authorPravin B Shelar <pshelar@ovn.org>2016-09-24 11:44:53 -0700
committerPravin B Shelar <pshelar@ovn.org>2016-09-27 11:06:09 -0700
commit2b02d770c4cb381ec32cd4b7b1e991c42b448884 (patch)
tree2ffe1064105f5cb7f20f4b884a66af7d7158a586 /ofproto/tunnel.c
parent5e8bc3c549ca9bfa02c5525c02cb4ee12ef1f06e (diff)
openvswitch: Allow external IPsec tunnel management.
OVS GRE IPsec tunnel support has multiple issues; therefore it was deprecated in OVS 2.6. The following patch removes support for GRE IPsec and allows external IPsec tunnel management for any type of tunnel, not just GRE; e.g. a user can encrypt Geneve or VXLAN traffic. It can be done by using the OpenFlow pipeline to set the skb-mark and using IPsec keying daemons to implement IPsec tunnels. Packets can then be matched on the skb-mark to encrypt selected tunnel traffic. VMware-BZ: 1710701 Signed-off-by: Pravin B Shelar <pshelar@ovn.org> Acked-by: Ansis Atteka <aatteka@ovn.org>
Diffstat (limited to 'ofproto/tunnel.c')
-rw-r--r--ofproto/tunnel.c13
1 files changed, 0 insertions, 13 deletions
diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c
index 9a69071c0..97de59e0d 100644
--- a/ofproto/tunnel.c
+++ b/ofproto/tunnel.c
@@ -41,15 +41,11 @@
VLOG_DEFINE_THIS_MODULE(tunnel);
-/* skb mark used for IPsec tunnel packets */
-#define IPSEC_MARK 1
-
struct tnl_match {
ovs_be64 in_key;
struct in6_addr ipv6_src;
struct in6_addr ipv6_dst;
odp_port_t odp_port;
- uint32_t pkt_mark;
bool in_key_flow;
bool ip_src_flow;
bool ip_dst_flow;
@@ -164,7 +160,6 @@ tnl_port_add__(const struct ofport_dpif *ofport, const struct netdev *netdev,
tnl_port->match.ipv6_dst = cfg->ipv6_dst;
tnl_port->match.ip_src_flow = cfg->ip_src_flow;
tnl_port->match.ip_dst_flow = cfg->ip_dst_flow;
- tnl_port->match.pkt_mark = cfg->ipsec ? IPSEC_MARK : 0;
tnl_port->match.in_key_flow = cfg->in_key_flow;
tnl_port->match.odp_port = odp_port;
@@ -357,7 +352,6 @@ tnl_process_ecn(struct flow *flow)
flow->nw_tos |= IP_ECN_CE;
}
- flow->pkt_mark &= ~IPSEC_MARK;
return true;
}
@@ -383,8 +377,6 @@ tnl_wc_init(struct flow *flow, struct flow_wildcards *wc)
wc->masks.tunnel.tp_src = 0;
wc->masks.tunnel.tp_dst = 0;
- memset(&wc->masks.pkt_mark, 0xff, sizeof wc->masks.pkt_mark);
-
if (is_ip_any(flow)
&& IP_ECN_is_ce(flow->tunnel.ip_tos)) {
wc->masks.nw_tos |= IP_ECN_MASK;
@@ -435,9 +427,6 @@ tnl_port_send(const struct ofport_dpif *ofport, struct flow *flow,
flow->tunnel.ipv6_dst = in6addr_any;
}
}
- flow->pkt_mark |= tnl_port->match.pkt_mark;
- wc->masks.pkt_mark |= tnl_port->match.pkt_mark;
-
if (!cfg->out_key_flow) {
flow->tunnel.tun_id = cfg->out_key;
}
@@ -561,7 +550,6 @@ tnl_find(const struct flow *flow) OVS_REQ_RDLOCK(rwlock)
match.ipv6_dst = flow_tnl_src(&flow->tunnel);
}
match.odp_port = flow->in_port.odp_port;
- match.pkt_mark = flow->pkt_mark;
match.in_key_flow = in_key_flow;
match.ip_dst_flow = ip_dst_flow;
match.ip_src_flow = ip_src == IP_SRC_FLOW;
@@ -616,7 +604,6 @@ tnl_match_fmt(const struct tnl_match *match, struct ds *ds)
}
ds_put_format(ds, ", dp port=%"PRIu32, match->odp_port);
- ds_put_format(ds, ", pkt mark=%"PRIu32, match->pkt_mark);
}
static void