On Fri, Sep 23, 2016 at 11:27 PM, Ansis Atteka <ansisatt...@gmail.com> wrote: > > > On 21 September 2016 at 03:26, Pravin B Shelar <pshe...@ovn.org> wrote: >> >> OVS IPsec tunnel support has issues: >> 1. It only works for GRE. >> 2. only works on Debian. >> 3. It does not allow user to match on packet-mark >> on packet received on tunnel ports. >> >> This patch deprecates support for IPsec tunnel port. >> >> Signed-off-by: Pravin B Shelar <pshe...@ovn.org> >> --- >> After discussing this patch with Jesse, I have decided to >> just deprecate this feature and not provide any option >> to allow external IPsec tunnel management. The reason is >> that this the option would again cause compatibility >> issues when IPsec tunnel port support is removed. Considering >> this feature is not much used it is better to just >> deprecate it for OVS 2.6. >> --- >> NEWS | 1 + >> debian/changelog | 1 + >> debian/control | 1 + >> lib/netdev-vport.c | 2 ++ >> vswitchd/vswitch.xml | 3 +++ >> 5 files changed, 8 insertions(+) >> >> diff --git a/NEWS b/NEWS >> index 21ab538..9363e91 100644 >> --- a/NEWS >> +++ b/NEWS >> @@ -149,6 +149,7 @@ v2.6.0 - xx xxx xxxx >> * Flow based tunnel match and action can be used for IPv6 address >> using >> tun_ipv6_src, tun_ipv6_dst fields. >> * Added support for IPv6 tunnels, for details checkout FAQ. >> + * Deprecated support for IPsec tunnels ports. >> - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port >> and >> watch with tcpdump >> - Introduce --no-self-confinement flag that allows daemons to work >> with >> diff --git a/debian/changelog b/debian/changelog >> index d73e636..13aae36 100644 >> --- a/debian/changelog >> +++ b/debian/changelog 
>> @@ -108,6 +108,7 @@ openvswitch (2.6.0-1) unstable; urgency=low >> * Flow based tunnel match and action can be used for IPv6 address >> using >> tun_ipv6_src, tun_ipv6_dst fields. >> * Added support for IPv6 tunnels, for details checkout FAQ. >> + * Deprecated support for IPsec tunnels ports. >> - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port >> and >> watch with tcpdump >> - Introduce --no-self-confinement flag that allows daemons to work >> with >> diff --git a/debian/control b/debian/control >> index 6e704f1..da86fe9 100644 >> --- a/debian/control >> +++ b/debian/control >> @@ -200,6 +200,7 @@ Description: Open vSwitch GRE-over-IPsec support >> . >> The ovs-monitor-ipsec script provides support for encrypting GRE >> tunnels with IPsec. >> + IPsec tunnels support is deprecated. >> >> Package: openvswitch-pki >> Architecture: all >> diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c >> index 8d22cf5..ac31da6 100755 >> --- a/lib/netdev-vport.c >> +++ b/lib/netdev-vport.c >> @@ -543,6 +543,8 @@ set_tunnel_config(struct netdev *dev_, const struct >> smap *args) >> static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER; >> static pid_t pid = 0; >> >> + VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name); >> + >> #ifndef _WIN32 >> ovs_mutex_lock(&mutex); >> if (pid <= 0) { >> diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml >> index e73023d..6381cc8 100644 >> --- a/vswitchd/vswitch.xml >> +++ b/vswitchd/vswitch.xml >> @@ -2008,6 +2008,9 @@ >> <dd> >> An Ethernet over RFC 2890 Generic Routing Encapsulation over >> IPv4/IPv6 >> IPsec tunnel. >> + IPsec tunnel port are deprecated. The support will be >> completely > > > > Here is a small typo that you may want to fix "tunnel port*s* are". Just > squash it in and push. > Thanks for the review. I fixed the patch and pushed it to master and branch 2.6.
> Acked-by: Ansis Atteka <aatt...@ovn.org>
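Review bot: In the NEWS hunk, the added entry "Deprecated support for IPsec tunnels ports." should read "IPsec tunnel ports"; the identical line added in the debian/changelog hunk has the same slip. Since both entries are what operators read when upgrading, it would also help to say that the port type still works in this release and is only scheduled for removal.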
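Review bot: In the debian/control hunk, the sentence added to the package Description, "IPsec tunnels support is deprecated.", should use "IPsec tunnel support", the form the commit message and the new log string in lib/netdev-vport.c already use. Consider naming the release where the deprecation starts (OVS 2.6 per the notes under the sign-off) so the description stays meaningful once the package is installed on later versions.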
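Review bot: In the lib/netdev-vport.c hunk, the new VLOG_ERR call in set_tunnel_config() is unconditional within the visible lines and sits ahead of the #ifndef _WIN32 block, so a deprecation notice is emitted at error severity every time this path runs. Deprecation is not a failure: a warning-level message, logged once or rate-limited, would avoid flooding the log on repeated port reconfiguration and avoid tripping monitoring that alerts on ERR lines. The text could also state that support will be removed, in line with the wording added to vswitchd/vswitch.xml.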