On 5/25/26 10:17 AM, Mairtin O'Loingsigh via dev wrote:
> Add ability to pass any nb_global option with the ipsec prefix to sb, which
> ovs-monitor-ipsec will use to configure IPsec backend. For example
>
> ovn-nbctl set nb_global . options:ipsec_replay-window=128
> ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s
> ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s
> ovn-nbctl set nb_global . options:ipsec_salifetime=8h
>
> Reported-at: https://redhat.atlassian.net/browse/FDP-3029
> Signed-off-by: Mairtin O'Loingsigh <[email protected]>
> ---
> Changes since v1:
> - Make prefix string static const.
> - Fix documentation.
> - Update news entry to reference NB_Global.
>
> Documentation/tutorials/ovn-ipsec.rst | 5 +++++
> NEWS | 2 ++
> controller/encaps.c | 13 +++++++++++++
> ovn-nb.xml | 6 ++++++
> tests/ovn-ipsec.at | 12 ++++++++++++
> 5 files changed, 38 insertions(+)
>
> diff --git a/Documentation/tutorials/ovn-ipsec.rst
> b/Documentation/tutorials/ovn-ipsec.rst
> index aebd3e848..2b4f026d6 100644
> --- a/Documentation/tutorials/ovn-ipsec.rst
> +++ b/Documentation/tutorials/ovn-ipsec.rst
> @@ -166,6 +166,11 @@ You can also check the logs of the ``ovs-monitor-ipsec``
> daemon and the IKE
> daemon to locate issues. ``ovs-monitor-ipsec`` outputs log messages to
> ``/var/log/openvswitch/ovs-monitor-ipsec.log``.
>
> +Any "ipsec_*" option such as the one below can be set to configure the
> +underlying IPsec backend,
This is a bit misleading, as neither encapsulation nor forceencaps can be set
this way. Furthermore, ipsec_encapsulation=yes will be silently ignored, while
it is a valid config for libreswan, but ipsec_encapsulation=true will result
in ipsec_encapsulation=yes on the interface.
I think, if we're adding this universal mechanism, then both the original
ipsec_encapsulation=true and the ipsec_encapsulation=yes should work the same way.
Otherwise, it's very confusing from the user perspective.
However, users that currently have something like ipsec_encapsulation=false
should not get encapsulation=false in their connection config after upgrade.
> which can simplify debug.
> +
> + $ ovn-nbctl set nb_global . options:ipsec_replay-window=128
> +
> Bug Reporting
> -------------
>
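Review bot: The literal block `$ ovn-nbctl set nb_global . options:ipsec_replay-window=128` is not introduced by `::`, so Sphinx will render it as an indented quotation rather than a command example; end the preceding sentence with `::` (or use a `.. code-block:: none` directive). The sentence itself should also say that `ipsec_encapsulation` and `ipsec_forceencaps` are excluded from the pass-through (see the `encaps.c` hunk) and that ovn-controller forwards every other key and value verbatim without validating either, so the tutorial should state where, if anywhere, an unknown key or a bad value is rejected. "simplify debug" should read "simplify debugging".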
> diff --git a/NEWS b/NEWS
> index e34a219ad..c7cec2c33 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -1,5 +1,7 @@
> Post v26.03.0
> -------------
> + - Added ability to set any "ipsec_*" NB_Global option to configure the
> + IPsec backend.
> - Documented missing ovn-nbctl commands: "mirror-rule-add",
> "mirror-rule-del", "lr-nat-update-ext-ip",
> "ha-chassis-group-set-chassis-prio", "lsp-add-router-port",
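Review bot: The entry says "any" `ipsec_*` option, but `encaps.c` deliberately skips `ipsec_encapsulation` and `ipsec_forceencaps`; name the exemption here so operators reading release notes do not expect those two keys to be forwarded verbatim.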
> diff --git a/controller/encaps.c b/controller/encaps.c
> index 081fbe671..99a75c15d 100644
> --- a/controller/encaps.c
> +++ b/controller/encaps.c
> @@ -276,6 +276,19 @@ tunnel_add(struct tunnel_ctx *tc,
> if (forceencaps) {
> smap_add(&options, "ipsec_forceencaps", "yes");
> }
> +
> + struct smap_node *node;
> + SMAP_FOR_EACH (node, &sbg->options) {
> + static const char ipsec_prefix[] = "ipsec_";
> + if (!strncmp(ipsec_prefix, node->key, strlen(ipsec_prefix)) &&
> + strcmp("ipsec_encapsulation", node->key) &&
> + strcmp("ipsec_forceencaps", node->key)) {
> + const char *ipsec_option = smap_get(&sbg->options,
> node->key);
Isn't this just node->value that we already have?
> + if (ipsec_option) {
> + smap_add(&options, node->key, ipsec_option);
> + }
> + }
> + }
> }
>
> if (is_ramp_tunnel(&chassis_rec->other_config)) {
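Review bot: The two `strcmp()` calls form a deny-list, so every other `ipsec_*` key in SB_Global is copied into the Interface options verbatim, including any future key that OVN wants to handle specially the way `ipsec_encapsulation` and `ipsec_forceencaps` are handled just above; an explicit allow-list of supported backend options would be harder to bypass and would give one place to validate values before they reach the IKE daemon configuration. Two smaller points: `ipsec_prefix` and `strlen(ipsec_prefix)` belong before the loop (or use `sizeof ipsec_prefix - 1`), and a key that is exactly `ipsec_` passes the prefix test and is forwarded with an empty option name.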
> diff --git a/ovn-nb.xml b/ovn-nb.xml
> index 442657018..6566c77ee 100644
> --- a/ovn-nb.xml
> +++ b/ovn-nb.xml
> @@ -603,6 +603,12 @@
> </column>
> </group>
>
> + <column name="options" key="ipsec_*">
This should be inside the previous group or in a new group.
> + IPsec configuration paramaters are passed to IPsec backend by prefixing
*parameters
> + libreswan/strongswan options with ipsec_. Please reference the backends
> + documentation for a complete list of options.
This paragraph doesn't define what the "IPsec backend" is. It mentions
"IPsec backend" and then separately "libreswan/strongswan", but it doesn't
build a connection between those. So, when the last sentence tells the
user to reference the "backends documentation", the user not already
familiar with the topic would not understand what they need to reference.
One way to solve this might be to give an example like ipsec.conf(5).

> + </column>
> +
> <group title="Read-only Options">
> <column name="options" key="max_tunid">
> <p>
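Review bot: The new `<column>` body is bare text while the neighbouring `max_tunid` column wraps its text in `<p>`; wrap it the same way. The text should also name the two keys that are not passed through (`ipsec_encapsulation` and `ipsec_forceencaps`, per the `encaps.c` hunk) and state that values are forwarded unvalidated, and "backends documentation" needs the possessive "backend's".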
> diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at
> index 961fc643f..05fbced28 100644
> --- a/tests/ovn-ipsec.at
> +++ b/tests/ovn-ipsec.at
> @@ -45,6 +45,10 @@ ovs-vsctl \
> # Enable IPsec
> check ovn-nbctl set nb_global . ipsec=true
> check ovn-nbctl set nb_global . options:ipsec_encapsulation=true
> +check ovn-nbctl set nb_global . options:ipsec_replay-window=100
> +check ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s
> +check ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s
> +check ovn-nbctl set nb_global . options:ipsec_salifetime=8h
>
> check ovn-nbctl --wait=hv sync
>
> @@ -52,9 +56,17 @@ OVS_WAIT_UNTIL([test x`as hv2 ovs-vsctl get Interface
> ovn-hv1-0 options:remote_i
> AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d
> '"\n'], [0], [192.168.0.2])
> AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr
> -d '\n'], [0], [hv1])
> AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0
> options:ipsec_encapsulation | tr -d '\n'], [0], [yes])
> +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0
> options:ipsec_replay-window | tr -d '\n'], [0], ["100"])
> +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-delay |
> tr -d '\n'], [0], ["30s"])
> +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-timeout
> | tr -d '\n'], [0], ["120s"])
> +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_salifetime
> | tr -d '\n'], [0], ["8h"])
> OVS_WAIT_UNTIL([test x`as hv1 ovs-vsctl get Interface ovn-hv2-0
> options:remote_ip | tr -d '"\n'` = x192.168.0.2])
> AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d
> '"\n'], [0], [192.168.0.1])
> AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr
> -d '\n'], [0], [hv2])
> AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0
> options:ipsec_encapsulation | tr -d '\n'], [0], [yes])
> +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0
> options:ipsec_replay-window | tr -d '\n'], [0], ["100"])
> +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-delay |
> tr -d '\n'], [0], ["30s"])
> +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-timeout
> | tr -d '\n'], [0], ["120s"])
> +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_salifetime
> | tr -d '\n'], [0], ["8h"])
>
> AT_CLEANUP
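Review bot: The new assertions cover only the positive path. Add a negative check that an `nb_global` option without the `ipsec_` prefix does not show up in the Interface options, so a regression that drops the prefix test is caught, and consider folding the eight near-identical `AT_CHECK` lines for hv1 and hv2 into a small m4 macro parameterised on the interface name and expected value, as the duplicated `tr -d '\n'` pipelines are easy to get out of sync.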
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev