mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-22 01:51:26 +00:00
Code Issues Releases Wiki Activity

ovs-monitor-ipsec: LibreSwan v5 support.

Browse Source 
In version 5, LibreSwan made significant command line interface changes.
This includes changing the order or command line parameters and removing
the "ipsec auto" command.

To maintain compatibility with previous versions, the ipsec.d version
check is repurposed for this. Checking the version proved simpler than
removing use of auto.

There was also a change to ipsec status command that effected the tests.
However, this change was backwards compatible.

Reported-at: https://issues.redhat.com/browse/FDP-645
Reported-by: Ilya Maximets <i.maximets@ovn.org>
Signed-off-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Simon Horman <horms@ovn.org>
This commit is contained in:
Mike Pattrick 2024-06-28 00:24:06 -04:00 committed by Simon Horman
parent 802df1e37b
commit 239b59bdfb
2 changed files with 30 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
ipsec/ovs-monitor-ipsec.in
View File

@ -459,6 +459,7 @@ conn prevent_unencrypted_vxlan
def __init__(self, libreswan_root_prefix, args):
# Collect version infromation
self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec"
self.IPSEC_AUTO = [self.IPSEC]
proc = subprocess.Popen([self.IPSEC, "--version"],
stdout=subprocess.PIPE,
encoding="latin1")
@ -470,6 +471,11 @@ conn prevent_unencrypted_vxlan
except:
version = 0
if version < 5:
# With v5, LibreSWAN removed the auto command, however, it is
# still required for older versions
self.IPSEC_AUTO.append("auto")
if version >= 4:
ipsec_d = args.ipsec_d if args.ipsec_d else "/var/lib/ipsec/nss"
else:
@ -593,7 +599,7 @@ conn prevent_unencrypted_vxlan
def refresh(self, monitor):
vlog.info("Refreshing LibreSwan configuration")
subprocess.call([self.IPSEC, "auto", "--ctlsocket", self.IPSEC_CTL,
subprocess.call(self.IPSEC_AUTO + ["--ctlsocket", self.IPSEC_CTL,
"--config", self.IPSEC_CONF, "--rereadsecrets"])
tunnels = set(monitor.tunnels.keys())
@ -621,7 +627,7 @@ conn prevent_unencrypted_vxlan
if not tunnel or tunnel.version != ver:
vlog.info("%s is outdated %u" % (conn, ver))
subprocess.call([self.IPSEC, "auto", "--ctlsocket",
subprocess.call(self.IPSEC_AUTO + ["--ctlsocket",
self.IPSEC_CTL, "--config",
self.IPSEC_CONF, "--delete", conn])
elif ifname in tunnels:
@ -643,44 +649,44 @@ conn prevent_unencrypted_vxlan
# Update shunt policy if changed
if monitor.conf_in_use["skb_mark"] != monitor.conf["skb_mark"]:
if monitor.conf["skb_mark"]:
subprocess.call([self.IPSEC, "auto",
"--config", self.IPSEC_CONF,
subprocess.call(self.IPSEC_AUTO +
["--config", self.IPSEC_CONF,
"--ctlsocket", self.IPSEC_CTL,
"--add",
"--asynchronous", "prevent_unencrypted_gre"])
subprocess.call([self.IPSEC, "auto",
"--config", self.IPSEC_CONF,
subprocess.call(self.IPSEC_AUTO +
["--config", self.IPSEC_CONF,
"--ctlsocket", self.IPSEC_CTL,
"--add",
"--asynchronous", "prevent_unencrypted_geneve"])
subprocess.call([self.IPSEC, "auto",
"--config", self.IPSEC_CONF,
subprocess.call(self.IPSEC_AUTO +
["--config", self.IPSEC_CONF,
"--ctlsocket", self.IPSEC_CTL,
"--add",
"--asynchronous", "prevent_unencrypted_stt"])
subprocess.call([self.IPSEC, "auto",
"--config", self.IPSEC_CONF,
subprocess.call(self.IPSEC_AUTO +
["--config", self.IPSEC_CONF,
"--ctlsocket", self.IPSEC_CTL,
"--add",
"--asynchronous", "prevent_unencrypted_vxlan"])
else:
subprocess.call([self.IPSEC, "auto",
"--config", self.IPSEC_CONF,
subprocess.call(self.IPSEC_AUTO +
["--config", self.IPSEC_CONF,
"--ctlsocket", self.IPSEC_CTL,
"--delete",
"--asynchronous", "prevent_unencrypted_gre"])
subprocess.call([self.IPSEC, "auto",
"--config", self.IPSEC_CONF,
subprocess.call(self.IPSEC_AUTO +
["--config", self.IPSEC_CONF,
"--ctlsocket", self.IPSEC_CTL,
"--delete",
"--asynchronous", "prevent_unencrypted_geneve"])
subprocess.call([self.IPSEC, "auto",
"--config", self.IPSEC_CONF,
subprocess.call(self.IPSEC_AUTO +
["--config", self.IPSEC_CONF,
"--ctlsocket", self.IPSEC_CTL,
"--delete",
"--asynchronous", "prevent_unencrypted_stt"])
subprocess.call([self.IPSEC, "auto",
"--config", self.IPSEC_CONF,
subprocess.call(self.IPSEC_AUTO +
["--config", self.IPSEC_CONF,
"--ctlsocket", self.IPSEC_CTL,
"--delete",
"--asynchronous", "prevent_unencrypted_vxlan"])
@ -726,8 +732,8 @@ conn prevent_unencrypted_vxlan
# the "ipsec auto --start" command is lost. Just retry to make sure
# the command is received by LibreSwan.
while True:
proc = subprocess.Popen([self.IPSEC, "auto",
"--config", self.IPSEC_CONF,
proc = subprocess.Popen(self.IPSEC_AUTO +
["--config", self.IPSEC_CONF,
"--ctlsocket", self.IPSEC_CTL,
"--start",
"--asynchronous", conn],

8
tests/system-ipsec.at
View File

@ -110,16 +110,16 @@ m4_define([CHECK_LIBRESWAN],
dnl IPSEC_STATUS_LOADED([])
dnl
dnl Get number of loaded connections from ipsec status
m4_define([IPSEC_STATUS_LOADED], [ipsec status --rundir $ovs_base/$1 | \
m4_define([IPSEC_STATUS_LOADED], [ipsec --rundir $ovs_base/$1 status | \
grep "Total IPsec connections" | \
sed 's/[[0-9]]* Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\1/m'])
sed 's/[[0-9]]* *Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\1/m'])
dnl IPSEC_STATUS_ACTIVE([])
dnl
dnl Get number of active connections from ipsec status
m4_define([IPSEC_STATUS_ACTIVE], [ipsec status --rundir $ovs_base/$1 | \
m4_define([IPSEC_STATUS_ACTIVE], [ipsec --rundir $ovs_base/$1 status | \
grep "Total IPsec connections" | \
sed 's/[[0-9]]* Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\2/m'])
sed 's/[[0-9]]* *Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\2/m'])
dnl CHECK_ESP_TRAFFIC()
dnl