Add the ability to pass any nb_global option with the ipsec prefix to sb, which ovs-monitor-ipsec will use to configure the IPsec backend. For example:
ovn-nbctl set nb_global . options:ipsec_replay-window=128 ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s ovn-nbctl set nb_global . options:ipsec_salifetime=8h Reported-at: https://redhat.atlassian.net/browse/FDP-3029 Signed-off-by: Mairtin O'Loingsigh <[email protected]> --- Changes since v1: - Make prefix string static const. - Fix documentation. - Update news entry to reference NB_Global. Documentation/tutorials/ovn-ipsec.rst | 5 +++++ NEWS | 2 ++ controller/encaps.c | 13 +++++++++++++ ovn-nb.xml | 6 ++++++ tests/ovn-ipsec.at | 12 ++++++++++++ 5 files changed, 38 insertions(+) diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst index aebd3e848..2b4f026d6 100644 --- a/Documentation/tutorials/ovn-ipsec.rst +++ b/Documentation/tutorials/ovn-ipsec.rst @@ -166,6 +166,11 @@ You can also check the logs of the ``ovs-monitor-ipsec`` daemon and the IKE daemon to locate issues. ``ovs-monitor-ipsec`` outputs log messages to ``/var/log/openvswitch/ovs-monitor-ipsec.log``. +Any "ipsec_*" option such as the one below can be set to configure the +underlying IPsec backend, which can simplify debug. + + $ ovn-nbctl set nb_global . options:ipsec_replay-window=128 + Bug Reporting ------------- diff --git a/NEWS b/NEWS index e34a219ad..c7cec2c33 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,7 @@ Post v26.03.0 ------------- + - Added ability to set any "ipsec_*" NB_Global option to configure the + IPsec backend. - Documented missing ovn-nbctl commands: "mirror-rule-add", "mirror-rule-del", "lr-nat-update-ext-ip", "ha-chassis-group-set-chassis-prio", "lsp-add-router-port", diff --git a/controller/encaps.c b/controller/encaps.c index 081fbe671..99a75c15d 100644 --- a/controller/encaps.c +++ b/controller/encaps.c 
@@ -276,6 +276,19 @@ tunnel_add(struct tunnel_ctx *tc, if (forceencaps) { smap_add(&options, "ipsec_forceencaps", "yes"); } + + struct smap_node *node; + SMAP_FOR_EACH (node, &sbg->options) { + static const char ipsec_prefix[] = "ipsec_"; + if (!strncmp(ipsec_prefix, node->key, strlen(ipsec_prefix)) && + strcmp("ipsec_encapsulation", node->key) && + strcmp("ipsec_forceencaps", node->key)) { + const char *ipsec_option = smap_get(&sbg->options, node->key); + if (ipsec_option) { + smap_add(&options, node->key, ipsec_option); + } + } + } } if (is_ramp_tunnel(&chassis_rec->other_config)) { diff --git a/ovn-nb.xml b/ovn-nb.xml index 442657018..6566c77ee 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -603,6 +603,12 @@ </column> </group> + <column name="options" key="ipsec_*"> + IPsec configuration paramaters are passed to IPsec backend by prefixing + libreswan/strongswan options with ipsec_. Please reference the backends + documentation for a complete list of options. + </column> + <group title="Read-only Options"> <column name="options" key="max_tunid"> <p> diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at index 961fc643f..05fbced28 100644 --- a/tests/ovn-ipsec.at +++ b/tests/ovn-ipsec.at @@ -45,6 +45,10 @@ ovs-vsctl \ # Enable IPsec check ovn-nbctl set nb_global . ipsec=true check ovn-nbctl set nb_global . options:ipsec_encapsulation=true +check ovn-nbctl set nb_global . options:ipsec_replay-window=100 +check ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s +check ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s +check ovn-nbctl set nb_global . options:ipsec_salifetime=8h check ovn-nbctl --wait=hv sync 
@@ -52,9 +56,17 @@ OVS_WAIT_UNTIL([test x`as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_i AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.2]) AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d '\n'], [0], [hv1]) AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_replay-window | tr -d '\n'], [0], ["100"]) +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-delay | tr -d '\n'], [0], ["30s"]) +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-timeout | tr -d '\n'], [0], ["120s"]) +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_salifetime | tr -d '\n'], [0], ["8h"]) OVS_WAIT_UNTIL([test x`as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_ip | tr -d '"\n'` = x192.168.0.2]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d '"\n'], [0], [192.168.0.1]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d '\n'], [0], [hv2]) AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_replay-window | tr -d '\n'], [0], ["100"]) +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-delay | tr -d '\n'], [0], ["30s"]) +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-timeout | tr -d '\n'], [0], ["120s"]) +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_salifetime | tr -d '\n'], [0], ["8h"]) AT_CLEANUP -- 2.54.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
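Review bot: in the Documentation/tutorials/ovn-ipsec.rst hunk the indented `$ ovn-nbctl set nb_global . options:ipsec_replay-window=128` line is not introduced by `::`, so reStructuredText renders it as a block quote instead of a literal block; end the preceding sentence with `::` (or use a `.. code-block::` directive, whichever the rest of the tutorial uses). The sentence itself also needs a small fix: "which can simplify debug" should read "which can simplify debugging", and "such as the one below" would be clearer as "for example the one below". Since the surrounding paragraph tells readers to look at the ovs-monitor-ipsec and IKE daemon logs, it is worth adding that OVN does not validate the option name or value (the encaps.c hunk copies them verbatim), so a mistyped option only shows up in those logs.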
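Review bot: in the controller/encaps.c hunk, `smap_get(&sbg->options, node->key)` inside `SMAP_FOR_EACH (node, &sbg->options)` re-looks up a key whose value the iterator has already handed over as `node->value`; the `if (ipsec_option)` guard can never be false for a key that came from the same map, so the body collapses to `smap_add(&options, node->key, node->value);`. `strlen(ipsec_prefix)` is also re-evaluated on every iteration for a `static const char[]`; `sizeof ipsec_prefix - 1` or a length computed once outside the loop is the usual idiom. Finally, the two `strcmp()` exclusions are the only thing stopping `ipsec_encapsulation` and `ipsec_forceencaps`, which the code immediately above already adds, from being added a second time; a short comment saying so, and ideally a single shared list of reserved keys, would make that coupling explicit so the next dedicated `ipsec_*` key does not silently get added twice. Note too that the prefix match accepts a key that is exactly `ipsec_` with nothing after it, and that whatever follows the prefix is forwarded unchecked.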
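Review bot: the ovn-nb.xml hunk has a typo, `paramaters` for `parameters`, and "Please reference the backends documentation" should read "Please refer to the backend's documentation". The entry should also state the two exceptions the encaps.c hunk hard-codes: `ipsec_encapsulation` and `ipsec_forceencaps` are handled by dedicated code and are not part of the generic pass-through, so readers do not try to use them with arbitrary backend values. It should say that the option name and value are copied to the tunnel Interface options as-is, without validation by OVN. The new `<column>` is also placed between the closing `</group>` and the "Read-only Options" group, i.e. outside any group; if the existing IPsec options are documented in a group above, this entry belongs alongside them.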
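Review bot: the tests/ovn-ipsec.at hunk only exercises the positive path: every option it sets carries the `ipsec_` prefix and is expected to appear on both hypervisors' tunnel Interfaces. Add a negative check that an NB_Global option without the prefix does not reach the Interface record, and that `ipsec_encapsulation` is still reported as `yes` after the new loop runs, since the exclusion list in encaps.c is what keeps it from being emitted twice. For consistency with the neighbouring `remote_ip`/`local_ip` checks, pipe the new `ovs-vsctl get` calls through `tr -d '"\n'` so the expectations read `100`, `30s`, `120s` and `8h` rather than quoted strings.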
