl Ping vhost-user-client port
> +AT_SETUP([OVS-DPDK datapath - ping vhost-user-client ports])

Any reason why you're using vhost-user instead of vhost-user-client? If
we change it to "type=dpdkvhostuserclient" in the vhu0 interface added
to OvS and append ",server=1" to the net_virtio_user --vdev in the
testpmd arguments, doesn't it just work the same?

> +AT_KEYWORDS([dpdk])
> +OVS_DPDK_PRE_CHECK()
> +OVS_DPDK_START()
> +
> +dnl Add userspace bridge and attach it to OVS
> +AT_CHECK([ovs-vsctl add-br br10 -- set bridge br10 datapath_type=netdev])
> +AT_CHECK([ovs-vsctl add-port br10 vhu0 -- set Interface vhu0 \
> +  type=dpdkvhostuser], [],
> + [stdout], [stderr])
> +AT_CHECK([ovs-vsctl show], [], [stdout])
> +
> +dnl Parse log file
> +AT_CHECK([grep "VHOST_CONFIG: vhost-user server: socket created" \
> +  ovs-vswitchd.log], [], [stdout])
> +AT_CHECK([grep "Socket $OVS_RUNDIR/vhu0 created for vhost-user port vhu0" \
> +  ovs-vswitchd.log], [], [stdout])
> +AT_CHECK([grep "VHOST_CONFIG: bind to $OVS_RUNDIR/vhu0" ovs-vswitchd.log], 
> [],
> + [stdout])
> +
> +dnl Set up namespaces
> +ADD_NAMESPACES(ns1, ns2)
> +
> +dnl execute testpmd in background
> +on_exit "pkill -f -x -9 'tail -f /dev/null'"
> +tail -f /dev/null | testpmd --socket-mem=512 \
> +   --vdev="net_virtio_user,path=$OVS_RUNDIR/vhu0" \
> +   --vdev="net_tap0,iface=tap0" --file-prefix page0 \
> +   --single-file-segments -- -a >$OVS_RUNDIR/testpmd-vhu0.log 2>&1 &
> +

I've seen your reply to Ian's comment on the $PATH environment variable
on v2; that could be enough if there wasn't a requirement for DPDK
v18.11 for the `testpmd` bin. So a separate environment variable will
be needed to guarantee we're executing the correct one (and not the
v17.11 that's currently linked with OvS, as an example). It would also
enable us to detect if the variable is set or not, and if not, skip the
test altogether. At the moment the test will just fail if the binary
doesn't exist.


> +dnl add veth device
> +ADD_VETH(tap1, ns2, br10, "172.31.110.12/24")

The ADD_VETH() macro skips the test if $1 already exists. It would be
better to set up tap1 at the beginning, thus skipping the test if it
can't be set up, and this way it wouldn't be starting the `testpmd`
process unnecessarily.

> +
> +dnl give settling time to the testpmd processes - NOTE: this is bad form.
> +sleep 10
> +
> +dnl move the tap devices to the namespaces
> +AT_CHECK([ps aux | grep testpmd], [], [stdout], [stderr])
> +AT_CHECK([ip link show], [], [stdout], [stderr])
> +AT_CHECK([ip link set tap0 netns ns1], [], [stdout], [stderr])
> +
> +AT_CHECK([ip netns exec ns1 ip link show], [], [stdout], [stderr])
> +AT_CHECK([ip netns exec ns1 ip link show | grep tap0], [], [stdout], 
> [stderr])
> +AT_CHECK([ip netns exec ns1 ip link set tap0 up], [], [stdout], [stderr])
> +AT_CHECK([ip netns exec ns1 ip addr add 172.31.110.11/24 dev tap0], [],
> + [stdout], [stderr])
> +
> +AT_CHECK([ip netns exec ns1 ip link show], [], [stdout], [stderr])
> +AT_CHECK([ip netns exec ns2 ip link show], [], [stdout], [stderr])
> +AT_CHECK([ip netns exec ns1 arping -c 4 -I tap0 172.31.110.12], [], [stdout],
> + [stderr])
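Review bot: `AT_CHECK([ps aux | grep testpmd], [], [stdout], [stderr])` cannot fail, because `grep` matches its own command line; it therefore never verifies that `testpmd` is still alive. Use `pgrep -x testpmd` or the `grep [[t]]estpmd` idiom. The `on_exit "pkill -f -x -9 'tail -f /dev/null'"` cleanup is also broader than the test: it kills every `tail -f /dev/null` on the host, not just the one started by this pipeline, which matters on a shared CI machine; recording the pipeline's pid (`$!`) and killing that is safer. And the `sleep 10` that the comment itself flags as bad form would be better as an `OVS_WAIT_UNTIL` on the testpmd log or on `ip link show tap0`, which is both faster and less flaky.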

Any specific requirement on arping? I for one didn't have it installed
on my system.


Tiago.

> +
> +dnl clean u

[ovs-dev] Software Engineering

2018-08-29 Thread Formación internacional

---
This email has been checked for viruses by AVG.
http://www.avg.com


Re: [ovs-dev] [PATCH v6 0/6] IPsec support for tunneling

2018-08-29 Thread Qiuyu Xiao
Two main issues remain to be resolved.

1) The GENEVE and VXLAN IPsec tunnel configuration don't work in
LibreSwan. I reported this bug to the LibreSwan mailing list, which is
confirmed by the maintainer.
(https://lists.libreswan.org/pipermail/swan/2018/002700.html).
2) In order to match XFRM policies in the kernel, L4 port information
needs to be added before route lookup. The upstream VXLAN kernel
module already had this patch since 4.10. The upstream GENEVE module
is not patched, so the GENEVE IPsec tunnel doesn't work in OVS.

Some other minor issues:
3) When a StrongSwan daemon interoperates with a LibreSwan daemon, the
IKE connection can be only initiated from LibreSwan to StrongSwan but
not the other way around.
4) In LibreSwan, the plaintext policy cannot be installed without
restarting the LibreSwan daemon. But restarting the daemon loses
existing IKE connections.

A quick solution to 1), 3), and 4) is using StrongSwan in Fedora. The
interface is a little bit different from StrongSwan in Debian, but
hopefully, these problems will go away.

Any feedback is welcome!

-Qiuyu

On Wed, Aug 29, 2018 at 10:14 AM Qiuyu Xiao  wrote:
>
> This patch series reintroduces IPsec support for OVS tunneling and enables
> OVN to
> use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are
> supported.
> StrongSwan and LibreSwan IKE daemons are supported.
>
> Changes from v1 to v2
> -
> 1. Merge the ovs-monitor-ipsec code to a single patch. Add LibreSwan IKE
> daemon support.
> 2. Add ovs-monitor-ipsec to flake8 check.
> 3. Use openssl to extract CN from certificate so that users don't need
> to
> specify the CN information in the configuration interface.
> 4. Improve documentations as suggested.
>
> Changes from v2 to v3
> -
> 1. Add scripts and rules to create ovs-ipsec RPM package.
> 2. Add Documentation/tutorials/ipsec.rst which gives a step-by-step OVS
> IPsec
> tutorial. Modify Documentation/howto/ipsec.rst which gives a detailed
> description on OVS IPsec configuration modes.
> 3. Modify ovs-pki to generate an x.509 version 3 certificate when
> self-signing.
> 4. IPsec tunnel interface needs 'local_ip' information. Modify
> ovn-controller
> to add 'local_ip' when IPsec is enabled.
> 5. Add a section on ovn/ovn-architecture.7.xml to introduce ovn IPsec.
>
> Changes from v3 to v4
> -
> 1. Split the datapath patch to three patches (geneve, vxlan, stt).
> 2. Add tutorial for OVN RBAC and OVN IPsec.
>
> Changes from v4 to v5
> -
> 1. Fix coding style issues in ovs-monitor-ipsec.
> 2. Improve IPsec and OVN-IPsec tutorials as suggested.
> 3. Change the description of setting skb_mark in documentation to
> reflect the
> real situation.
>
> Changes from v5 to v6
> -
> 1. Use wildcard IP address to match localhost IP in LibreSwan. Remove
> the 'local_ip' requirement when setting IPsec tunnel interface.
> 2. ovs-monitor-ipsec daemon accepts command line option to choose IKE
> daemon, either LibreSwan or StrongSwan. The init script chooses which
> IKE daemon to use. Currently, Debian init script chooses StrongSwan.
> Fedora init script chooses LibreSwan.
> 3. Check illegal name before removing a file in
> '_import_local_certs_and_key()'.
> 4. GRE IPsec tunnel was not activated properly when using LibreSwan. This
> version fixes it.
> 5. The plaintext policy syntax was wrong when using LibreSwan. This version
> corrects it.
> 6. Add comments and explanations about the 'remote_name'
> check in '_is_valid_tunnel_conf()'.
> 7. Replace 'ike_daemon_start()' with 'ike_daemon_restart()' to start IKE
> daemon.
>
> *** BLURB HERE ***
>
> Qiuyu Xiao (6):
>   datapath: add transport ports in route lookup for geneve
>   ipsec: reintroduce IPsec support for tunneling
>   debian and rhel: Create IPsec package.
>   Documentation: IPsec tunnel tutorial and documentation.
>   OVN: native support for tunnel encryption
>   Documentation: OVN RBAC and IPsec tutorial
>
>  Documentation/automake.mk  |4 +
>  Documentation/howto/index.rst  |1 +
>  Documentation/howto/ipsec.rst  |  194 
>  Documentation/index.rst|5 +-
>  Documentation/tutorials/index.rst  |3 +
>  Documentation/tutorials/ipsec.rst  |  347 ++
>  Documentation/tutorials/ovn-ipsec.rst  |  146 +++
>  Documentation/tutorials/ovn-rbac.rst   |  134 +++
>  Makefile.am|1 +
>  datapath/linux/compat/geneve.c |   29 +-
>  debian/automake.mk |3 +
>  debian/control |   21 +
>  debian/openvswitch-ipsec.dirs  |1 +
>  debian/openvswitch-ipsec.init  |  181 +++
>  debian/openvswitch-ipsec.install   |1 +
>  ipsec/automake.mk   

[ovs-dev] [PATCH v6 4/6] Documentation: IPsec tunnel tutorial and documentation.

2018-08-29 Thread Qiuyu Xiao
tutorials/index.rst gives a step-by-step guide to setting up an OVS IPsec
tunnel.

tutorials/ipsec.rst gives a detailed explanation of the IPsec tunnel
configuration methods and forwarding modes.

Signed-off-by: Qiuyu Xiao 
Signed-off-by: Ansis Atteka 
Co-authored-by: Ansis Atteka 
---
 Documentation/automake.mk |   2 +
 Documentation/howto/index.rst |   1 +
 Documentation/howto/ipsec.rst | 194 +
 Documentation/index.rst   |   3 +-
 Documentation/tutorials/index.rst |   1 +
 Documentation/tutorials/ipsec.rst | 347 ++
 vswitchd/vswitch.xml  | 156 -
 7 files changed, 694 insertions(+), 10 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 Documentation/tutorials/ipsec.rst

diff --git a/Documentation/automake.mk b/Documentation/automake.mk
index 244479490..5401b9bad 100644
--- a/Documentation/automake.mk
+++ b/Documentation/automake.mk
@@ -28,6 +28,7 @@ DOC_SOURCE = \
Documentation/tutorials/ovn-openstack.rst \
Documentation/tutorials/ovn-sandbox.rst \
Documentation/tutorials/ovs-conntrack.rst \
+   Documentation/tutorials/ipsec.rst \
Documentation/topics/index.rst \
Documentation/topics/bonding.rst \
Documentation/topics/idl-compound-indexes.rst \
@@ -60,6 +61,7 @@ DOC_SOURCE = \
Documentation/howto/docker.rst \
Documentation/howto/dpdk.rst \
Documentation/howto/firewalld.rst \
+   Documentation/howto/ipsec.rst \
Documentation/howto/kvm.rst \
Documentation/howto/libvirt.rst \
Documentation/howto/selinux.rst \
diff --git a/Documentation/howto/index.rst b/Documentation/howto/index.rst
index 201d6936b..9a3487be3 100644
--- a/Documentation/howto/index.rst
+++ b/Documentation/howto/index.rst
@@ -37,6 +37,7 @@ OVS
:maxdepth: 2
 
kvm
+   ipsec
selinux
libvirt
ssl
diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst
new file mode 100644
index 0..17153ac2b
--- /dev/null
+++ b/Documentation/howto/ipsec.rst
@@ -0,0 +1,194 @@
+..
+  Licensed under the Apache License, Version 2.0 (the "License"); you may
+  not use this file except in compliance with the License. You may obtain
+  a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+  License for the specific language governing permissions and limitations
+  under the License.
+
+  Convention for heading levels in Open vSwitch documentation:
+
+  ===  Heading 0 (reserved for the title in a document)
+  ---  Heading 1
+  ~~~  Heading 2
+  +++  Heading 3
+  '''  Heading 4
+
+  Avoid deeper levels because they do not render well.
+
+===
+Encrypt Open vSwitch Tunnels with IPsec
+===
+
+This document gives detailed description on the OVS IPsec tunnel and its
+configuration modes.  If you want to follow a step-by-step guide to run and
+test IPsec tunnel, please refer to :doc:`/tutorials/ipsec`.
+
+Overview
+
+
+Why do encryption?
+~~
+
+OVS tunnel packets are transported from one machine to another. Along the path,
+the packets are processed by physical routers and physical switches.  There are
+risks that these physical devices might read or write the contents of the
+tunnel packets. IPsec encrypts IP payload and prevents the malicious party
+sniffing or manipulating the tunnel traffic.
+
+OVS IPsec
+~
+
+OVS IPsec aims to provide a simple interface for user to add encryption on OVS
+tunnels. It supports GRE, GENEVE, VXLAN, and STT tunnel. The IPsec
+configuration is done by setting options of the tunnel interface and
+other_config of Open_vSwitch. You can choose different authentication methods
+and plaintext tunnel policies based on your requirements.
+
+OVS does not currently provide any support for IPsec encryption for traffic not
+encapsulated in a tunnel.
+
+Configuration
+-
+
+Authentication Methods
+~~
+
+Hosts of the IPsec tunnel need to authenticate each other to build a secure
+channel. There are three authentication methods:
+
+1) You can use a pre-shared key (PSK) to do authentication. In both hosts, set
+   the same PSK value. This PSK is like your password. You should never reveal
+   it to untrusted parties. This method is easier to use but less secure than
+   the certificate-based methods::
+
+  $ ovs-vsctl add-port br0 ipsec_gre0 -- \
+  set interface ipsec_gre0 type=gre \
+ options:remote_ip=2.2.2.2 \
+ options:psk=swordfish
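Review bot: the PSK example (`options:psk=swordfish`) needs a warning that the key is stored in clear in the Interface record of the OVSDB, so anyone who can run `ovs-vsctl get Interface ipsec_gre0 options:psk` or otherwise read the database learns it, and the text should recommend a long random value rather than a dictionary word, since under this method the PSK is the only thing authenticating the two hosts. The "less secure than the certificate-based methods" sentence would be more useful if it said why: a PSK has to be copied to every host that uses it, whereas a private key never leaves the host it belongs to.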

[ovs-dev] [PATCH v6 6/6] Documentation: OVN RBAC and IPsec tutorial

2018-08-29 Thread Qiuyu Xiao
This patch adds a step-by-step guide for configuring OVN Role-Based Access
Control and IPsec.

Signed-off-by: Qiuyu Xiao 
---
 Documentation/automake.mk |   2 +
 Documentation/index.rst   |   4 +-
 Documentation/tutorials/index.rst |   2 +
 Documentation/tutorials/ovn-ipsec.rst | 146 ++
 Documentation/tutorials/ovn-rbac.rst  | 134 +++
 5 files changed, 287 insertions(+), 1 deletion(-)
 create mode 100644 Documentation/tutorials/ovn-ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-rbac.rst

diff --git a/Documentation/automake.mk b/Documentation/automake.mk
index 5401b9bad..082438e09 100644
--- a/Documentation/automake.mk
+++ b/Documentation/automake.mk
@@ -29,6 +29,8 @@ DOC_SOURCE = \
Documentation/tutorials/ovn-sandbox.rst \
Documentation/tutorials/ovs-conntrack.rst \
Documentation/tutorials/ipsec.rst \
+   Documentation/tutorials/ovn-ipsec.rst \
+   Documentation/tutorials/ovn-rbac.rst \
Documentation/topics/index.rst \
Documentation/topics/bonding.rst \
Documentation/topics/idl-compound-indexes.rst \
diff --git a/Documentation/index.rst b/Documentation/index.rst
index bab5ba1f1..46261235c 100644
--- a/Documentation/index.rst
+++ b/Documentation/index.rst
@@ -66,7 +66,9 @@ vSwitch? Start here.
   :doc:`tutorials/ovn-sandbox` |
   :doc:`tutorials/ovn-openstack` |
   :doc:`tutorials/ovs-conntrack` |
-  :doc:`tutorials/ipsec`
+  :doc:`tutorials/ipsec` |
+  :doc:`tutorials/ovn-ipsec` |
+  :doc:`tutorials/ovn-rbac`
 
 Deeper Dive
 ---
diff --git a/Documentation/tutorials/index.rst 
b/Documentation/tutorials/index.rst
index b481090a0..35340ee56 100644
--- a/Documentation/tutorials/index.rst
+++ b/Documentation/tutorials/index.rst
@@ -44,4 +44,6 @@ vSwitch.
ovs-advanced
ovn-sandbox
ovn-openstack
+   ovn-rbac
+   ovn-ipsec
ovs-conntrack
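Review bot: the two indexes disagree on order. This toctree puts ovn-rbac and ovn-ipsec before ovs-conntrack, while the Documentation/index.rst hunk in this patch lists them after ipsec, which itself comes after ovs-conntrack. Pick one order (the index.rst one, ovs-conntrack, ipsec, ovn-ipsec, ovn-rbac, groups the IPsec material together) and use it in both files.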
diff --git a/Documentation/tutorials/ovn-ipsec.rst 
b/Documentation/tutorials/ovn-ipsec.rst
new file mode 100644
index 0..feb695ea3
--- /dev/null
+++ b/Documentation/tutorials/ovn-ipsec.rst
@@ -0,0 +1,146 @@
+..
+  Licensed under the Apache License, Version 2.0 (the "License"); you may
+  not use this file except in compliance with the License. You may obtain
+  a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+  License for the specific language governing permissions and limitations
+  under the License.
+
+  Convention for heading levels in Open vSwitch documentation:
+
+  ===  Heading 0 (reserved for the title in a document)
+  ---  Heading 1
+  ~~~  Heading 2
+  +++  Heading 3
+  '''  Heading 4
+
+  Avoid deeper levels because they do not render well.
+
+==
+OVN IPsec Tutorial
+==
+
+This document provides a step-by-step guide for encrypting tunnel traffic with
+IPsec in Open Virtual Network (OVN). OVN tunnel traffic is transported by
+physical routers and switches. These physical devices could be untrusted
+(devices in public network) or might be compromised.  Enabling IPsec encryption
+for the tunnel traffic can prevent the traffic data from being monitored and
+manipulated. More details about the OVN IPsec design can be found in
+``ovn-architecture``\(7) manpage.
+
+This document assumes OVN is installed in your system and runs normally. Also,
+you need to install OVS IPsec packages in each chassis (refer to
+:ref:`install-ovs-ipsec`).
+
+Generating Certificates and Keys
+
+
+OVN chassis uses CA-signed certificate to authenticate peer chassis for
+building IPsec tunnel. If you have enabled Role-Based Access Control (RBAC) in
+OVN, you can use the RBAC SSL certificates and keys to set up OVN IPsec. Or you
+can generate separate certificates and keys with ``ovs-pki`` (refer to
+:ref:`gen-certs-keys`).
+
+.. note::
+
+   OVN IPsec requires x.509 version 3 certificate with the subjectAltName DNS
+   field setting the same string as the common name (CN) field. CN should be
+   set as the chassis name.  ``ovs-pki`` in Open vSwitch 2.10.90 and later
+   generates such certificates.  Please generate compatible certificates if you
+   use another PKI tool, or an older version of ``ovs-pki``, to manage
+   certificates.
+
+Configuring OVN IPsec
+-
+
+You need to install the CA certificate, chassis certificate and private key in
+each chassis. Use the following command::
+
+$ ovs-vsctl set Open_vSwitch . \
+other_config:certificate=/path/to/chassis-cert.pem \
+other_config:private_key=/path/to/chassis-privkey.pem \
+other_config:ca_cert=/path/to/cacert
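Review bot: the "Generating Certificates and Keys" section offers reusing the RBAC SSL certificates, but the note right below it requires the CN (and the subjectAltName DNS entry) to be the chassis name; say explicitly that reuse only works if the RBAC certificates were issued that way, and give the reader a check before they install them, e.g. `openssl x509 -in /path/to/chassis-cert.pem -noout -subject -text` and compare the subject CN with `ovs-vsctl get Open_vSwitch . external_ids:system-id`. For the `other_config:private_key=` step, add that the key file must be readable only by root, since ovs-monitor-ipsec imports it into the IKE daemon and anything that can read it can impersonate the chassis. Also, `/path/to/cacert` lacks the `.pem` suffix the other two paths use; make the three consistent.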

[ovs-dev] [PATCH v6 2/6] ipsec: reintroduce IPsec support for tunneling

2018-08-29 Thread Qiuyu Xiao
This patch reintroduces the ovs-monitor-ipsec daemon that
was previously removed by commit 2b02d770 ("openvswitch:
Allow external IPsec tunnel management.")

After this patch, there are no IPsec-flavored tunnels anymore.
IPsec is enabled by setting up the right values in:
1. OVSDB:Interface:options column;
2. OVSDB:Open_vSwitch:other_config column;
3. OpenFlow pipeline.

GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and
StrongSwan IKE daemons are supported. Users can choose a pre-shared key,
a self-signed peer certificate, or a CA-signed certificate as the
authentication method.

Signed-off-by: Qiuyu Xiao 
Signed-off-by: Ansis Atteka 
Co-authored-by: Ansis Atteka 
---
 Makefile.am |1 +
 ipsec/automake.mk   |   10 +
 ipsec/ovs-monitor-ipsec | 1211 +++
 3 files changed, 1222 insertions(+)
 create mode 100644 ipsec/automake.mk
 create mode 100755 ipsec/ovs-monitor-ipsec

diff --git a/Makefile.am b/Makefile.am
index ff472ad81..64725654c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -482,6 +482,7 @@ include tests/automake.mk
 include include/automake.mk
 include third-party/automake.mk
 include debian/automake.mk
+include ipsec/automake.mk
 include vswitchd/automake.mk
 include ovsdb/automake.mk
 include rhel/automake.mk
diff --git a/ipsec/automake.mk b/ipsec/automake.mk
new file mode 100644
index 0..1e530cb42
--- /dev/null
+++ b/ipsec/automake.mk
@@ -0,0 +1,10 @@
+# Copyright (C) 2017 Nicira, Inc.
+#
+# Copying and distribution of this file, with or without modification,
+# are permitted in any medium without royalty provided the copyright
+# notice and this notice are preserved.  This file is offered as-is,
+# without warranty of any kind.
+
+EXTRA_DIST += \
+ipsec/ovs-monitor-ipsec
+FLAKE8_PYFILES += ipsec/ovs-monitor-ipsec
diff --git a/ipsec/ovs-monitor-ipsec b/ipsec/ovs-monitor-ipsec
new file mode 100755
index 0..dfe412dbb
--- /dev/null
+++ b/ipsec/ovs-monitor-ipsec
@@ -0,0 +1,1211 @@
+#!/usr/bin/env python
+# Copyright (c) 2017 Nicira, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import re
+import subprocess
+import sys
+import copy
+import os
+from string import Template
+
+import ovs.daemon
+import ovs.db.idl
+import ovs.dirs
+import ovs.unixctl
+import ovs.unixctl.server
+import ovs.util
+import ovs.vlog
+
+
+FILE_HEADER = "# Generated by ovs-monitor-ipsec...do not modify by hand!\n\n"
+transp_tmpl = {"gre": Template("""\
+conn $ifname-$version
+$auth_section
+leftprotoport=gre
+rightprotoport=gre
+
+"""), "gre64": Template("""\
+conn $ifname-$version
+$auth_section
+leftprotoport=gre
+rightprotoport=gre
+
+"""), "geneve": Template("""\
+conn $ifname-in-$version
+$auth_section
+leftprotoport=udp/6081
+rightprotoport=udp
+
+conn $ifname-out-$version
+$auth_section
+leftprotoport=udp
+rightprotoport=udp/6081
+
+"""), "stt": Template("""\
+conn $ifname-in-$version
+$auth_section
+leftprotoport=tcp/7471
+rightprotoport=tcp
+
+conn $ifname-out-$version
+$auth_section
+leftprotoport=tcp
+rightprotoport=tcp/7471
+
+"""), "vxlan": Template("""\
+conn $ifname-in-$version
+$auth_section
+leftprotoport=udp/4789
+rightprotoport=udp
+
+conn $ifname-out-$version
+$auth_section
+leftprotoport=udp
+rightprotoport=udp/4789
+
+""")}
+vlog = ovs.vlog.Vlog("ovs-monitor-ipsec")
+exiting = False
+monitor = None
+xfrm = None
+
+class XFRM(object):
+"""This class is a simple wrapper around ip-xfrm (8) command line
+utility.  We are using this class only for informational purposes
+so that ovs-monitor-ipsec could verify that IKE keying daemon has
+installed IPsec policies and security associations into kernel as
+expected."""
+
+def __init__(self, ip_root_prefix):
+self.IP = ip_root_prefix + "/sbin/ip"
+
+def get_policies(self):
+"""This function returns IPsec policies (from kernel) in a dictionary
+where  is destination IPv4 address and  is SELECTOR of
+the IPsec policy."""
+policies = {}
+proc = subprocess.Popen([self.IP, 'xfrm', 'policy'],
+stdout=subprocess.PIPE)
+while True:
+line = proc.stdout.readline().strip()
+if line == '':
+break
+a = line.split(" ")
+if len(a) >= 4 and a[0] == "src" and a[2] == "dst":
+dst = (a[3].split("/"))[0]
+

[ovs-dev] [PATCH v6 5/6] OVN: native support for tunnel encryption

2018-08-29 Thread Qiuyu Xiao
This patch adds IPsec support for OVN tunnels. Basically, OVN offers a
binary option to its users for encryption configuration. If the IPsec
option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
will be encrypted.

The changes are summarized below:
1) Added an ipsec column to the NB_Global table and the SB_Global table. The
value of the ipsec column is propagated by ovn-northd from NB_Global to
SB_Global.

2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
value is true, ovn-controller sets options of the tunnel interface by
specifying "options:remote_name=". If the ipsec
value is false, ovn-controller removes these options.

3) The ovs-monitor-ipsec daemon
(https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
monitors the tunnel interface options and configures the IKE daemon
accordingly for IPsec encryption.

Signed-off-by: Qiuyu Xiao 
---
 ovn/controller/encaps.c | 14 ++
 ovn/controller/encaps.h |  6 +-
 ovn/controller/ovn-controller.c |  3 ++-
 ovn/northd/ovn-northd.c |  8 ++--
 ovn/ovn-architecture.7.xml  | 39 +++
 ovn/ovn-nb.ovsschema|  7 ---
 ovn/ovn-nb.xml  |  6 ++
 ovn/ovn-sb.ovsschema|  7 ---
 ovn/ovn-sb.xml  |  6 ++
 9 files changed, 82 insertions(+), 14 deletions(-)

diff --git a/ovn/controller/encaps.c b/ovn/controller/encaps.c
index fde017586..0495b25c2 100644
--- a/ovn/controller/encaps.c
+++ b/ovn/controller/encaps.c
@@ -79,8 +79,8 @@ tunnel_create_name(struct tunnel_ctx *tc, const char 
*chassis_id)
 }
 
 static void
-tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id,
-   const struct sbrec_encap *encap)
+tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg,
+   const char *new_chassis_id, const struct sbrec_encap *encap)
 {
 struct smap options = SMAP_INITIALIZER(&options);
 smap_add(&options, "remote_ip", encap->ip);
@@ -90,6 +90,11 @@ tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id,
 smap_add(&options, "csum", csum);
 }
 
+/* Add auth info if ipsec is enabled. */
+if (sbg->ipsec) {
+smap_add(&options, "remote_name", new_chassis_id);
+}
+
 /* If there's an existing chassis record that does not need any change,
  * keep it.  Otherwise, create a new record (if there was an existing
  * record, the new record will supplant it and encaps_run() will delete
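Review bot: `if (sbg->ipsec)` dereferences `sbg` without a NULL check, and the caller added in ovn-controller.c passes `sbrec_sb_global_first(ovnsb_idl_loop.idl)`, which returns NULL while the SB_Global table has no row (for example before ovn-northd has populated the southbound database, or during reconnects), so ovn-controller would crash on the first encaps_run() in that window. Guard it with `if (sbg && sbg->ipsec)` here, or return early from encaps_run() when `sbg` is NULL, and decide which behaviour you want in that case (treating "unknown" as "not encrypted" silently creates plaintext tunnels, so a VLOG_WARN_RL would be appropriate).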
@@ -157,7 +162,8 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn,
const struct ovsrec_bridge_table *bridge_table,
const struct ovsrec_bridge *br_int,
const struct sbrec_chassis_table *chassis_table,
-   const char *chassis_id)
+   const char *chassis_id,
+   const struct sbrec_sb_global *sbg)
 {
 if (!ovs_idl_txn || !br_int) {
 return;
@@ -209,7 +215,7 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn,
 VLOG_INFO("No supported encaps for '%s'", chassis_rec->name);
 continue;
 }
-tunnel_add(&tc, chassis_rec->name, encap);
+tunnel_add(&tc, sbg, chassis_rec->name, encap);
 }
 }
 
diff --git a/ovn/controller/encaps.h b/ovn/controller/encaps.h
index 054bdfa78..3e0e110ef 100644
--- a/ovn/controller/encaps.h
+++ b/ovn/controller/encaps.h
@@ -23,13 +23,17 @@ struct ovsdb_idl_txn;
 struct ovsrec_bridge;
 struct ovsrec_bridge_table;
 struct sbrec_chassis_table;
+struct sbrec_sb_global;
+struct ovsrec_open_vswitch_table;
 
 void encaps_register_ovs_idl(struct ovsdb_idl *);
 void encaps_run(struct ovsdb_idl_txn *ovs_idl_txn,
 const struct ovsrec_bridge_table *,
 const struct ovsrec_bridge *br_int,
 const struct sbrec_chassis_table *,
-const char *chassis_id);
+const char *chassis_id,
+const struct sbrec_sb_global *);
+
 bool encaps_cleanup(struct ovsdb_idl_txn *ovs_idl_txn,
 const struct ovsrec_bridge *br_int);
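Review bot: the added forward declaration `struct ovsrec_open_vswitch_table;` is not used by anything in this header; the only new parameter is `const struct sbrec_sb_global *`. Drop it unless a later patch in the series needs it.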
 
diff --git a/ovn/controller/ovn-controller.c b/ovn/controller/ovn-controller.c
index 85921a03a..759b9da42 100644
--- a/ovn/controller/ovn-controller.c
+++ b/ovn/controller/ovn-controller.c
@@ -702,7 +702,8 @@ main(int argc, char *argv[])
   chassis_id, br_int);
 encaps_run(ovs_idl_txn,
ovsrec_bridge_table_get(ovs_idl_loop.idl), br_int,
-   sbrec_chassis_table_get(ovnsb_idl_loop.idl), 
chassis_id);
+   sbrec_chassis_table_get(ovnsb_idl_loop.idl), chassis_id,
+   sbrec_sb_global_first(ovnsb_idl_loop.idl));
 bfd_calculate_active_tunnels(br_int, &active_tunnels);
 binding_run(ovnsb_idl_txn, ovs_idl_txn, sbrec_chassis_by_name,
 sbrec_datapath_binding_by_key,
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd

[ovs-dev] [PATCH v6 3/6] debian and rhel: Create IPsec package.

2018-08-29 Thread Qiuyu Xiao
Added rules and files to create debian and rpm ovs-ipsec packages.

Signed-off-by: Qiuyu Xiao 
Signed-off-by: Ansis Atteka 
Co-authored-by: Ansis Atteka 
---
 debian/automake.mk |   3 +
 debian/control |  21 +++
 debian/openvswitch-ipsec.dirs  |   1 +
 debian/openvswitch-ipsec.init  | 181 +
 debian/openvswitch-ipsec.install   |   1 +
 rhel/automake.mk   |   1 +
 rhel/openvswitch-fedora.spec.in|  19 ++-
 ...sr_lib_systemd_system_openvswitch-ipsec.service |  13 ++
 utilities/ovs-ctl.in   |  27 +++
 9 files changed, 266 insertions(+), 1 deletion(-)
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service

diff --git a/debian/automake.mk b/debian/automake.mk
index 4d8e204bb..8a8d43c9f 100644
--- a/debian/automake.mk
+++ b/debian/automake.mk
@@ -20,6 +20,9 @@ EXTRA_DIST += \
debian/openvswitch-datapath-source.copyright \
debian/openvswitch-datapath-source.dirs \
debian/openvswitch-datapath-source.install \
+   debian/openvswitch-ipsec.dirs \
+   debian/openvswitch-ipsec.init \
+   debian/openvswitch-ipsec.install \
debian/openvswitch-pki.dirs \
debian/openvswitch-pki.postinst \
debian/openvswitch-pki.postrm \
diff --git a/debian/control b/debian/control
index 9ae248f27..cde93f20e 100644
--- a/debian/control
+++ b/debian/control
@@ -322,3 +322,24 @@ Description: Open vSwitch development package
  1000V.
  .
  This package provides openvswitch headers and libopenvswitch for developers.
+
+Package: openvswitch-ipsec
+Architecture: linux-any
+Depends: iproute2,
+ openvswitch-common (= ${binary:Version}),
+ openvswitch-switch (= ${binary:Version}),
+ python,
+ python-openvswitch (= ${source:Version}),
+ strongswan,
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: Open vSwitch IPsec tunneling support
+ Open vSwitch is a production quality, multilayer, software-based,
+ Ethernet virtual switch. It is designed to enable massive network
+ automation through programmatic extension, while still supporting
+ standard management interfaces and protocols (e.g. NetFlow, IPFIX,
+ sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed
+ to support distribution across multiple physical servers similar to
+ VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
+ .
+ This package provides IPsec tunneling support for OVS tunnels.
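Review bot: `Depends: ... strongswan` hard-wires one IKE daemon even though the 2/6 commit message says ovs-monitor-ipsec supports both LibreSwan and StrongSwan and the cover letter says the init script picks one per distribution. If the Debian init script always selects StrongSwan, say so in the package Description so that a LibreSwan user knows the package will not work for them; otherwise `strongswan | libreswan` with the script detecting which one is installed would be more flexible. Also `python` and `python-openvswitch` pin the daemon to Python 2, which is consistent with `#!/usr/bin/env python` in 2/6 but worth a comment given the `readline()` bytes issue there.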
diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs
new file mode 100644
index 0..fca44aa7b
--- /dev/null
+++ b/debian/openvswitch-ipsec.dirs
@@ -0,0 +1 @@
+usr/share/openvswitch/scripts
\ No newline at end of file
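Review bot: the new file lacks a trailing newline (`\ No newline at end of file`); add one.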
diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
new file mode 100644
index 0..aa6838454
--- /dev/null
+++ b/debian/openvswitch-ipsec.init
@@ -0,0 +1,181 @@
+#!/bin/sh
+#
+# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino 
+#
+# This is free software; you may redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2,
+# or (at your option) any later version.
+#
+# This is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License with
+# the Debian operating system, in /usr/share/common-licenses/GPL;  if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+#
+### BEGIN INIT INFO
+# Provides:  openvswitch-ipsec
+# Required-Start:$network $local_fs $remote_fs openvswitch-switch
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop:  0 1 6
+# Short-Description: Open vSwitch GRE-over-IPsec daemon
+# Description:   The ovs-monitor-ipsec script provides support for
+#encrypting GRE tunnels with IPsec.
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location
+NAME=ovs-monitor-ipsec  # Introduce the short server's name here
+LOGDIR=/var/log/openvswitch # Log directory to use
+DATADIR=/usr/share/openvswitch
+
+PIDFILE=/var/run/openvswitch/$NAME.pid
+
+test -x $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+DODTIME=10  # Time to wait for the server to die, in seconds
+# If this value is set too low you might
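Review bot: the LSB header is stale. `Short-Description: Open vSwitch GRE-over-IPsec daemon` and `Description: ... encrypting GRE tunnels with IPsec` describe the old GRE-only feature, while this series (per the 2/6 commit message) covers GRE, VXLAN, GENEVE and STT tunnels; update both lines. The 2007/2009 copyright and GPL header are evidently from the Debian init-script template; if that is intended, a one-line comment saying so would save the next reader from wondering why a GPL file sits in an Apache-licensed tree.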

[ovs-dev] [PATCH v6 1/6] datapath: add transport ports in route lookup for geneve

2018-08-29 Thread Qiuyu Xiao
This patch adds transport port information to the route lookup so that
IPsec can select Geneve tunnel traffic for encryption.

Signed-off-by: Qiuyu Xiao 
Reviewed-by: Greg Rose 
Tested-by: Greg Rose 
---
 datapath/linux/compat/geneve.c | 29 +++--
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/datapath/linux/compat/geneve.c b/datapath/linux/compat/geneve.c
index 4ccf7e34f..77632ae11 100644
--- a/datapath/linux/compat/geneve.c
+++ b/datapath/linux/compat/geneve.c
@@ -852,7 +852,8 @@ free_dst:
 static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
   struct net_device *dev,
   struct flowi4 *fl4,
-  struct ip_tunnel_info *info)
+  struct ip_tunnel_info *info,
+  __be16 dport, __be16 sport)
 {
bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
struct geneve_dev *geneve = netdev_priv(dev);
@@ -866,6 +867,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
memset(fl4, 0, sizeof(*fl4));
fl4->flowi4_mark = skb->mark;
fl4->flowi4_proto = IPPROTO_UDP;
+   fl4->fl4_dport = dport;
+   fl4->fl4_sport = sport;
 
if (info) {
fl4->daddr = info->key.u.ipv4.dst;
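Review bot: neither the commit message nor a comment says why `fl4->fl4_dport` and `fl4->fl4_sport` have to be in the flow key. The transport-mode policies ovs-monitor-ipsec installs (2/6) select on `udp/6081`, and the XFRM policy lookup happens as part of the route lookup, so a flow key without ports would not match the policy and the Geneve packets would leave the host unencrypted; please spell that out in the commit message, since it is the whole point of the patch. It is also worth noting that `fl4_sport` is the hashed ephemeral port from `udp_flow_src_port()`, which is why the template leaves the source port wildcarded on one side (`rightprotoport=udp`).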
@@ -911,7 +914,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
 static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
   struct net_device *dev,
   struct flowi6 *fl6,
-  struct ip_tunnel_info *info)
+  struct ip_tunnel_info *info,
+ __be16 dport, __be16 sport)
 {
bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
struct geneve_dev *geneve = netdev_priv(dev);
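Review bot: style nit in the signature: the added `__be16 dport, __be16 sport)` line is indented one column less than `struct ip_tunnel_info *info,` above it, unlike the IPv4 counterpart earlier in the patch where the two line up.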
@@ -927,6 +931,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff 
*skb,
memset(fl6, 0, sizeof(*fl6));
fl6->flowi6_mark = skb->mark;
fl6->flowi6_proto = IPPROTO_UDP;
+   fl6->fl6_dport = dport;
+   fl6->fl6_sport = sport;
 
if (info) {
fl6->daddr = info->key.u.ipv6.dst;
@@ -1021,13 +1027,13 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, 
struct net_device *dev,
goto tx_error;
}
 
-   rt = geneve_get_v4_rt(skb, dev, &fl4, info);
+   sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+   rt = geneve_get_v4_rt(skb, dev, &fl4, info, geneve->dst_port, sport);
if (IS_ERR(rt)) {
err = PTR_ERR(rt);
goto tx_error;
}
 
-   sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
skb_reset_mac_header(skb);
 
iip = ip_hdr(skb);
@@ -1113,13 +1119,13 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff 
*skb, struct net_device *dev,
}
}
 
-   dst = geneve_get_v6_dst(skb, dev, &fl6, info);
+   sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+   dst = geneve_get_v6_dst(skb, dev, &fl6, info, geneve->dst_port, sport);
if (IS_ERR(dst)) {
err = PTR_ERR(dst);
goto tx_error;
}
 
-   sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
skb_reset_mac_header(skb);
 
iip = ip_hdr(skb);
@@ -1248,13 +1254,17 @@ int ovs_geneve_fill_metadata_dst(struct net_device 
*dev, struct sk_buff *skb)
struct geneve_dev *geneve = netdev_priv(dev);
struct rtable *rt;
struct flowi4 fl4;
+   __be16 sport;
 #if IS_ENABLED(CONFIG_IPV6)
struct dst_entry *dst;
struct flowi6 fl6;
 #endif
 
+   sport = udp_flow_src_port(geneve->net, skb,
+1, USHRT_MAX, true);
+
if (ip_tunnel_info_af(info) == AF_INET) {
-   rt = geneve_get_v4_rt(skb, dev, &fl4, info);
+   rt = geneve_get_v4_rt(skb, dev, &fl4, info, geneve->dst_port, 
sport);
if (IS_ERR(rt))
return PTR_ERR(rt);
 
@@ -1262,7 +1272,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, 
struct sk_buff *skb)
info->key.u.ipv4.src = fl4.saddr;
 #if IS_ENABLED(CONFIG_IPV6)
} else if (ip_tunnel_info_af(info) == AF_INET6) {
-   dst = geneve_get_v6_dst(skb, dev, &fl6, info);
+   dst = geneve_get_v6_dst(skb, dev, &fl6, info, geneve->dst_port, 
sport);
if (IS_ERR(dst))
return PTR_ERR(dst);
 
@@ -1273,8 +1283,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, 
struct sk_buff *skb)
return -EINVAL;
}
 
-   info->key.tp_src = udp_flow_src_port(geneve->net, skb,
-1, USHRT_MAX, true);
+   info-

[ovs-dev] [PATCH v6 0/6] IPsec support for tunneling

2018-08-29 Thread Qiuyu Xiao
This patch series reintroduces IPsec support for OVS tunneling and enables
OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are
supported. StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2
-
1. Merge the ovs-monitor-ipsec code into a single patch. Add LibreSwan IKE
daemon support.
2. Add ovs-monitor-ipsec to the flake8 check.
3. Use openssl to extract the CN from the certificate so that users don't
need to specify the CN in the configuration interface.
4. Improve documentation as suggested.

Changes from v2 to v3
-
1. Add scripts and rules to create the ovs-ipsec RPM package.
2. Add Documentation/tutorials/ipsec.rst, which gives a step-by-step OVS
IPsec tutorial. Modify Documentation/howto/ipsec.rst, which gives a detailed
description of the OVS IPsec configuration modes.
3. Modify ovs-pki to generate x.509 version 3 certificates when self-signing.
4. The IPsec tunnel interface needs 'local_ip' information. Modify
ovn-controller to add 'local_ip' when IPsec is enabled.
5. Add a section to ovn/ovn-architecture.7.xml to introduce OVN IPsec.

Changes from v3 to v4
-
1. Split the datapath patch into three patches (geneve, vxlan, stt).
2. Add tutorials for OVN RBAC and OVN IPsec.

Changes from v4 to v5
-
1. Fix coding style issues in ovs-monitor-ipsec.
2. Improve the IPsec and OVN-IPsec tutorials as suggested.
3. Change the description of setting skb_mark in the documentation to
reflect the real situation.

Changes from v5 to v6
-
1. Use a wildcard IP address to match the localhost IP in LibreSwan. Remove
the 'local_ip' requirement when setting up the IPsec tunnel interface.
2. The ovs-monitor-ipsec daemon accepts a command line option to choose the
IKE daemon, either LibreSwan or StrongSwan. The init script chooses which
IKE daemon to use. Currently, the Debian init script chooses StrongSwan and
the Fedora init script chooses LibreSwan.
3. Check for an illegal name before removing a file in
'_import_local_certs_and_key()'.
4. The GRE IPsec tunnel was not activated properly when using LibreSwan. This
version fixes it.
5. The plaintext policy syntax was wrong when using LibreSwan. This version
corrects it.
6. Add comments and explanations about the 'remote_name' check in
'_is_valid_tunnel_conf()'.
7. Replace 'ike_daemon_start()' with 'ike_daemon_restart()' to start the IKE
daemon.

*** BLURB HERE ***

Qiuyu Xiao (6):
  datapath: add transport ports in route lookup for geneve
  ipsec: reintroduce IPsec support for tunneling
  debian and rhel: Create IPsec package.
  Documentation: IPsec tunnel tutorial and documentation.
  OVN: native support for tunnel encryption
  Documentation: OVN RBAC and IPsec tutorial

 Documentation/automake.mk  |4 +
 Documentation/howto/index.rst  |1 +
 Documentation/howto/ipsec.rst  |  194 
 Documentation/index.rst|5 +-
 Documentation/tutorials/index.rst  |3 +
 Documentation/tutorials/ipsec.rst  |  347 ++
 Documentation/tutorials/ovn-ipsec.rst  |  146 +++
 Documentation/tutorials/ovn-rbac.rst   |  134 +++
 Makefile.am|1 +
 datapath/linux/compat/geneve.c |   29 +-
 debian/automake.mk |3 +
 debian/control |   21 +
 debian/openvswitch-ipsec.dirs  |1 +
 debian/openvswitch-ipsec.init  |  181 +++
 debian/openvswitch-ipsec.install   |1 +
 ipsec/automake.mk  |   10 +
 ipsec/ovs-monitor-ipsec| 1211 
 ovn/controller/encaps.c|   14 +-
 ovn/controller/encaps.h|6 +-
 ovn/controller/ovn-controller.c|3 +-
 ovn/northd/ovn-northd.c|8 +-
 ovn/ovn-architecture.7.xml |   39 +
 ovn/ovn-nb.ovsschema   |7 +-
 ovn/ovn-nb.xml |6 +
 ovn/ovn-sb.ovsschema   |7 +-
 ovn/ovn-sb.xml |6 +
 rhel/automake.mk   |1 +
 rhel/openvswitch-fedora.spec.in|   19 +-
 ...sr_lib_systemd_system_openvswitch-ipsec.service |   13 +
 utilities/ovs-ctl.in   |   27 +
 vswitchd/vswitch.xml   |  156 ++-
 31 files changed, 2569 insertions(+), 35 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 Documentation/tutorials/ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-rbac.rst
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debi

[ovs-dev] toutes urgences

2018-08-29 Thread metapro.fr
Hello, the company METAPRO.fr operates throughout the Paris region: Paris + 77 + 78 + 91 + 92 + 93 + 94 + 95, 7 days a week, 24 hours a day. Promotional flat-rate repair offer including call-out + labour + small supplies = 159€ incl. VAT. For all your repairs (and installations): HEATING (oil, gas, electric boilers ...), PLUMBING, ELECTRICAL, HOME AUTOMATION ...
Same-day service (3h on average). With or without a maintenance contract.
TRADESMAN in business since 2005
Plumbing, Heating, Electrical, Intercoms, Automation ... EXPRESS repair and INSTALLATION, Maintenance ...

METAPRO, 38 rue Bénard - 75014 PARIS - Siret: 480.334.085.00010

If you no longer wish to receive emails from me, please simply "reply" with the word STOP in the subject line.

This mailing is sent by L.M.B. 798604690 - You can write to us: LMB CONSULT - BP 22 - 77251 BRIE COMTE ROBERT CEDEX. In accordance with article 34 of the French Data Protection Act (loi Informatique et Liberté) of 6 January 1978, you have the right to access, modify, rectify and delete data concerning you. Note that we hold no other data concerning you apart from the email address at which you received this message. We have no file of postal addresses, surnames or first names ... ... CNIL declaration 2182562
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


[ovs-dev] [patch v2 1/2] conntrack: Fix nat_clean.

2018-08-29 Thread Darrell Ball
nat_clean has a defunct optimization for calculating a hash outside the
scope of a bucket lock which can lead to a race in referencing a freed
conntrack entry.  Adjust to avoid this.  Needs backporting to 2.8.

Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-August/351629.html
Fixes: 286de2729955 ("dpdk: Userspace Datapath: Introduce NAT Support.")
Signed-off-by: Darrell Ball 
---
 lib/conntrack.c | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index be8debb..692f2b8 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -778,20 +778,22 @@ nat_clean(struct conntrack *ct, struct conn *conn,
 {
 ct_rwlock_wrlock(&ct->resources_lock);
 nat_conn_keys_remove(&ct->nat_conn_keys, &conn->rev_key, ct->hash_basis);
-ct_rwlock_unlock(&ct->resources_lock);
-ct_lock_unlock(&ctb->lock);
 unsigned bucket_rev_conn =
 hash_to_bucket(conn_key_hash(&conn->rev_key, ct->hash_basis));
+struct conn_key rev_key = conn->rev_key;
+ct_rwlock_unlock(&ct->resources_lock);
+ct_lock_unlock(&ctb->lock);
+
 ct_lock_lock(&ct->buckets[bucket_rev_conn].lock);
 ct_rwlock_wrlock(&ct->resources_lock);
 long long now = time_msec();
-struct conn *rev_conn = conn_lookup(ct, &conn->rev_key, now);
+struct conn *rev_conn = conn_lookup(ct, &rev_key, now);
 struct nat_conn_key_node *nat_conn_key_node =
-nat_conn_keys_lookup(&ct->nat_conn_keys, &conn->rev_key,
+nat_conn_keys_lookup(&ct->nat_conn_keys, &rev_key,
  ct->hash_basis);
 
-/* In the unlikely event, rev conn was recreated, then skip
- * rev_conn cleanup. */
+/* In the unlikely event, 'rev_conn' was recreated, then skip
+ * 'rev_conn' cleanup. */
 if (rev_conn && (!nat_conn_key_node ||
  conn_key_cmp(&nat_conn_key_node->value,
   &rev_conn->rev_key))) {
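Review bot: the new local `struct conn_key rev_key = conn->rev_key;` deserves a one-line comment stating that `conn` must not be dereferenced after `ct_lock_unlock(&ctb->lock)` because another thread can free the entry once the bucket lock is dropped; that is exactly the race the commit message describes, and without the comment the copy looks redundant and invites the removed "optimization" back. Moving the `hash_to_bucket(conn_key_hash(&conn->rev_key, ...))` computation above the unlock is the right fix for the same reason. Minor: the reworded comment reads better as `/* In the unlikely event that 'rev_conn' was recreated, skip` / ` * 'rev_conn' cleanup. */`.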
-- 
1.9.1



[ovs-dev] [patch v2 2/2] conntrack: Skip ephemeral ports fallback for DNAT.

2018-08-29 Thread Darrell Ball
Ephemeral port fallback is being done for DNAT and the code could be hit in
some special cases, with some test challenges. This is incorrect at any rate,
so filter this out.
Also, rename the variable used for checking whether ephemeral ports
need to be checked.
Needs backporting to 2.8.

Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-August/351629.html
Fixes: 286de2729955 ("dpdk: Userspace Datapath: Introduce NAT Support.")
Signed-off-by: Darrell Ball 
---
 lib/conntrack.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 692f2b8..be6c8fc 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -2183,7 +2183,9 @@ nat_select_range_tuple(struct conntrack *ct, const struct 
conn *conn,
 
 uint16_t port = first_port;
 bool all_ports_tried = false;
-bool original_ports_tried = false;
+/* For DNAT, we don't try ephemeral ports. */
+bool ephemeral_ports_tried =
+conn->nat_info->nat_action & NAT_ACTION_DST ? true : false;
 struct ct_addr first_addr = ct_addr;
 
 while (true) {
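Review bot: the `? true : false` in `bool ephemeral_ports_tried = conn->nat_info->nat_action & NAT_ACTION_DST ? true : false;` is redundant, since assignment to `bool` already normalizes the value; `bool ephemeral_ports_tried = (conn->nat_info->nat_action & NAT_ACTION_DST) != 0;` is shorter and the parentheses make the precedence explicit. Also consider whether a name such as `skip_ephemeral_ports` or a second flag reads clearer than pre-setting "tried" to true for ports that were never tried; the comment `/* For DNAT, we don't try ephemeral ports. */` is doing the work the name should do.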
@@ -2229,8 +2231,8 @@ nat_select_range_tuple(struct conntrack *ct, const struct 
conn *conn,
 ct_addr = conn->nat_info->min_addr;
 }
 if (!memcmp(&ct_addr, &first_addr, sizeof ct_addr)) {
-if (!original_ports_tried) {
-original_ports_tried = true;
+if (!ephemeral_ports_tried) {
+ephemeral_ports_tried = true;
 ct_addr = conn->nat_info->min_addr;
 min_port = MIN_NAT_EPHEMERAL_PORT;
 max_port = MAX_NAT_EPHEMERAL_PORT;
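Review bot: with `ephemeral_ports_tried` now starting as true for DNAT, the `if (!ephemeral_ports_tried)` arm is skipped the first time `ct_addr` wraps back to `first_addr`, so for DNAT the loop's termination rests entirely on the alternative path that lies outside this hunk; please confirm that path sets `all_ports_tried` (or otherwise exits the loop) and add a test exercising DNAT with a single-address range whose ports are exhausted, which is the case the commit message calls out as hard to hit.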
-- 
1.9.1
