openvswitch: deprecates support for IPsec tunnel port.

OVS IPsec tunnel support has issues: 1. It only works for GRE. 2. only works on Debian. 3. It does not allow user to match on packet-mark on packet received on tunnel ports. This patch deprecates support for IPsec tunnel port. Signed-off-by: Pravin B Shelar <pshelar@ovn.org> Acked-by: Ansis Atteka <aatteka@ovn.org>
2025-08-22 01:51:26 +00:00 · 2016-09-20 10:52:58 -07:00 · 2016-09-20 10:52:58 -07:00 · 9e9d038491
commit 9e9d038491
parent 4196454379
5 changed files with 8 additions and 0 deletions
--- a/1
+++ b/1
@ -150,6 +150,7 @@ v2.6.0 - xx xxx xxxx
     * Flow based tunnel match and action can be used for IPv6 address using
       tun_ipv6_src, tun_ipv6_dst fields.
     * Added support for IPv6 tunnels, for details checkout FAQ.
+     * Deprecated support for IPsec tunnels ports.
   - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port and
     watch with tcpdump
   - Introduce --no-self-confinement flag that allows daemons to work with
--- a/debian/changelog
+++ b/debian/changelog
@ -118,6 +118,7 @@ openvswitch (2.6.0-1) unstable; urgency=low
     * Flow based tunnel match and action can be used for IPv6 address using
       tun_ipv6_src, tun_ipv6_dst fields.
     * Added support for IPv6 tunnels, for details checkout FAQ.
+     * Deprecated support for IPsec tunnels ports.
   - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port and
     watch with tcpdump
   - Introduce --no-self-confinement flag that allows daemons to work with
--- a/debian/control
+++ b/debian/control
@ -200,6 +200,7 @@ Description: Open vSwitch GRE-over-IPsec support
 .
 The ovs-monitor-ipsec script provides support for encrypting GRE
 tunnels with IPsec.
+ IPsec tunnels support is deprecated.

 Package: openvswitch-pki
 Architecture: all
--- a/lib/netdev-vport.c
+++ b/lib/netdev-vport.c
@ -543,6 +543,8 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args)
        static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER;
        static pid_t pid = 0;

+        VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name);
+
 #ifndef _WIN32
        ovs_mutex_lock(&mutex);
        if (pid <= 0) {
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@ -2008,6 +2008,9 @@
          <dd>
            An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4/IPv6
            IPsec tunnel.
+            IPsec tunnel ports are deprecated. The support will be completely
+            removed in next version.
+
          </dd>

          <dt><code>vxlan</code></dt>