On Mon, May 25, 2026 at 12:43:00PM +0200, Ilya Maximets wrote: > On 5/25/26 10:17 AM, Mairtin O'Loingsigh via dev wrote: > > Add ability to pass any nb_global option with the ipsec prefix to sb, which > > ovs-monitor-ipsec will use to configure IPsec backend. For example > > > > ovn-nbctl set nb_global . options:ipsec_replay-window=128 > > ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s > > ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s > > ovn-nbctl set nb_global . options:ipsec_salifetime=8h > > > > Reported-at: https://redhat.atlassian.net/browse/FDP-3029 > > Signed-off-by: Mairtin O'Loingsigh <[email protected]> > > --- > > Changes since v1: > > - Make prefix string static const. > > - Fix documentation. > > - Update news entry to reference NB_Global. > > > > Documentation/tutorials/ovn-ipsec.rst | 5 +++++ > > NEWS | 2 ++ > > controller/encaps.c | 13 +++++++++++++ > > ovn-nb.xml | 6 ++++++ > > tests/ovn-ipsec.at | 12 ++++++++++++ > > 5 files changed, 38 insertions(+) > > > > diff --git a/Documentation/tutorials/ovn-ipsec.rst > > b/Documentation/tutorials/ovn-ipsec.rst > > index aebd3e848..2b4f026d6 100644 > > --- a/Documentation/tutorials/ovn-ipsec.rst > > +++ b/Documentation/tutorials/ovn-ipsec.rst 
> > @@ -166,6 +166,11 @@ You can also check the logs of the > > ``ovs-monitor-ipsec`` daemon and the IKE > > daemon to locate issues. ``ovs-monitor-ipsec`` outputs log messages to > > ``/var/log/openvswitch/ovs-monitor-ipsec.log``. > > > > +Any "ipsec_*" option such as the one below can be set to configure the > > +underlying IPsec backend, > > This is a bit misleading, as neither encapsulation nor forceencaps can be set > this way. Furthermore, ipsec_encapsulation=yes will be silently ignored, > while > it is a valid config for libreswan, but ipsec_encapsulation=true will result > with ipsec_encapsulation=yes on the interface. > > I think, if we're adding this universal mechanism, then both the original > ipsec_encapsulation=true and the ipsec_encapsulation=yes should work the same > way. > Otherwise, it's very confusing from the user perspective. Ack, I'll include ipsec_encapsulation and ipsec_forceencaps in the new mechanism and include backwards compatibility for ipsec_encapsulation=true. > > However, users that currently have something like ipsec_encapsulation=false, > should > not get encapsulation=false in their connection config after upgrade. > > > which can simplify debug. > > + > > + $ ovn-nbctl set nb_global . options:ipsec_replay-window=128 > > + > > Bug Reporting > > ------------- > > > > diff --git a/NEWS b/NEWS > > index e34a219ad..c7cec2c33 100644 > > --- a/NEWS > > +++ b/NEWS > > @@ -1,5 +1,7 @@ > > Post v26.03.0 > > ------------- > > + - Added ability to set any "ipsec_*" NB_Global option to configure the > > + IPsec backend. > > - Documented missing ovn-nbctl commands: "mirror-rule-add", > > "mirror-rule-del", "lr-nat-update-ext-ip", > > "ha-chassis-group-set-chassis-prio", "lsp-add-router-port", > > diff --git a/controller/encaps.c b/controller/encaps.c > > index 081fbe671..99a75c15d 100644 > > --- a/controller/encaps.c > > +++ b/controller/encaps.c 
> > @@ -276,6 +276,19 @@ tunnel_add(struct tunnel_ctx *tc, > > if (forceencaps) { > > smap_add(&options, "ipsec_forceencaps", "yes"); > > } > > + > > + struct smap_node *node; > > + SMAP_FOR_EACH (node, &sbg->options) { > > + static const char ipsec_prefix[] = "ipsec_"; > > + if (!strncmp(ipsec_prefix, node->key, strlen(ipsec_prefix)) && > > + strcmp("ipsec_encapsulation", node->key) && > > + strcmp("ipsec_forceencaps", node->key)) { > > + const char *ipsec_option = smap_get(&sbg->options, > > node->key); > > Isn't this just node->value that we already have? Ack, I'll use node->value here. > > > + if (ipsec_option) { > > + smap_add(&options, node->key, ipsec_option); > > + } > > + } > > + } > > } > > > > if (is_ramp_tunnel(&chassis_rec->other_config)) { > > diff --git a/ovn-nb.xml b/ovn-nb.xml > > index 442657018..6566c77ee 100644 > > --- a/ovn-nb.xml > > +++ b/ovn-nb.xml > > @@ -603,6 +603,12 @@ > > </column> > > </group> > > > > + <column name="options" key="ipsec_*"> > > This should be inside the previous group or in a new group. Ack, I'll add an IPsec group. > > > + IPsec configuration paramaters are passed to IPsec backend by > > prefixing > > *parameters Ack. > > > + libreswan/strongswan options with ipsec_. Please reference the > > backends > > + documentation for a complete list of options. > > This paragraph doesn't define what the "IPsec backend" is. It mentions > "IPsec backend" and then separately "libreswan/strongswan", but it doesn't > build a connection between those. So, when the last sentence tells the > user to reference the "backends documentation", the user not already > familiar with the topic would not understand what they need to reference. > One way to solve this might be to give an example like ipsec.conf(5). Ack, I'll add a reference to the ipsec.conf(5) for clarity. > > > + </column> > > + > > <group title="Read-only Options"> > > <column name="options" key="max_tunid"> > > <p> 
> > diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at > > index 961fc643f..05fbced28 100644 > > --- a/tests/ovn-ipsec.at > > +++ b/tests/ovn-ipsec.at > > @@ -45,6 +45,10 @@ ovs-vsctl \ > > # Enable IPsec > > check ovn-nbctl set nb_global . ipsec=true > > check ovn-nbctl set nb_global . options:ipsec_encapsulation=true > > +check ovn-nbctl set nb_global . options:ipsec_replay-window=100 > > +check ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s > > +check ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s > > +check ovn-nbctl set nb_global . options:ipsec_salifetime=8h > > > > check ovn-nbctl --wait=hv sync 
> > > > @@ -52,9 +56,17 @@ OVS_WAIT_UNTIL([test x`as hv2 ovs-vsctl get Interface > > ovn-hv1-0 options:remote_i > > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr > > -d '"\n'], [0], [192.168.0.2]) > > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | > > tr -d '\n'], [0], [hv1]) > > AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 > > options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) > > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 > > options:ipsec_replay-window | tr -d '\n'], [0], ["100"]) > > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-delay > > | tr -d '\n'], [0], ["30s"]) > > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 > > options:ipsec_dpd-timeout | tr -d '\n'], [0], ["120s"]) > > +AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 > > options:ipsec_salifetime | tr -d '\n'], [0], ["8h"]) > > OVS_WAIT_UNTIL([test x`as hv1 ovs-vsctl get Interface ovn-hv2-0 > > options:remote_ip | tr -d '"\n'` = x192.168.0.2]) > > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr > > -d '"\n'], [0], [192.168.0.1]) > > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | > > tr -d '\n'], [0], [hv2]) > > AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 > > options:ipsec_encapsulation | tr -d '\n'], [0], [yes]) > > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 > > options:ipsec_replay-window | tr -d '\n'], [0], ["100"]) > > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-delay > > | tr -d '\n'], [0], ["30s"]) > > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 > > options:ipsec_dpd-timeout | tr -d '\n'], [0], ["120s"]) > > +AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 > > options:ipsec_salifetime | tr -d '\n'], [0], ["8h"]) > > > > AT_CLEANUP >
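Review bot: the new paragraph in the ovn-ipsec.rst hunk ("Any "ipsec_*" option such as the one below can be set to configure the underlying IPsec backend, which can simplify debug") does not say what the text after the ipsec_ prefix has to be, nor what happens when the backend does not recognise it. Because the option name is handed to ovs-monitor-ipsec and on to the IKE daemon unchanged, the tutorial should state that the suffix must be a keyword the backend in use (libreswan or strongswan) accepts in its connection configuration and point at that backend's documentation, as the ovn-nb.xml text tries to do. "which can simplify debug" also reads oddly as the justification for a replay-window example; either drop it or say what debugging use is meant.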
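Review bot: the NEWS entry in the hunk says "any "ipsec_*" NB_Global option", but the encaps.c hunk in the same patch deliberately skips ipsec_encapsulation and ipsec_forceencaps, which keep their existing special handling. Either word the entry to match ("any other "ipsec_*" option") or, once those two are folded into the new mechanism as agreed above, update the entry together with the code so that the release note and the behaviour agree.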
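Review bot: the prefix test in the encaps.c hunk, `if (!strncmp(ipsec_prefix, node->key, strlen(ipsec_prefix)) &&`, also accepts a key that is exactly "ipsec_" (empty option name), which then lands on the tunnel interface and, via ovs-monitor-ipsec, in the IKE daemon configuration as a nameless option; add a check that node->key is longer than the prefix. More generally, the value is copied verbatim with no validation, so anyone who can write NB_Global options can put arbitrary text into the backend connection configuration; at a minimum reject values containing newlines or other characters that cannot appear in a single ipsec.conf(5) value, and say in the commit message that this widens what NB_Global options control. As a minor style point, the `static const char ipsec_prefix[] = "ipsec_";` declaration sits inside the loop body and would read better above `SMAP_FOR_EACH`.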
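Review bot: the column description in the ovn-nb.xml hunk should also say which ipsec_* keys are not forwarded verbatim: the encaps.c hunk skips ipsec_encapsulation and ipsec_forceencaps, and those already have their own semantics (true maps to yes on the interface, per the discussion above), so a reader of this column alone would expect ipsec_encapsulation=yes to behave like the other options. Listing the exceptions here, or cross-referencing their existing entries, avoids the confusion described above. The added text should also be wrapped in a <p> element like the neighbouring max_tunid column, and "paramaters" is a typo for "parameters", as already noted.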
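Review bot: the first tests/ovn-ipsec.at hunk only sets options that are expected to be forwarded. Add a negative case alongside them, e.g. a NB_Global option without the ipsec_ prefix, and later assert that it does not show up on the Interface record, so the prefix filter in encaps.c is actually exercised; a follow-up step that removes one of the ipsec_* options and checks that it disappears from the interface would cover the update path too.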
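Review bot: in the second tests/ovn-ipsec.at hunk the new AT_CHECK lines expect quoted values (["100"], ["30s"], ["120s"], ["8h"]) while the existing ipsec_encapsulation check expects an unquoted [yes] and the local_ip checks strip quotes with `tr -d '"\n'`. The new expectations therefore depend on ovs-vsctl quoting strings that do not look like bare atoms; strip the quotes the same way the ip checks do and compare against the bare values, so the test does not break if the quoting rules change.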
Hi Ilya,

Thanks for the review, comments above.

Regards,
Mairtin

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
