-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | debian/automake.mk | 7 | ||||
-rw-r--r-- | debian/control | 24 | ||||
-rw-r--r-- | debian/openvswitch-ipsec.dirs | 1 | ||||
-rwxr-xr-x | debian/openvswitch-ipsec.init | 203 | ||||
-rw-r--r-- | debian/openvswitch-ipsec.install | 1 | ||||
-rwxr-xr-x | debian/ovs-monitor-ipsec | 507 | ||||
-rw-r--r-- | lib/netdev-vport.c | 67 | ||||
-rw-r--r-- | lib/netdev.h | 1 | ||||
-rw-r--r-- | ofproto/ofproto-dpif-ipfix.c | 15 | ||||
-rw-r--r-- | ofproto/ofproto-dpif-sflow.c | 7 | ||||
-rw-r--r-- | ofproto/tunnel.c | 13 | ||||
-rw-r--r-- | tests/automake.mk | 1 | ||||
-rw-r--r-- | tests/ofproto-macros.at | 50 | ||||
-rw-r--r-- | tests/ovn-controller.at | 2 | ||||
-rw-r--r-- | tests/ovs-monitor-ipsec.at | 271 | ||||
-rw-r--r-- | tests/testsuite.at | 1 | ||||
-rw-r--r-- | tests/tunnel-push-pop-ipv6.at | 2 | ||||
-rw-r--r-- | tests/tunnel-push-pop.at | 2 | ||||
-rw-r--r-- | tests/tunnel.at | 87 | ||||
-rwxr-xr-x | utilities/bugtool/ovs-bugtool.in | 2 | ||||
-rw-r--r-- | utilities/ovs-appctl.8.in | 4 | ||||
-rw-r--r-- | vswitchd/vswitch.xml | 57 |
24 files changed, 23 insertions, 1305 deletions
@@ -25,6 +25,7 @@ Post-v2.6.0 * TLV mappings for protocols such as Geneve are now segregated on a per-OpenFlow bridge basis rather than globally. (The interface has not changed.) + * Removed support for IPsec tunnels. v2.6.0 - xx xxx xxxx --------------------- @@ -30,7 +30,7 @@ vSwitch supports the following features: * NIC bonding with or without LACP on upstream switch * NetFlow, sFlow(R), and mirroring for increased visibility * QoS (Quality of Service) configuration, plus policing -* Geneve, GRE, GRE over IPSEC, VXLAN, and LISP tunneling +* Geneve, GRE, VXLAN, STT, and LISP tunneling * 802.1ag connectivity fault management * OpenFlow 1.0 plus numerous extensions * Transactional configuration database with C and Python bindings diff --git a/debian/automake.mk b/debian/automake.mk index 73b4d00f2..2da7055f0 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -19,9 +19,6 @@ EXTRA_DIST += \ debian/openvswitch-datapath-source.dirs \ debian/openvswitch-datapath-source.install \ debian/openvswitch-dev.install \ - debian/openvswitch-ipsec.dirs \ - debian/openvswitch-ipsec.init \ - debian/openvswitch-ipsec.install \ debian/openvswitch-pki.dirs \ debian/openvswitch-pki.postinst \ debian/openvswitch-pki.postrm \ @@ -71,7 +68,6 @@ EXTRA_DIST += \ debian/ovn-host.postinst \ debian/ovn-host.postrm \ debian/ovn-host.template \ - debian/ovs-monitor-ipsec \ debian/python-openvswitch.dirs \ debian/python-openvswitch.install \ debian/rules \ @@ -79,9 +75,6 @@ EXTRA_DIST += \ debian/ifupdown.sh \ debian/source/format -FLAKE8_PYFILES += \ - debian/ovs-monitor-ipsec - check-debian-changelog-version: @DEB_VERSION=`echo '$(VERSION)' | sed 's/pre/~pre/'`; \ if $(FGREP) '($(DEB_VERSION)' $(srcdir)/debian/changelog >/dev/null; \ diff --git a/debian/control b/debian/control index da86fe9fd..813721a91 100644 --- a/debian/control +++ b/debian/control 
@@ -178,30 +178,6 @@ Description: OVN Docker drivers . ovn-docker provides the docker drivers for OVN. -Package: openvswitch-ipsec -Architecture: linux-any -Depends: ipsec-tools (>=0.8~alpha20101208), - iproute2, - openvswitch-common (= ${binary:Version}), - openvswitch-switch (= ${binary:Version}), - python, - python-openvswitch (= ${source:Version}), - racoon (>=0.8~alpha20101208), - ${misc:Depends}, - ${shlibs:Depends} -Description: Open vSwitch GRE-over-IPsec support - Open vSwitch is a production quality, multilayer, software-based, - Ethernet virtual switch. It is designed to enable massive network - automation through programmatic extension, while still supporting - standard management interfaces and protocols (e.g. NetFlow, IPFIX, - sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed - to support distribution across multiple physical servers similar to - VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. - . - The ovs-monitor-ipsec script provides support for encrypting GRE - tunnels with IPsec. - IPsec tunnels support is deprecated. - Package: openvswitch-pki Architecture: all Depends: openvswitch-common (<< ${source:Version}.1~), diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs deleted file mode 100644 index 02130d0e9..000000000 --- a/debian/openvswitch-ipsec.dirs +++ /dev/null @@ -1 +0,0 @@ -usr/share/openvswitch/scripts diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init deleted file mode 100755 index a39dd40e6..000000000 --- a/debian/openvswitch-ipsec.init +++ /dev/null 
@@ -1,203 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino <jfs@debian.org> -# -# This is free software; you may redistribute it and/or modify -# it under the terms of the GNU General Public License as -# published by the Free Software Foundation; either version 2, -# or (at your option) any later version. -# -# This is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License with -# the Debian operating system, in /usr/share/common-licenses/GPL; if -# not, write to the Free Software Foundation, Inc., 59 Temple Place, -# Suite 330, Boston, MA 02111-1307 USA -# -### BEGIN INIT INFO -# Provides: openvswitch-ipsec -# Required-Start: $network $local_fs $remote_fs openvswitch-switch -# Required-Stop: $remote_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Open vSwitch GRE-over-IPsec daemon -# Description: The ovs-monitor-ipsec script provides support for encrypting GRE -# tunnels with IPsec. -### END INIT INFO - -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin - -DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location -NAME=ovs-monitor-ipsec # Introduce the short server's name here -LOGDIR=/var/log/openvswitch # Log directory to use - -PIDFILE=/var/run/openvswitch/$NAME.pid - -test -x $DAEMON || exit 0 - -. /lib/lsb/init-functions - -DODTIME=10 # Time to wait for the server to die, in seconds - # If this value is set too low you might not - # let some servers to die gracefully and - # 'restart' will not work - -set -e - -running_pid() { -# Check if a given process pid's cmdline matches a given name - pid=$1 - name=$2 - [ -z "$pid" ] && return 1 - [ ! 
-d /proc/$pid ] && return 1 - cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2` - # Is this the expected server - [ "$cmd" != "$name" ] && return 1 - return 0 -} - -running() { -# Check if the process is running looking at /proc -# (works for all users) - - # No pidfile, probably no daemon present - [ ! -f "$PIDFILE" ] && return 1 - pid=`cat $PIDFILE` - running_pid $pid $DAEMON || return 1 - return 0 -} - -uninstall_mark_rule() { - iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 || return 0 -} - -install_mark_rule() { - if ( ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2> /dev/null); then - iptables -A INPUT -t mangle $1 -j MARK --set-mark 1/1 - fi -} - -start_server() { - if [ ! -d /var/run/openvswitch ]; then - install -d -m 755 -o root -g root /var/run/openvswitch - fi - - install_mark_rule "-p esp" - install_mark_rule "-p udp --dport 4500" - /usr/share/openvswitch/scripts/ovs-monitor-ipsec \ - --pidfile=$PIDFILE --log-file --detach --monitor \ - unix:/var/run/openvswitch/db.sock - - return 0 -} - -stop_server() { - if [ -e $PIDFILE ]; then - kill `cat $PIDFILE` - fi - uninstall_mark_rule "-p esp" - uninstall_mark_rule "-p udp --dport 4500" - - return 0 -} - -force_stop() { -# Force the process to die killing it manually - [ ! -e "$PIDFILE" ] && return - if running ; then - kill -15 $pid - # Is it really dead? - sleep "$DODTIME" - if running ; then - kill -9 $pid - sleep "$DODTIME" - if running ; then - echo "Cannot kill $NAME (pid=$pid)!" 
- exit 1 - fi - fi - fi - rm -f $PIDFILE -} - - -case "$1" in - start) - log_daemon_msg "Starting $NAME" - # Check if it's running first - if running ; then - log_progress_msg "apparently already running" - log_end_msg 0 - exit 0 - fi - if start_server && running ; then - # It's ok, the server started and is running - log_end_msg 0 - else - # Either we could not start it or it is not running - # after we did - # NOTE: Some servers might die some time after they start, - # this code does not try to detect this and might give - # a false positive (use 'status' for that) - log_end_msg 1 - fi - ;; - stop) - log_daemon_msg "Stopping $NAME" - if running ; then - # Only stop the server if we see it running - stop_server - log_end_msg $? - else - # If it's not running don't do anything - log_progress_msg "apparently not running" - log_end_msg 0 - exit 0 - fi - ;; - force-stop) - # First try to stop gracefully the program - $0 stop - if running; then - # If it's still running try to kill it more forcefully - log_daemon_msg "Stopping (force) $NAME" - force_stop - log_end_msg $? - fi - ;; - restart|force-reload) - log_daemon_msg "Restarting $NAME" - stop_server - # Wait some sensible amount, some server need this - [ -n "$DODTIME" ] && sleep $DODTIME - start_server - running - log_end_msg $? - ;; - status) - log_daemon_msg "Checking status of $NAME" - if running ; then - log_progress_msg "running" - log_end_msg 0 - else - log_progress_msg "apparently not running" - log_end_msg 1 - exit 1 - fi - ;; - # Use this if the daemon cannot reload - reload) - log_warning_msg "Reloading $NAME daemon: not implemented, as the daemon" - log_warning_msg "cannot re-read the config file (use restart)." - ;; - *) - N=/etc/init.d/openvswitch-ipsec - echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2 - exit 1 - ;; -esac - -exit 0 diff --git a/debian/openvswitch-ipsec.install b/debian/openvswitch-ipsec.install deleted file mode 100644 index 72cacfa25..000000000 
--- a/debian/openvswitch-ipsec.install +++ /dev/null @@ -1 +0,0 @@ -debian/ovs-monitor-ipsec usr/share/openvswitch/scripts diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec deleted file mode 100755 index 6bc26aa8d..000000000 --- a/debian/ovs-monitor-ipsec +++ /dev/null 
@@ -1,507 +0,0 @@ -#! /usr/bin/env python -# Copyright (c) 2009, 2010, 2011, 2012 Nicira, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# A daemon to monitor attempts to create GRE-over-IPsec tunnels. -# Uses racoon and setkey to support the configuration. Assumes that -# OVS has complete control over IPsec configuration for the box. - -# xxx To-do: -# - Doesn't actually check that Interface is connected to bridge -# - If a certificate is badly formed, Racoon will refuse to start. We -# should do a better job of verifying certificates are valid before -# adding an interface to racoon.conf. - - -import argparse -import glob -import os -import subprocess -import sys - -import ovs.dirs -from ovs.db import error -import ovs.util -import ovs.daemon -import ovs.db.idl -import ovs.unixctl -import ovs.unixctl.server -import ovs.vlog -from six.moves import range -import six - -vlog = ovs.vlog.Vlog("ovs-monitor-ipsec") -root_prefix = '' # Prefix for absolute file names, for testing. 
-SETKEY = "/usr/sbin/setkey" -IP = "/sbin/ip" -exiting = False -IPSEC_MARK = "1" - - -def unixctl_exit(conn, unused_argv, unused_aux): - global exiting - exiting = True - conn.reply(None) - - -# Class to configure the racoon daemon, which handles IKE negotiation -class Racoon(object): - # Default locations for files - conf_file = "/etc/racoon/racoon.conf" - cert_dir = "/etc/racoon/certs" - psk_file = "/etc/racoon/psk.txt" - - # Racoon configuration header we use for IKE - conf_header = """# Configuration file generated by Open vSwitch -# -# Do not modify by hand! - -path pre_shared_key "%s"; -path certificate "%s"; - -""" - - # Racoon configuration footer we use for IKE - conf_footer = """sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} - -""" - - # Certificate entry template. - cert_entry = """remote %s { - exchange_mode main; - nat_traversal on; - ike_frag on; - certificate_type x509 "%s" "%s"; - my_identifier asn1dn; - peers_identifier asn1dn; - peers_certfile x509 "%s"; - verify_identifier on; - proposal { - encryption_algorithm aes; - hash_algorithm sha1; - authentication_method rsasig; - dh_group 2; - } -} - -""" - - # Pre-shared key template. 
- psk_entry = """remote %s { - exchange_mode main; - nat_traversal on; - proposal { - encryption_algorithm aes; - hash_algorithm sha1; - authentication_method pre_shared_key; - dh_group 2; - } -} - -""" - - def __init__(self): - self.psk_hosts = {} - self.cert_hosts = {} - - if not os.path.isdir(root_prefix + self.cert_dir): - os.mkdir(self.cert_dir) - - # Clean out stale peer certs from previous runs - for ovs_cert in glob.glob("%s%s/ovs-*.pem" - % (root_prefix, self.cert_dir)): - try: - os.remove(ovs_cert) - except OSError: - vlog.warn("couldn't remove %s" % ovs_cert) - - # Replace racoon's conf file with our template - self.commit() - - def reload(self): - exitcode = subprocess.call([root_prefix + "/etc/init.d/racoon", - "reload"]) - if exitcode != 0: - # Racoon is finicky about its configuration file and will - # refuse to start if it sees something it doesn't like - # (e.g., a certificate file doesn't exist). Try restarting - # the process before giving up. - vlog.warn("attempting to restart racoon") - exitcode = subprocess.call([root_prefix + "/etc/init.d/racoon", - "restart"]) - if exitcode != 0: - vlog.warn("couldn't reload racoon") - - def commit(self): - # Rewrite the Racoon configuration file - conf_file = open(root_prefix + self.conf_file, 'w') - conf_file.write(Racoon.conf_header % (self.psk_file, self.cert_dir)) - - for host, vals in six.iteritems(self.cert_hosts): - conf_file.write(Racoon.cert_entry % (host, vals["certificate"], - vals["private_key"], vals["peer_cert_file"])) - - for host in self.psk_hosts: - conf_file.write(Racoon.psk_entry % host) - - conf_file.write(Racoon.conf_footer) - conf_file.close() - - # Rewrite the pre-shared keys file; it must only be readable by root. 
- orig_umask = os.umask(0o077) - psk_file = open(root_prefix + Racoon.psk_file, 'w') - os.umask(orig_umask) - - psk_file.write("# Generated by Open vSwitch...do not modify by hand!") - psk_file.write("\n\n") - for host, vals in six.iteritems(self.psk_hosts): - psk_file.write("%s %s\n" % (host, vals["psk"])) - psk_file.close() - - self.reload() - - def _add_psk(self, host, psk): - if host in self.cert_hosts: - raise error.Error("host %s already defined for cert" % host) - - self.psk_hosts[host] = psk - self.commit() - - def _verify_certs(self, vals): - # Racoon will refuse to start if the certificate files don't - # exist, so verify that they're there. - if not os.path.isfile(root_prefix + vals["certificate"]): - raise error.Error("'certificate' file does not exist: %s" - % vals["certificate"]) - elif not os.path.isfile(root_prefix + vals["private_key"]): - raise error.Error("'private_key' file does not exist: %s" - % vals["private_key"]) - - # Racoon won't start if a given certificate or private key isn't - # valid. This is a weak test, but will detect the most flagrant - # errors. - if vals["peer_cert"].find("-----BEGIN CERTIFICATE-----") == -1: - raise error.Error("'peer_cert' is not in valid PEM format") - - cert = open(root_prefix + vals["certificate"]).read() - if cert.find("-----BEGIN CERTIFICATE-----") == -1: - raise error.Error("'certificate' is not in valid PEM format") - - cert = open(root_prefix + vals["private_key"]).read() - if cert.find("-----BEGIN RSA PRIVATE KEY-----") == -1: - raise error.Error("'private_key' is not in valid PEM format") - - def _add_cert(self, host, vals): - if host in self.psk_hosts: - raise error.Error("host %s already defined for psk" % host) - - if vals["certificate"] is None: - raise error.Error("'certificate' not defined for %s" % host) - elif vals["private_key"] is None: - # Assume the private key is stored in the same PEM file as - # the certificate. 
We make a copy of "vals" so that we don't - # modify the original "vals", which would cause the script - # to constantly think that the configuration has changed - # in the database. - vals = vals.copy() - vals["private_key"] = vals["certificate"] - - self._verify_certs(vals) - - # The peer's certificate comes to us in PEM format as a string. - # Write that string to a file for Racoon to use. - f = open(root_prefix + vals["peer_cert_file"], "w") - f.write(vals["peer_cert"]) - f.close() - - self.cert_hosts[host] = vals - self.commit() - - def _del_cert(self, host): - peer_cert_file = self.cert_hosts[host]["peer_cert_file"] - del self.cert_hosts[host] - self.commit() - try: - os.remove(root_prefix + peer_cert_file) - except OSError: - pass - - def add_entry(self, host, vals): - if vals["peer_cert"]: - self._add_cert(host, vals) - elif vals["psk"]: - self._add_psk(host, vals) - - def del_entry(self, host): - if host in self.cert_hosts: - self._del_cert(host) - elif host in self.psk_hosts: - del self.psk_hosts[host] - self.commit() - - -# Class to configure IPsec on a system using racoon for IKE and setkey -# for maintaining the Security Association Database (SAD) and Security -# Policy Database (SPD). Only policies for GRE are supported. -class IPsec(object): - def __init__(self): - self.sad_flush() - self.spd_flush() - self.racoon = Racoon() - self.entries = [] - - def call_setkey(self, cmds): - try: - p = subprocess.Popen([root_prefix + SETKEY, "-c"], - stdin=subprocess.PIPE, - stdout=subprocess.PIPE) - except: - vlog.err("could not call %s%s" % (root_prefix, SETKEY)) - sys.exit(1) - - # xxx It is safer to pass the string into the communicate() - # xxx method, but it didn't work for slightly longer commands. - # xxx An alternative may need to be found. 
- p.stdin.write(cmds) - return p.communicate()[0] - - def call_ip_xfrm(self, cmds): - exitcode = subprocess.call([root_prefix + IP, "xfrm"] + cmds) - if exitcode != 0: - vlog.err("couldn't install IPsec policy that prevents " - "traffic from exiting unencrypted") - - def get_spi(self, local_ip, remote_ip, proto="esp"): - # Run the setkey dump command to retrieve the SAD. Then, parse - # the output looking for SPI buried in the output. Note that - # multiple SAD entries can exist for the same "flow", since an - # older entry could be in a "dying" state. - spi_list = [] - host_line = "%s %s" % (local_ip, remote_ip) - results = self.call_setkey("dump ;\n").split("\n") - for i in range(len(results)): - if results[i].strip() == host_line: - # The SPI is in the line following the host pair - spi_line = results[i + 1] - if (spi_line[1:4] == proto): - spi = spi_line.split()[2] - spi_list.append(spi.split('(')[1].rstrip(')')) - return spi_list - - def sad_flush(self): - self.call_setkey("flush;\n") - - def sad_del(self, local_ip, remote_ip): - # To delete all SAD entries, we should be able to use setkey's - # "deleteall" command. Unfortunately, it's fundamentally broken - # on Linux and not documented as such. 
- cmds = "" - - # Delete local_ip->remote_ip SAD entries - spi_list = self.get_spi(local_ip, remote_ip) - for spi in spi_list: - cmds += "delete %s %s esp %s;\n" % (local_ip, remote_ip, spi) - - # Delete remote_ip->local_ip SAD entries - spi_list = self.get_spi(remote_ip, local_ip) - for spi in spi_list: - cmds += "delete %s %s esp %s;\n" % (remote_ip, local_ip, spi) - - if cmds: - self.call_setkey(cmds) - - def spd_flush(self): - self.call_setkey("spdflush;\n") - self.call_ip_xfrm(["policy", "add", "src", "0.0.0.0/0", "dst", - "0.0.0.0/0", "proto", "gre", "dir", "out", - "mark", IPSEC_MARK, "mask", IPSEC_MARK, - "action", "block", "priority", "4294967295"]) - - def spd_add(self, local_ip, remote_ip): - cmds = ("spdadd %s %s gre -P out ipsec esp/transport//require;\n" % - (local_ip, remote_ip)) - cmds += ("spdadd %s %s gre -P in ipsec esp/transport//require;\n" % - (remote_ip, local_ip)) - self.call_setkey(cmds) - - def spd_del(self, local_ip, remote_ip): - cmds = "spddelete %s %s gre -P out;\n" % (local_ip, remote_ip) - cmds += "spddelete %s %s gre -P in;\n" % (remote_ip, local_ip) - self.call_setkey(cmds) - - def add_entry(self, local_ip, remote_ip, vals): - if remote_ip in self.entries: - raise error.Error("host %s already configured for ipsec" - % remote_ip) - - self.racoon.add_entry(remote_ip, vals) - self.spd_add(local_ip, remote_ip) - - self.entries.append(remote_ip) - - def del_entry(self, local_ip, remote_ip): - if remote_ip in self.entries: - self.racoon.del_entry(remote_ip) - self.spd_del(local_ip, remote_ip) - self.sad_del(local_ip, remote_ip) - - self.entries.remove(remote_ip) - - -def update_ipsec(ipsec, interfaces, new_interfaces): - for name, vals in six.iteritems(interfaces): - if name not in new_interfaces: - ipsec.del_entry(vals["local_ip"], vals["remote_ip"]) - - for name, vals in six.iteritems(new_interfaces): - orig_vals = interfaces.get(name) - if orig_vals: - # Configuration for this host already exists. Check if it's - # changed. 
We use set difference, since we want to ignore - # any local additions to "orig_vals" that we've made - # (e.g. the "peer_cert_file" key). - if set(vals.items()) - set(orig_vals.items()): - ipsec.del_entry(vals["local_ip"], vals["remote_ip"]) - else: - continue - - try: - ipsec.add_entry(vals["local_ip"], vals["remote_ip"], vals) - except error.Error as msg: - vlog.warn("skipping ipsec config for %s: %s" % (name, msg)) - - -def get_ssl_cert(data): - for ovs_rec in data["Open_vSwitch"].rows.values(): - if ovs_rec.ssl: - ssl = ovs_rec.ssl[0] - if ssl.certificate and ssl.private_key: - return (ssl.certificate, ssl.private_key) - - return None - - -def main(): - - parser = argparse.ArgumentParser() - parser.add_argument("database", metavar="DATABASE", - help="A socket on which ovsdb-server is listening.") - parser.add_argument("--root-prefix", metavar="DIR", - help="Use DIR as alternate root directory" - " (for testing).") - - ovs.vlog.add_args(parser) - ovs.daemon.add_args(parser) - args = parser.parse_args() - ovs.vlog.handle_args(args) - ovs.daemon.handle_args(args) - - global root_prefix - if args.root_prefix: - root_prefix = args.root_prefix - - remote = args.database - schema_helper = ovs.db.idl.SchemaHelper() - schema_helper.register_columns("Interface", ["name", "type", "options"]) - schema_helper.register_columns("Open_vSwitch", ["ssl"]) - schema_helper.register_columns("SSL", ["certificate", "private_key"]) - idl = ovs.db.idl.Idl(remote, schema_helper) - - ipsec = IPsec() - - ovs.daemon.daemonize() - - ovs.unixctl.command_register("exit", "", 0, 0, unixctl_exit, None) - error, unixctl_server = ovs.unixctl.server.UnixctlServer.create(None) - if error: - ovs.util.ovs_fatal(error, "could not create unixctl server", vlog) - - interfaces = {} - seqno = idl.change_seqno # Sequence number when we last processed the db - while True: - unixctl_server.run() - if exiting: - break - - idl.run() - if seqno == idl.change_seqno: - poller = ovs.poller.Poller() - 
unixctl_server.wait(poller) - idl.wait(poller) - poller.block() - continue - seqno = idl.change_seqno - - ssl_cert = get_ssl_cert(idl.tables) - - new_interfaces = {} - for rec in six.itervalues(idl.tables["Interface"].rows): - if rec.type == "ipsec_gre": - name = rec.name - options = rec.options - peer_cert_name = "ovs-%s.pem" % (options.get("remote_ip")) - entry = { - "remote_ip": options.get("remote_ip"), - "local_ip": options.get("local_ip", "0.0.0.0/0"), - "certificate": options.get("certificate"), - "private_key": options.get("private_key"), - "use_ssl_cert": options.get("use_ssl_cert"), - "peer_cert": options.get("peer_cert"), - "peer_cert_file": Racoon.cert_dir + "/" + peer_cert_name, - "psk": options.get("psk")} - - if entry["peer_cert"] and entry["psk"]: - vlog.warn("both 'peer_cert' and 'psk' defined for %s" - % name) - continue - elif not entry["peer_cert"] and not entry["psk"]: - vlog.warn("no 'peer_cert' or 'psk' defined for %s" % name) - continue - - # The "use_ssl_cert" option is deprecated and will - # likely go away in the near future. - if entry["use_ssl_cert"] == "true": - if not ssl_cert: - vlog.warn("no valid SSL entry for %s" % name) - continue - - entry["certificate"] = ssl_cert[0] - entry["private_key"] = ssl_cert[1] - - new_interfaces[name] = entry - - if interfaces != new_interfaces: - update_ipsec(ipsec, interfaces, new_interfaces) - interfaces = new_interfaces - - unixctl_server.close() - idl.close() - - -if __name__ == '__main__': - try: - main() - except SystemExit: - # Let system.exit() calls complete normally - raise - except: - vlog.exception("traceback") - sys.exit(ovs.daemon.RESTART_EXIT_CODE) diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c index ac31da6a6..02a246aff 100644 --- a/lib/netdev-vport.c +++ b/lib/netdev-vport.c 
@@ -402,14 +402,13 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args) struct netdev_vport *dev = netdev_vport_cast(dev_); const char *name = netdev_get_name(dev_); const char *type = netdev_get_type(dev_); - bool ipsec_mech_set, needs_dst_port, has_csum; + bool needs_dst_port, has_csum; uint16_t dst_proto = 0, src_proto = 0; struct netdev_tunnel_config tnl_cfg; struct smap_node *node; has_csum = strstr(type, "gre") || strstr(type, "geneve") || strstr(type, "stt") || strstr(type, "vxlan"); - ipsec_mech_set = false; memset(&tnl_cfg, 0, sizeof tnl_cfg); /* Add a default destination port for tunnel ports if none specified. */ @@ -430,7 +429,6 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args) } needs_dst_port = netdev_vport_needs_dst_port(dev_); - tnl_cfg.ipsec = strstr(type, "ipsec"); tnl_cfg.dont_fragment = true; SMAP_FOR_EACH (node, args) { 
@@ -485,33 +483,6 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args) if (!strcmp(node->value, "false")) { tnl_cfg.dont_fragment = false; } - } else if (!strcmp(node->key, "peer_cert") && tnl_cfg.ipsec) { - if (smap_get(args, "certificate")) { - ipsec_mech_set = true; - } else { - const char *use_ssl_cert; - - /* If the "use_ssl_cert" is true, then "certificate" and - * "private_key" will be pulled from the SSL table. The - * use of this option is strongly discouraged, since it - * will like be removed when multiple SSL configurations - * are supported by OVS. - */ - use_ssl_cert = smap_get(args, "use_ssl_cert"); - if (!use_ssl_cert || strcmp(use_ssl_cert, "true")) { - VLOG_ERR("%s: 'peer_cert' requires 'certificate' argument", - name); - return EINVAL; - } - ipsec_mech_set = true; - } - } else if (!strcmp(node->key, "psk") && tnl_cfg.ipsec) { - ipsec_mech_set = true; - } else if (tnl_cfg.ipsec - && (!strcmp(node->key, "certificate") - || !strcmp(node->key, "private_key") - || !strcmp(node->key, "use_ssl_cert"))) { - /* Ignore options not used by the netdev. */ } else if (!strcmp(node->key, "key") || !strcmp(node->key, "in_key") || !strcmp(node->key, "out_key")) { 
@@ -539,41 +510,6 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args) } } - if (tnl_cfg.ipsec) { - static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER; - static pid_t pid = 0; - - VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name); - -#ifndef _WIN32 - ovs_mutex_lock(&mutex); - if (pid <= 0) { - char *file_name = xasprintf("%s/%s", ovs_rundir(), - "ovs-monitor-ipsec.pid"); - pid = read_pidfile(file_name); - free(file_name); - } - ovs_mutex_unlock(&mutex); -#endif - - if (pid < 0) { - VLOG_ERR("%s: IPsec requires the ovs-monitor-ipsec daemon", - name); - return EINVAL; - } - - if (smap_get(args, "peer_cert") && smap_get(args, "psk")) { - VLOG_ERR("%s: cannot define both 'peer_cert' and 'psk'", name); - return EINVAL; - } - - if (!ipsec_mech_set) { - VLOG_ERR("%s: IPsec requires an 'peer_cert' or psk' argument", - name); - return EINVAL; - } - } - if (!ipv6_addr_is_set(&tnl_cfg.ipv6_dst) && !tnl_cfg.ip_dst_flow) { VLOG_ERR("%s: %s type requires valid 'remote_ip' argument", name, type); @@ -898,7 +834,6 @@ netdev_vport_tunnel_register(void) TUNNEL_CLASS("gre", "gre_sys", netdev_gre_build_header, netdev_gre_push_header, netdev_gre_pop_header), - TUNNEL_CLASS("ipsec_gre", "gre_sys", NULL, NULL, NULL), TUNNEL_CLASS("vxlan", "vxlan_sys", netdev_vxlan_build_header, netdev_tnl_push_udp_header, netdev_vxlan_pop_header), diff --git a/lib/netdev.h b/lib/netdev.h index 634c665f3..bad28c4c1 100644 --- a/lib/netdev.h +++ b/lib/netdev.h @@ -97,7 +97,6 @@ struct netdev_tunnel_config { bool tos_inherit; bool csum; - bool ipsec; bool dont_fragment; }; diff --git a/ofproto/ofproto-dpif-ipfix.c b/ofproto/ofproto-dpif-ipfix.c index abea49249..6b00b77d8 100644 --- a/ofproto/ofproto-dpif-ipfix.c +++ b/ofproto/ofproto-dpif-ipfix.c @@ -78,7 +78,6 @@ enum dpif_ipfix_tunnel_type { DPIF_IPFIX_TUNNEL_GRE = 0x02, DPIF_IPFIX_TUNNEL_LISP = 0x03, DPIF_IPFIX_TUNNEL_STT = 0x04, - DPIF_IPFIX_TUNNEL_IPSEC_GRE = 0x05, DPIF_IPFIX_TUNNEL_GENEVE = 0x07, NUM_DPIF_IPFIX_TUNNEL }; 
@@ -311,16 +310,12 @@ struct ipfix_data_record_flow_key_icmp { }); BUILD_ASSERT_DECL(sizeof(struct ipfix_data_record_flow_key_icmp) == 2); -/* For the tunnel type that is on the top of IPSec, the protocol identifier - * of the upper tunnel type is used. - */ static uint8_t tunnel_protocol[NUM_DPIF_IPFIX_TUNNEL] = { 0, /* reserved */ IPPROTO_UDP, /* DPIF_IPFIX_TUNNEL_VXLAN */ IPPROTO_GRE, /* DPIF_IPFIX_TUNNEL_GRE */ IPPROTO_UDP, /* DPIF_IPFIX_TUNNEL_LISP*/ IPPROTO_TCP, /* DPIF_IPFIX_TUNNEL_STT*/ - IPPROTO_GRE, /* DPIF_IPFIX_TUNNEL_IPSEC_GRE */ 0 , /* reserved */ IPPROTO_UDP, /* DPIF_IPFIX_TUNNEL_GENEVE*/ }; @@ -657,10 +652,6 @@ dpif_ipfix_add_tunnel_port(struct dpif_ipfix *di, struct ofport *ofport, /* 32-bit key gre */ dip->tunnel_type = DPIF_IPFIX_TUNNEL_GRE; dip->tunnel_key_length = 4; - } else if (strcmp(type, "ipsec_gre") == 0) { - /* 32-bit key ipsec_gre */ - dip->tunnel_type = DPIF_IPFIX_TUNNEL_IPSEC_GRE; - dip->tunnel_key_length = 4; } else if (strcmp(type, "vxlan") == 0) { dip->tunnel_type = DPIF_IPFIX_TUNNEL_VXLAN; dip->tunnel_key_length = 3; @@ -1728,12 +1719,6 @@ ipfix_cache_entry_init(struct ipfix_flow_cache_entry *entry, data_tunnel->tunnel_destination_ipv4_address = tunnel_key->ip_dst; /* The tunnel_protocol_identifier is from tunnel_proto array, which * contains protocol_identifiers of each tunnel type. - * For the tunnel type on the top of IPSec, which uses the protocol - * identifier of the upper tunnel type is used, the tcp_src and tcp_dst - * are decided based on the protocol identifiers. - * E.g: - * The protocol identifier of DPIF_IPFIX_TUNNEL_IPSEC_GRE is IPPROTO_GRE, - * and both tp_src and tp_dst are zero. */ data_tunnel->tunnel_protocol_identifier = tunnel_protocol[tunnel_port->tunnel_type]; diff --git a/ofproto/ofproto-dpif-sflow.c b/ofproto/ofproto-dpif-sflow.c index 11d3a53d2..9ea885141 100644 --- a/ofproto/ofproto-dpif-sflow.c +++ b/ofproto/ofproto-dpif-sflow.c 
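Review bot: Dropping the `IPPROTO_GRE` row from `tunnel_protocol[]` in the `@@ -311` hunk shifts every later positional initializer down one slot, but the enum hunk in the same file keeps `DPIF_IPFIX_TUNNEL_GENEVE = 0x07`, so the array still has `NUM_DPIF_IPFIX_TUNNEL` (8) entries: the `0 /* reserved */` now lands on the old IPSEC_GRE slot 5, `IPPROTO_UDP` on slot 6, and slot 7 (Geneve) is zero-filled, so Geneve IPFIX records will carry a tunnel protocol identifier of 0 instead of `IPPROTO_UDP`. The minimal fix is to keep a placeholder row `0, /* reserved (formerly DPIF_IPFIX_TUNNEL_IPSEC_GRE) */` at slot 5; a sturdier one is to index the table by enum name with designated initializers so this positional coupling cannot recur, as below. Whichever is chosen, the comment removed from above the array should be replaced by one stating that unlisted slots are reserved and read as 0.
```c
/* Indexed by enum dpif_ipfix_tunnel_type; slots not listed are reserved
 * and read as 0. */
static uint8_t tunnel_protocol[NUM_DPIF_IPFIX_TUNNEL] = {
    [DPIF_IPFIX_TUNNEL_VXLAN]  = IPPROTO_UDP,
    [DPIF_IPFIX_TUNNEL_GRE]    = IPPROTO_GRE,
    [DPIF_IPFIX_TUNNEL_LISP]   = IPPROTO_UDP,
    [DPIF_IPFIX_TUNNEL_STT]    = IPPROTO_TCP,
    [DPIF_IPFIX_TUNNEL_GENEVE] = IPPROTO_UDP,
};
```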
@@ -61,7 +61,6 @@ enum dpif_sflow_tunnel_type { DPIF_SFLOW_TUNNEL_VXLAN, DPIF_SFLOW_TUNNEL_GRE, DPIF_SFLOW_TUNNEL_LISP, - DPIF_SFLOW_TUNNEL_IPSEC_GRE, DPIF_SFLOW_TUNNEL_GENEVE }; @@ -582,8 +581,6 @@ dpif_sflow_tunnel_type(struct ofport *ofport) { if (type) { if (strcmp(type, "gre") == 0) { return DPIF_SFLOW_TUNNEL_GRE; - } else if (strcmp(type, "ipsec_gre") == 0) { - return DPIF_SFLOW_TUNNEL_IPSEC_GRE; } else if (strcmp(type, "vxlan") == 0) { return DPIF_SFLOW_TUNNEL_VXLAN; } else if (strcmp(type, "lisp") == 0) { @@ -606,10 +603,6 @@ dpif_sflow_tunnel_proto(enum dpif_sflow_tunnel_type tunnel_type) ipproto = IPPROTO_GRE; break; - case DPIF_SFLOW_TUNNEL_IPSEC_GRE: - ipproto = IPPROTO_ESP; - break; - case DPIF_SFLOW_TUNNEL_VXLAN: case DPIF_SFLOW_TUNNEL_LISP: case DPIF_SFLOW_TUNNEL_GENEVE: diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c index 9a69071c0..97de59e0d 100644 --- a/ofproto/tunnel.c +++ b/ofproto/tunnel.c @@ -41,15 +41,11 @@ VLOG_DEFINE_THIS_MODULE(tunnel); -/* skb mark used for IPsec tunnel packets */ -#define IPSEC_MARK 1 - struct tnl_match { ovs_be64 in_key; struct in6_addr ipv6_src; struct in6_addr ipv6_dst; odp_port_t odp_port; - uint32_t pkt_mark; bool in_key_flow; bool ip_src_flow; bool ip_dst_flow; @@ -164,7 +160,6 @@ tnl_port_add__(const struct ofport_dpif *ofport, const struct netdev *netdev, tnl_port->match.ipv6_dst = cfg->ipv6_dst; tnl_port->match.ip_src_flow = cfg->ip_src_flow; tnl_port->match.ip_dst_flow = cfg->ip_dst_flow; - tnl_port->match.pkt_mark = cfg->ipsec ? IPSEC_MARK : 0; tnl_port->match.in_key_flow = cfg->in_key_flow; tnl_port->match.odp_port = odp_port; @@ -357,7 +352,6 @@ tnl_process_ecn(struct flow *flow) flow->nw_tos |= IP_ECN_CE; } - flow->pkt_mark &= ~IPSEC_MARK; return true; } 
@@ -383,8 +377,6 @@ tnl_wc_init(struct flow *flow, struct flow_wildcards *wc)
wc->masks.tunnel.tp_src = 0;
wc->masks.tunnel.tp_dst = 0;

- memset(&wc->masks.pkt_mark, 0xff, sizeof wc->masks.pkt_mark);
-
if (is_ip_any(flow)
&& IP_ECN_is_ce(flow->tunnel.ip_tos)) {
wc->masks.nw_tos |= IP_ECN_MASK;
@@ -435,9 +427,6 @@ tnl_port_send(const struct ofport_dpif *ofport, struct flow *flow,
flow->tunnel.ipv6_dst = in6addr_any;
}
}
- flow->pkt_mark |= tnl_port->match.pkt_mark;
- wc->masks.pkt_mark |= tnl_port->match.pkt_mark;
-
if (!cfg->out_key_flow) {
flow->tunnel.tun_id = cfg->out_key;
}
@@ -561,7 +550,6 @@ tnl_find(const struct flow *flow) OVS_REQ_RDLOCK(rwlock)
match.ipv6_dst = flow_tnl_src(&flow->tunnel);
}
match.odp_port = flow->in_port.odp_port;
- match.pkt_mark = flow->pkt_mark;
match.in_key_flow = in_key_flow;
match.ip_dst_flow = ip_dst_flow;
match.ip_src_flow = ip_src == IP_SRC_FLOW;
@@ -616,7 +604,6 @@ tnl_match_fmt(const struct tnl_match *match, struct ds *ds)
}

ds_put_format(ds, ", dp port=%"PRIu32, match->odp_port);
- ds_put_format(ds, ", pkt mark=%"PRIu32, match->pkt_mark);
}

static void
diff --git a/tests/automake.mk b/tests/automake.mk
index 8ac98bf8a..a2b7786f3 100644
--- a/tests/automake.mk
+++ b/tests/automake.mk
@@ -82,7 +82,6 @@ TESTSUITE_AT = \
tests/ovsdb-idl.at \
tests/ovsdb-lock.at \
tests/ovs-vsctl.at \
- tests/ovs-monitor-ipsec.at \
tests/ovs-xapi-sync.at \
tests/stp.at \
tests/rstp.at \
diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
index a4303dc09..92ab9ab4e 100644
--- a/tests/ofproto-macros.at
+++ b/tests/ofproto-macros.at
@@ -370,7 +370,6 @@ check_logs () {
done
sed -n "$1
-/.*OVS IPsec tunnel support is deprecated./d
/timeval.*Unreasonably long [[0-9]]*ms poll interval/d
/timeval.*faults: [[0-9]]* minor, [[0-9]]* major/d
/timeval.*disk: [[0-9]]* reads, [[0-9]]* writes/d
@@ -469,53 +468,4 @@ m4_define([WAIT_FOR_DUMMY_PORTS], \ OVS_WAIT_WHILE([ovs-appctl netdev-dummy/conn-state dummy_port \ | grep 'unknown\|disconnected'])])]) -# OVS_MONITOR_IPSEC_START() -# -# Starts ovs-monitor-ipsec daemon. Use this macro only after testing -# that python is present on the system. -m4_define([OVS_MONITOR_IPSEC_START], -[ -cp "$top_srcdir/vswitchd/vswitch.ovsschema" . - -on_exit 'kill `cat pid ovs-monitor-ipsec.pid`' -mkdir etc etc/init.d etc/racoon etc/racoon/certs -mkdir usr usr/sbin -mkdir sbin - -AT_DATA([etc/init.d/racoon], [dnl -#! /bin/sh -echo "racoon: @S|@@" >&3 -exit 0 -]) -chmod +x etc/init.d/racoon - -AT_DATA([usr/sbin/setkey], [dnl -#! /bin/sh -exec >&3 -echo "setkey:" -while read line; do - echo "> $line" -done -]) -chmod +x usr/sbin/setkey - -AT_DATA([sbin/ip], [dnl -#! /bin/sh -exit 0 -]) -chmod +x sbin/ip - -touch etc/racoon/certs/ovs-stale.pem - -### -### Start ovs-monitor-ipsec and wait for it to delete the stale cert. -### -AT_CHECK( - [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \ - "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \ - unix:$OVS_RUNDIR/db.sock 2>log 3>actions &]) -AT_CAPTURE_FILE([log]) -AT_CAPTURE_FILE([actions]) -OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem]) -]) diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at index 372db2799..00ee482f3 100644 --- a/tests/ovn-controller.at +++ b/tests/ovn-controller.at 
@@ -195,7 +195,7 @@ OVS_WAIT_UNTIL([check_datapath_type ""])

# The following will need to be updated as OVS starts to support more
# interface types.
-expected_iface_types="dummy,dummy-internal,dummy-pmd,geneve,gre,internal,ipsec_gre,lisp,patch,stt,system,tap,vxlan"
+expected_iface_types="dummy,dummy-internal,dummy-pmd,geneve,gre,internal,lisp,patch,stt,system,tap,vxlan"
chassis_iface_types=$(ovn-sbctl get Chassis ${sysid} external_ids:iface-types | sed -e 's/\"//g')
echo "chassis_iface_types = ${chassis_iface_types}"
AT_CHECK([test "${expected_iface_types}" = "${chassis_iface_types}"])
diff --git a/tests/ovs-monitor-ipsec.at b/tests/ovs-monitor-ipsec.at
deleted file mode 100644
index cae28789e..000000000
--- a/tests/ovs-monitor-ipsec.at
+++ /dev/null
@@ -1,271 +0,0 @@ -AT_BANNER([ovs-monitor-ipsec]) - -AT_SETUP([ovs-monitor-ipsec]) -AT_SKIP_IF([test $HAVE_PYTHON = no]) -AT_SKIP_IF([test "$IS_WIN32" = "yes"]) -AT_SKIP_IF([$non_ascii_cwd]) - -trim () { # Removes blank lines and lines starting with # from input. - sed -e '/^#/d' -e '/^[ ]*$/d' "$@" -} - -OVS_VSWITCHD_START([]) -OVS_MONITOR_IPSEC_START - -### -### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does -### -AT_CHECK([ovs-vsctl \ - -- add-port br0 gre0 \ - -- set interface gre0 type=ipsec_gre \ - options:remote_ip=1.2.3.4 \ - options:psk=swordfish]) -OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null]) -AT_CHECK([cat actions], [0], [dnl -setkey: -> flush; -setkey: -> spdflush; -racoon: reload -racoon: reload -setkey: -> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require; -> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require; -]) -AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish -]) -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl -path pre_shared_key "/etc/racoon/psk.txt"; -path certificate "/etc/racoon/certs"; -remote 1.2.3.4 { - exchange_mode main; - nat_traversal on; - proposal { - encryption_algorithm aes; - hash_algorithm sha1; - authentication_method pre_shared_key; - dh_group 2; - } -} -sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} -]) - -### -### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does -### -AT_CHECK([ovs-vsctl del-port gre0]) -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17]) -AT_CHECK([sed '1,9d' actions], [0], [dnl -racoon: reload -setkey: -> spddelete 0.0.0.0/0 1.2.3.4 gre -P out; -> spddelete 1.2.3.4 0.0.0.0/0 gre -P in; -setkey: -> dump ; -setkey: -> dump ; -]) -AT_CHECK([trim etc/racoon/psk.txt], [0], []) -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl -path pre_shared_key "/etc/racoon/psk.txt"; -path 
certificate "/etc/racoon/certs"; -sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} -]) - -### -### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does -### -AT_DATA([cert.pem], [dnl ------BEGIN CERTIFICATE----- -(not a real certificate) ------END CERTIFICATE----- -]) -AT_DATA([key.pem], [dnl ------BEGIN RSA PRIVATE KEY----- -(not a real private key) ------END RSA PRIVATE KEY----- -]) -AT_CHECK([ovs-vsctl \ - -- add-port br0 gre1 \ - -- set Interface gre1 type=ipsec_gre \ - options:remote_ip=2.3.4.5 \ - options:peer_cert='"-----BEGIN CERTIFICATE----- -(not a real peer certificate) ------END CERTIFICATE----- -"' \ - options:certificate='"/cert.pem"' \ - options:private_key='"/key.pem"']) -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21]) -AT_CHECK([sed '1,17d' actions], [0], [dnl -racoon: reload -setkey: -> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require; -> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require; -]) -AT_CHECK([trim etc/racoon/psk.txt], [0], []) -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl -path pre_shared_key "/etc/racoon/psk.txt"; -path certificate "/etc/racoon/certs"; -remote 2.3.4.5 { - exchange_mode main; - nat_traversal on; - ike_frag on; - certificate_type x509 "/cert.pem" "/key.pem"; - my_identifier asn1dn; - peers_identifier asn1dn; - peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem"; - verify_identifier on; - proposal { - encryption_algorithm aes; - hash_algorithm sha1; - authentication_method rsasig; - dh_group 2; - } -} -sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} -]) -AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl ------BEGIN CERTIFICATE----- -(not a real peer certificate) ------END CERTIFICATE----- -]) - -### -### Delete the 
ipsec_gre certificate interface. -### -AT_CHECK([ovs-vsctl del-port gre1]) -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29]) -AT_CHECK([sed '1,21d' actions], [0], [dnl -racoon: reload -setkey: -> spddelete 0.0.0.0/0 2.3.4.5 gre -P out; -> spddelete 2.3.4.5 0.0.0.0/0 gre -P in; -setkey: -> dump ; -setkey: -> dump ; -]) -AT_CHECK([trim etc/racoon/psk.txt], [0], []) -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl -path pre_shared_key "/etc/racoon/psk.txt"; -path certificate "/etc/racoon/certs"; -sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} -]) -AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem]) - -### -### Add an SSL certificate interface. -### -cp cert.pem ssl-cert.pem -cp key.pem ssl-key.pem -AT_DATA([ssl-cacert.pem], [dnl ------BEGIN CERTIFICATE----- -(not a real CA certificate) ------END CERTIFICATE----- -]) -AT_CHECK([ovs-vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \ - -- add-port br0 gre2 \ - -- set Interface gre2 type=ipsec_gre \ - options:remote_ip=3.4.5.6 \ - options:peer_cert='"-----BEGIN CERTIFICATE----- -(not a real peer certificate) ------END CERTIFICATE----- -"' \ - options:use_ssl_cert='"true"']) -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33]) -AT_CHECK([sed '1,29d' actions], [0], [dnl -racoon: reload -setkey: -> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require; -> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require; -]) -AT_CHECK([trim etc/racoon/psk.txt], [0], []) -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl -path pre_shared_key "/etc/racoon/psk.txt"; -path certificate "/etc/racoon/certs"; -remote 3.4.5.6 { - exchange_mode main; - nat_traversal on; - ike_frag on; - certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem"; - my_identifier asn1dn; - peers_identifier asn1dn; - peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem"; - verify_identifier on; - proposal { - 
encryption_algorithm aes; - hash_algorithm sha1; - authentication_method rsasig; - dh_group 2; - } -} -sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} -]) -AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl ------BEGIN CERTIFICATE----- -(not a real peer certificate) ------END CERTIFICATE----- -]) - -### -### Delete the SSL certificate interface. -### -AT_CHECK([ovs-vsctl del-port gre2]) -OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41]) -AT_CHECK([sed '1,33d' actions], [0], [dnl -racoon: reload -setkey: -> spddelete 0.0.0.0/0 3.4.5.6 gre -P out; -> spddelete 3.4.5.6 0.0.0.0/0 gre -P in; -setkey: -> dump ; -setkey: -> dump ; -]) -AT_CHECK([trim etc/racoon/psk.txt], [0], []) -AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl -path pre_shared_key "/etc/racoon/psk.txt"; -path certificate "/etc/racoon/certs"; -sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} -]) -AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem]) - -dnl Skip SSL errors reported by Open vSwitch -OVS_VSWITCHD_STOP(["/stream_ssl/d"]) -AT_CLEANUP diff --git a/tests/testsuite.at b/tests/testsuite.at index f5f125315..2123beef4 100644 --- a/tests/testsuite.at +++ b/tests/testsuite.at @@ -63,7 +63,6 @@ m4_include([tests/bridge.at]) m4_include([tests/netdev-type.at]) m4_include([tests/ovsdb.at]) m4_include([tests/ovs-vsctl.at]) -m4_include([tests/ovs-monitor-ipsec.at]) m4_include([tests/ovs-xapi-sync.at]) m4_include([tests/interface-reconfigure.at]) m4_include([tests/stp.at]) diff --git a/tests/tunnel-push-pop-ipv6.at b/tests/tunnel-push-pop-ipv6.at index c213a85ab..16dc571e2 100644 --- a/tests/tunnel-push-pop-ipv6.at +++ b/tests/tunnel-push-pop-ipv6.at 
@@ -158,7 +158,7 @@ AT_CHECK([ovs-ofctl dump-ports int-br | grep 'port 5'], [0], [dnl
port 5: rx pkts=1, bytes=98, drop=?, errs=?, frame=?, over=?, crc=?
])
AT_CHECK([ovs-appctl dpif/dump-flows int-br | grep 'in_port(6081)'], [0], [dnl
-tunnel(tun_id=0x7b,ipv6_src=2001:cafe::92,ipv6_dst=2001:cafe::88,geneve({class=0xffff,type=0x80,len=4,0xa/0xf}{class=0xffff,type=0,len=4}),flags(-df-csum+key)),skb_mark(0),recirc_id(0),in_port(6081),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(controller))
+tunnel(tun_id=0x7b,ipv6_src=2001:cafe::92,ipv6_dst=2001:cafe::88,geneve({class=0xffff,type=0x80,len=4,0xa/0xf}{class=0xffff,type=0,len=4}),flags(-df-csum+key)),recirc_id(0),in_port(6081),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(controller))
])
OVS_VSWITCHD_STOP
diff --git a/tests/tunnel-push-pop.at b/tests/tunnel-push-pop.at
index 8245bf137..700ef5508 100644
--- a/tests/tunnel-push-pop.at
+++ b/tests/tunnel-push-pop.at
@@ -163,7 +163,7 @@ AT_CHECK([ovs-ofctl dump-ports int-br | grep 'port 5'], [0], [dnl
port 5: rx pkts=1, bytes=98, drop=?, errs=?, frame=?, over=?, crc=?
])
AT_CHECK([ovs-appctl dpif/dump-flows int-br | grep 'in_port(6081)'], [0], [dnl
-tunnel(tun_id=0x7b,src=1.1.2.92,dst=1.1.2.88,geneve({class=0xffff,type=0x80,len=4,0xa/0xf}{class=0xffff,type=0,len=4}),flags(-df-csum+key)),skb_mark(0),recirc_id(0),in_port(6081),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(controller))
+tunnel(tun_id=0x7b,src=1.1.2.92,dst=1.1.2.88,geneve({class=0xffff,type=0x80,len=4,0xa/0xf}{class=0xffff,type=0,len=4}),flags(-df-csum+key)),recirc_id(0),in_port(6081),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(controller))
])
OVS_VSWITCHD_STOP
diff --git a/tests/tunnel.at b/tests/tunnel.at
index dbc6a11ad..647a466df 100644
--- a/tests/tunnel.at
+++ b/tests/tunnel.at
@@ -82,28 +82,28 @@ AT_CHECK([ovs-appctl dpif/show | tail -n +3], [0], [dnl dnl Tunnel CE and encapsulated packet CE AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=3,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=3,nw_frag=no + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=3,nw_frag=no Datapath actions: 2 ]) dnl Tunnel CE and encapsulated packet ECT(1) AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=1,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=1,nw_frag=no + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=1,nw_frag=no Datapath actions: set(ipv4(tos=0x3/0x3)),2 ]) dnl Tunnel CE and encapsulated packet ECT(2) AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=2,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=2,nw_frag=no + [Megaflow: 
recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=2,nw_frag=no Datapath actions: set(ipv4(tos=0x3/0x3)),2 ]) dnl Tunnel CE and encapsulated packet Non-ECT AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'tunnel(src=1.1.1.1,dst=2.2.2.2,tos=0x3,ttl=64,flags()),in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=0,ttl=64,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) AT_CHECK([tail -2 stdout], [0], - [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=0,nw_frag=no + [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=2.2.2.2,tun_tos=3,tun_flags=-df-csum-key,in_port=1,nw_ecn=0,nw_frag=no Datapath actions: drop ]) OVS_VSWITCHD_STOP(["/dropping tunnel packet marked ECN CE but is not ECN capable/d"]) 
@@ -196,75 +196,6 @@ AT_CHECK([tail -1 stdout], [0], OVS_VSWITCHD_STOP AT_CLEANUP -AT_SETUP([tunnel - encrypted tunnel and not setting skb_mark]) -AT_SKIP_IF([test $HAVE_PYTHON = no]) -AT_SKIP_IF([test "$IS_WIN32" = "yes"]) -AT_SKIP_IF([$non_ascii_cwd]) -OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \ - options:remote_ip=1.1.1.1 options:local_ip=2.2.2.2 \ - options:key=5 ofport_request=1\ - -- add-port br0 p2 -- set Interface p2 type=dummy \ - ofport_request=2 ofport_request=2]) -AT_DATA([flows.txt], [dnl -actions=output:1 -]) -OVS_MONITOR_IPSEC_START -AT_CHECK([ovs-vsctl set interface p1 type=ipsec_gre options:psk=1234567890]) -OVS_VSWITCHD_DISABLE_TUNNEL_PUSH_POP -AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(2),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) -AT_CHECK([tail -1 stdout], [0], - [Datapath actions: set(tunnel(tun_id=0x5,src=2.2.2.2,dst=1.1.1.1,ttl=64,flags(df|key))),set(skb_mark(0x1/0x1)),1 -]) -OVS_VSWITCHD_STOP -AT_CLEANUP - -AT_SETUP([tunnel - encrypted tunnel and setting skb_mark to 1]) -AT_SKIP_IF([test $HAVE_PYTHON = no]) -AT_SKIP_IF([test "$IS_WIN32" = "yes"]) -AT_SKIP_IF([$non_ascii_cwd]) -OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \ - options:remote_ip=1.1.1.1 options:local_ip=2.2.2.2 \ - options:key=5 ofport_request=1\ - -- add-port br0 p2 -- set Interface p2 type=dummy \ - ofport_request=2 ofport_request=2]) -AT_DATA([flows.txt], [dnl -actions=load:0x1->NXM_NX_PKT_MARK[[]],output:1 -]) -OVS_MONITOR_IPSEC_START -AT_CHECK([ovs-vsctl set interface p1 type=ipsec_gre options:psk=1234567890]) -OVS_VSWITCHD_DISABLE_TUNNEL_PUSH_POP -AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 
'in_port(2),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) -AT_CHECK([tail -1 stdout], [0], - [Datapath actions: set(tunnel(tun_id=0x5,src=2.2.2.2,dst=1.1.1.1,ttl=64,flags(df|key))),set(skb_mark(0x1)),1 -]) -OVS_VSWITCHD_STOP -AT_CLEANUP - -AT_SETUP([tunnel - encrypted tunnel and setting skb_mark to 2]) -AT_SKIP_IF([test $HAVE_PYTHON = no]) -AT_SKIP_IF([test "$IS_WIN32" = "yes"]) -AT_SKIP_IF([$non_ascii_cwd]) -OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \ - options:remote_ip=1.1.1.1 options:local_ip=2.2.2.2 \ - options:key=5 ofport_request=1\ - -- add-port br0 p2 -- set Interface p2 type=dummy \ - ofport_request=2 ofport_request=2]) -AT_DATA([flows.txt], [dnl -actions=load:0x2->NXM_NX_PKT_MARK[[]],output:1 -]) -OVS_MONITOR_IPSEC_START -AT_CHECK([ovs-vsctl set interface p1 type=ipsec_gre options:psk=1234567890]) -OVS_VSWITCHD_DISABLE_TUNNEL_PUSH_POP -AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(2),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=6,tos=4,ttl=128,frag=no),tcp(src=8,dst=9)'], [0], [stdout]) -AT_CHECK([tail -1 stdout], [0], - [Datapath actions: set(tunnel(tun_id=0x5,src=2.2.2.2,dst=1.1.1.1,ttl=64,flags(df|key))),set(skb_mark(0x3)),1 -]) -OVS_VSWITCHD_STOP -AT_CLEANUP - AT_SETUP([tunnel - ToS and TTL inheritance]) OVS_VSWITCHD_START([add-port br0 p1 -- set Interface p1 type=gre \ options:remote_ip=1.1.1.1 options:tos=inherit \ 
@@ -559,14 +490,14 @@ AT_CHECK([tail -1 stdout], [0],

dnl Option match
AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,type=0,len=4,0xb}),flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
- [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/0xf,in_port=1,nw_frag=no
+ [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/0xf,in_port=1,nw_frag=no
Datapath actions: 2
])

dnl Skip unknown option
AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,type=0,len=4,0xb}{class=0xffff,type=2,len=4,0xc}),flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
- [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/0xf,in_port=1,nw_frag=no
+ [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0=0xb/0xf,in_port=1,nw_frag=no
Datapath actions: 2
])
@@ -600,7 +531,7 @@ AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=3,len=8}->tun_metadata3"
AT_CHECK([ovs-ofctl add-flow br0 tun_metadata3=0x1234567890abcdef,actions=2])
AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,type=3,len=8,0x1234567890abcdef}),flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
- [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata3=0x1234567890abcdef,in_port=1,nw_frag=no
+ [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata3=0x1234567890abcdef,in_port=1,nw_frag=no
Datapath actions: 2
])

@@ -635,13 +566,13 @@ NXST_FLOW reply:

AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,type=0,len=4,0x12345678}),flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
- [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0,tun_metadata1=NP,tun_metadata2=NP,in_port=1,nw_frag=no
+ [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata0,tun_metadata1=NP,tun_metadata2=NP,in_port=1,nw_frag=no
Datapath actions: 2
])

AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'recirc_id(0),tunnel(tun_id=0x0,src=1.1.1.1,dst=1.1.1.2,ttl=64,geneve({class=0xffff,type=1,len=0}),flags(df|key)),in_port(6081),skb_mark(0),eth_type(0x0800),ipv4(frag=no)'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
- [Megaflow: pkt_mark=0,recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata1,tun_metadata2=NP,in_port=1,nw_ecn=0,nw_frag=no
+ [Megaflow: recirc_id=0,ip,tun_id=0,tun_src=1.1.1.1,tun_dst=1.1.1.2,tun_tos=0,tun_flags=+df-csum+key,tun_metadata1,tun_metadata2=NP,in_port=1,nw_ecn=0,nw_frag=no
Datapath actions: set(tunnel(tun_id=0x0,dst=1.1.1.1,ttl=64,geneve({class=0xffff,type=0x1,len=0}),flags(df|key))),6081
])

diff --git a/utilities/bugtool/ovs-bugtool.in b/utilities/bugtool/ovs-bugtool.in
index 2ec2f2a05..963c50cc3 100755
--- a/utilities/bugtool/ovs-bugtool.in
+++ b/utilities/bugtool/ovs-bugtool.in
@@ -630,7 +630,7 @@ exclude those logs from the archive.

ovs_logs = ([OPENVSWITCH_LOG_DIR + x for x in
['ovs-vswitchd.log', 'ovsdb-server.log',
- 'ovs-xapi-sync.log', 'ovs-monitor-ipsec.log', 'ovs-ctl.log']])
+ 'ovs-xapi-sync.log', 'ovs-ctl.log']])
for log in ovs_logs:
prefix_output(CAP_OPENVSWITCH_LOGS, log,
last_mod_time=log_last_mod_time)
diff --git a/utilities/ovs-appctl.8.in b/utilities/ovs-appctl.8.in index 0eda7f222..645b62b4b 100644 --- a/utilities/ovs-appctl.8.in +++ b/utilities/ovs-appctl.8.in @@ -254,8 +254,8 @@ The default pattern for console and file output is \fB%D{%Y-%m-%dT %H:%M:%SZ}|%05N|%c|%p|%m\fR; for syslog output, \fB%05N|%c|%p|%m\fR. . .IP -Daemons written in Python (e.g. \fBovs\-xapi\-sync\fR, -\fBovs\-monitor\-ipsec) do not allow control over the log pattern. +Daemons written in Python (e.g. \fBovs\-xapi\-sync\fR) do not allow +control over the log pattern. . .IP "\fBvlog/set\fR FACILITY:\fIfacility\fR" Sets the RFC5424 facility of the log message. \fIfacility\fR can be one of diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index 976f3ca3f..8ff385300 100644 --- a/vswitchd/vswitch.xml +++ b/vswitchd/vswitch.xml @@ -2004,15 +2004,6 @@ tunnel. </dd> - <dt><code>ipsec_gre</code></dt> - <dd> - An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4/IPv6 - IPsec tunnel. - IPsec tunnel ports are deprecated. The support will be completely - removed in next version. - - </dd> - <dt><code>vxlan</code></dt> <dd> <p> @@ -2075,8 +2066,8 @@ <group title="Tunnel Options"> <p> These options apply to interfaces with <ref column="type"/> of - <code>geneve</code>, <code>gre</code>, <code>ipsec_gre</code>, - <code>vxlan</code>, <code>lisp</code> and <code>stt</code>. + <code>geneve</code>, <code>gre</code>, <code>vxlan</code>, + <code>lisp</code> and <code>stt</code>. </p> <p> @@ -2253,9 +2244,9 @@ </group> - <group title="Tunnel Options: gre, ipsec_gre, geneve, and vxlan"> + <group title="Tunnel Options: gre, geneve, and vxlan"> <p> - <code>gre</code>, <code>ipsec_gre</code>, <code>geneve</code>, and + <code>gre</code>, <code>geneve</code>, and <code>vxlan</code> interfaces support these options. </p> 
@@ -2277,43 +2268,6 @@ is compatible with. </p> - <p> - This option is supported for <code>ipsec_gre</code>, but not useful - because GRE checksums are weaker than, and redundant with, IPsec - payload authentication. - </p> - </column> - </group> - - <group title="Tunnel Options: ipsec_gre only"> - <p> - Only <code>ipsec_gre</code> interfaces support these options. - </p> - - <column name="options" key="peer_cert"> - Required for certificate authentication. A string containing the - peer's certificate in PEM format. Additionally the host's - certificate must be specified with the <code>certificate</code> - option. - </column> - - <column name="options" key="certificate"> - Required for certificate authentication. The name of a PEM file - containing a certificate that will be presented to the peer during - authentication. - </column> - - <column name="options" key="private_key"> - Optional for certificate authentication. The name of a PEM file - containing the private key associated with <code>certificate</code>. - If <code>certificate</code> contains the private key, this option may - be omitted. - </column> - - <column name="options" key="psk"> - Required for pre-shared key authentication. Specifies a pre-shared - key for authentication that must be identical on both sides of the - tunnel. </column> </group> </group> @@ -4774,8 +4728,7 @@ <p>type: unsigned 8-bit integer.</p> <p>data type semantics: identifier.</p> <p>description: Identifier of the layer 2 network overlay network - encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x05 IPsec+GRE, - 0x07 GENEVE.</p> + encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x07 GENEVE.</p> </dd> <dt>tunnelKey:</dt> <dd> |