mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-30 05:47:55 +00:00
Code Issues Releases Wiki Activity

ovs-monitor-ipsec: Allow custom options per tunnel.

Browse Source 
Tunnels in LibreSwan and OpenSwan allow for many options to be set on a
per tunnel basis. Pass through any options starting with ipsec_ to the
connection in the configuration file. Administrators are responsible for
picking valid key/value pairs.

Signed-off-by: Andreas Karis <ak.karis@gmail.com>
Acked-by: Mike Pattrick <mkp@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
This commit is contained in:
Andreas Karis 2022-03-02 14:40:05 +01:00 committed by Ilya Maximets
parent af864cedb0
commit e8515c8cc0
4 changed files with 67 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
Documentation/tutorials/ipsec.rst
View File

@ -303,6 +303,50 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
You should be able to see that ESP packets are being sent from `host_1` to You should be able to see that ESP packets are being sent from `host_1` to
`host_2`. `host_2`.
Custom options
--------------
Any parameter prefixed with `ipsec_` will be added to the connection profile.
For example::
# ovs-vsctl set interface tun options:ipsec_encapsulation=yes
Will result in::
# ovs-appctl -t ovs-monitor-ipsec tunnels/show
Interface name: tun v7 (CONFIGURED)
Tunnel Type: vxlan
Local IP: 192.0.0.1
Remote IP: 192.0.0.2
Address Family: IPv4
SKB mark: None
Local cert: None
Local name: None
Local key: None
Remote cert: None
Remote name: None
CA cert: None
PSK: swordfish
Custom Options: {'encapsulation': 'yes'}
And in the following connection profiles::
conn tun-in-7
left=192.0.0.1
right=192.0.0.2
authby=secret
encapsulation=yes
leftprotoport=udp/4789
rightprotoport=udp
conn tun-out-7
left=192.0.0.1
right=192.0.0.2
authby=secret
encapsulation=yes
leftprotoport=udp
rightprotoport=udp/4789
Troubleshooting Troubleshooting
--------------- ---------------
@ -329,6 +373,7 @@ For example::
Remote name: None Remote name: None
CA cert: None CA cert: None
PSK: swordfish PSK: swordfish
Custom Options: {}
Ofport: 1 <--- Whether ovs-vswitchd has assigned Ofport Ofport: 1 <--- Whether ovs-vswitchd has assigned Ofport
number to this Tunnel Port number to this Tunnel Port
CFM state: Up <--- Whether CFM declared this tunnel healthy CFM state: Up <--- Whether CFM declared this tunnel healthy

3
NEWS
View File

@ -23,6 +23,9 @@ Post-v2.17.0
OpenFlow versions 1.0-1.2 with Nicira Extensions OpenFlow versions 1.0-1.2 with Nicira Extensions
OpenFlow versions 1.3 with Open Network Foundation extension OpenFlow versions 1.3 with Open Network Foundation extension
OpenFlow versions 1.4+, as defined in the OpenFlow specification OpenFlow versions 1.4+, as defined in the OpenFlow specification
- IPsec:
* Added support for custom per-tunnel options via 'options:ipsec_*' knobs.
See Documentation/tutorials/ipsec.rst for details.
- Windows: - Windows:
* Conntrack support for TCPv6, UDPv6, ICMPv6, FTPv6. * Conntrack support for TCPv6, UDPv6, ICMPv6, FTPv6.
* IPv6 Geneve tunnel support. * IPv6 Geneve tunnel support.

17
ipsec/ovs-monitor-ipsec.in
View File

@ -313,6 +313,10 @@ conn prevent_unencrypted_vxlan
tmpl = self.auth_tmpl["pki_ca"] tmpl = self.auth_tmpl["pki_ca"]
auth_section = tmpl.substitute(tunnel.conf) auth_section = tmpl.substitute(tunnel.conf)
if "custom_options" in tunnel.conf:
for key, value in tunnel.conf["custom_options"].items():
auth_section += "\n " + key + "=" + value
vals = tunnel.conf.copy() vals = tunnel.conf.copy()
vals["auth_section"] = auth_section vals["auth_section"] = auth_section
vals["version"] = tunnel.version vals["version"] = tunnel.version
@ -550,6 +554,10 @@ conn prevent_unencrypted_vxlan
if tunnel.conf["address_family"] == "IPv6": if tunnel.conf["address_family"] == "IPv6":
auth_section = self.IPV6_CONN + auth_section auth_section = self.IPV6_CONN + auth_section
if "custom_options" in tunnel.conf:
for key, value in tunnel.conf["custom_options"].items():
auth_section += "\n " + key + "=" + value
vals = tunnel.conf.copy() vals = tunnel.conf.copy()
vals["auth_section"] = auth_section vals["auth_section"] = auth_section
vals["version"] = tunnel.version vals["version"] = tunnel.version
@ -831,6 +839,7 @@ class IPsecTunnel(object):
Remote name: $remote_name Remote name: $remote_name
CA cert: $ca_cert CA cert: $ca_cert
PSK: $psk PSK: $psk
Custom Options: $custom_options
""") """)
unixctl_status_tmpl = Template("""\ unixctl_status_tmpl = Template("""\
@ -874,7 +883,13 @@ class IPsecTunnel(object):
"remote_cert": remote_cert, "remote_cert": remote_cert,
"remote_name": remote_name, "remote_name": remote_name,
"local_name": monitor.conf["pki"]["local_name"], "local_name": monitor.conf["pki"]["local_name"],
"psk": options.get("psk")} "psk": options.get("psk"),
"custom_options": {}}
# add custom ipsec options to the connection
for key, value in options.items():
if key.startswith("ipsec_"):
new_conf["custom_options"][key[len("ipsec_"):]] = value
if self.conf != new_conf: if self.conf != new_conf:
# Configuration was updated in OVSDB. Validate it and figure # Configuration was updated in OVSDB. Validate it and figure

4
vswitchd/vswitch.xml
View File

@ -1046,7 +1046,9 @@
<p> <p>
These settings control the global configuration of IPsec tunnels. The These settings control the global configuration of IPsec tunnels. The
<code>options</code> column of the <code>Interface</code> table <code>options</code> column of the <code>Interface</code> table
configures IPsec for individual tunnels. configures IPsec for individual tunnels. The <code>options</code>
column also allows for custom options prefixed with <code>ipsec_</code>
to be passed to the individual connections.
</p> </p>
<p> <p>
OVS IPsec supports the following three forms of authentication. OVS IPsec supports the following three forms of authentication.