Add the ability to pass any nb_global option with the ipsec prefix to the SB,
which ovs-monitor-ipsec will use to configure the IPsec backend. For example:

ovn-nbctl set nb_global . options:ipsec_replay-window=128
ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s
ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s
ovn-nbctl set nb_global . options:ipsec_salifetime=8h

Reported-at: https://redhat.atlassian.net/browse/FDP-3029
Signed-off-by: Mairtin O'Loingsigh <[email protected]>
---
Changes since v2:
  - Update ovn-ipsec.rst with the following
    * encapsulation/forceencaps are boolean and only accept true/yes.
    * Other ipsec_* options pass through directly.
  - ipsec_encapsulation=yes works like =true.
  - Uses node->value not smap_get().
  - Move ipsec_* Column inside "Security Configurations" group.
  - Fix spelling typos.
  - Add ipsec.conf reference with <code> style.
Changes since v1:
  - Make prefix string static const.
  - Fix documentation.
  - Update news entry to reference NB_Global.

 Documentation/tutorials/ovn-ipsec.rst |  7 +++++++
 NEWS                                  |  2 ++
 controller/encaps.c                   | 28 +++++++++++++++++----------
 ovn-nb.xml                            |  7 +++++++
 tests/ovn-ipsec.at                    | 12 ++++++++++++
 5 files changed, 46 insertions(+), 10 deletions(-)

diff --git a/Documentation/tutorials/ovn-ipsec.rst 
b/Documentation/tutorials/ovn-ipsec.rst
index aebd3e848..249d3230a 100644
--- a/Documentation/tutorials/ovn-ipsec.rst
+++ b/Documentation/tutorials/ovn-ipsec.rst
@@ -166,6 +166,13 @@ You can also check the logs of the ``ovs-monitor-ipsec`` 
daemon and the IKE
 daemon to locate issues.  ``ovs-monitor-ipsec`` outputs log messages to
 ``/var/log/openvswitch/ovs-monitor-ipsec.log``.
 
+The ipsec_encapsulation and ipsec_forceencaps options are boolean
+and only accept true or yes. Additional "ipsec_*" options such as
+the one below can be set to pass configuration directly to the underlying
+IPsec backend.
+
+    $ ovn-nbctl set nb_global . options:ipsec_replay-window=128
+
 Bug Reporting
 -------------
 
diff --git a/NEWS b/NEWS
index e34a219ad..c7cec2c33 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,7 @@
 Post v26.03.0
 -------------
+   - Added ability to set any "ipsec_*" NB_Global option to configure the
+     IPsec backend.
    - Documented missing ovn-nbctl commands: "mirror-rule-add",
      "mirror-rule-del", "lr-nat-update-ext-ip",
      "ha-chassis-group-set-chassis-prio", "lsp-add-router-port",
diff --git a/controller/encaps.c b/controller/encaps.c
index 081fbe671..048e85c38 100644
--- a/controller/encaps.c
+++ b/controller/encaps.c
@@ -265,16 +265,24 @@ tunnel_add(struct tunnel_ctx *tc,
         /* Force NAT-T traversal via configuration */
         /* Two ipsec backends are supported: libreswan and strongswan */
         /* libreswan param: encapsulation; strongswan param: forceencaps */
-        bool encapsulation;
-        bool forceencaps;
-        encapsulation = smap_get_bool(&sbg->options, "ipsec_encapsulation",
-                                      false);
-        forceencaps = smap_get_bool(&sbg->options, "ipsec_forceencaps", false);
-        if (encapsulation) {
-            smap_add(&options, "ipsec_encapsulation", "yes");
-        }
-        if (forceencaps) {
-            smap_add(&options, "ipsec_forceencaps", "yes");
+
+        struct smap_node *node;
+        SMAP_FOR_EACH (node, &sbg->options) {
+            static const char ipsec_prefix[] = "ipsec_";
+            if (!strncmp(ipsec_prefix, node->key, strlen(ipsec_prefix))) {
+                if (!strcmp(node->key, "ipsec_encapsulation") ||
+                    !strcmp(node->key, "ipsec_forceencaps")) {
+                    if (!strcasecmp(node->value, "true") ||
+                        !strcasecmp(node->value, "yes")) {
+                        smap_add(&options, node->key, "yes");
+                    }
+                    continue;
+                }
+
+                if (node->value) {
+                    smap_add(&options, node->key, node->value);
+                }
+            }
         }
     }
 
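Review bot: The pass-through branch at `if (node->value)` forwards the key and value of every `ipsec_*` option verbatim, with no check that either is a single token; since the commit message says ovs-monitor-ipsec uses these to configure the IPsec backend, a value or key containing whitespace or a newline would presumably reach the backend's configuration unmodified, where it could be read as more than one directive. I would reject such entries here rather than rely on the consumer, e.g. `if (node->value && !strpbrk(node->value, " \t\r\n") && !strpbrk(node->key, " \t\r\n")) {`, and log and skip the entry otherwise. The `node->value` NULL test looks redundant — smap values appear to always be stored as strings — but it is harmless. Also, `strlen(ipsec_prefix)` is recomputed on every iteration and the `static const` array is declared inside the loop body; hoisting the declaration above `SMAP_FOR_EACH` and comparing with `sizeof ipsec_prefix - 1` reads cleaner. tunnel_add begins and ends outside the hunk.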
diff --git a/ovn-nb.xml b/ovn-nb.xml
index 442657018..38c6a84a2 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -601,6 +601,13 @@
         Tunnel encryption configuration. If this column is set to be true, all
         OVN tunnels will be encrypted with IPsec.
       </column>
+
+      <column name="options" key="ipsec_*">
+        IPsec configuration parameters are passed to IPsec backend by prefixing
+        libreswan/strongswan options with ipsec_. Please reference
+        <code>ipsec.conf</code>(5) for a comprehensive set of instructions on
+        IPsec configuration.
+      </column>
     </group>
 
     <group title="Read-only Options">
diff --git a/tests/ovn-ipsec.at b/tests/ovn-ipsec.at
index 961fc643f..05fbced28 100644
--- a/tests/ovn-ipsec.at
+++ b/tests/ovn-ipsec.at
@@ -45,6 +45,10 @@ ovs-vsctl \
 # Enable IPsec
 check ovn-nbctl set nb_global . ipsec=true
 check ovn-nbctl set nb_global . options:ipsec_encapsulation=true
+check ovn-nbctl set nb_global . options:ipsec_replay-window=100
+check ovn-nbctl set nb_global . options:ipsec_dpd-delay=30s
+check ovn-nbctl set nb_global . options:ipsec_dpd-timeout=120s
+check ovn-nbctl set nb_global . options:ipsec_salifetime=8h
 
 check ovn-nbctl --wait=hv sync
 
@@ -52,9 +56,17 @@ OVS_WAIT_UNTIL([test x`as hv2 ovs-vsctl get Interface 
ovn-hv1-0 options:remote_i
 AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:local_ip | tr -d 
'"\n'], [0], [192.168.0.2])
 AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:remote_name | tr -d 
'\n'], [0], [hv1])
 AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_encapsulation 
| tr -d '\n'], [0], [yes])
+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_replay-window 
| tr -d '\n'], [0], ["100"])
+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-delay | 
tr -d '\n'], [0], ["30s"])
+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_dpd-timeout | 
tr -d '\n'], [0], ["120s"])
+AT_CHECK([as hv2 ovs-vsctl get Interface ovn-hv1-0 options:ipsec_salifetime | 
tr -d '\n'], [0], ["8h"])
 OVS_WAIT_UNTIL([test x`as hv1 ovs-vsctl get Interface ovn-hv2-0 
options:remote_ip | tr -d '"\n'` = x192.168.0.2])
 AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:local_ip | tr -d 
'"\n'], [0], [192.168.0.1])
 AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:remote_name | tr -d 
'\n'], [0], [hv2])
 AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_encapsulation 
| tr -d '\n'], [0], [yes])
+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_replay-window 
| tr -d '\n'], [0], ["100"])
+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-delay | 
tr -d '\n'], [0], ["30s"])
+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_dpd-timeout | 
tr -d '\n'], [0], ["120s"])
+AT_CHECK([as hv1 ovs-vsctl get Interface ovn-hv2-0 options:ipsec_salifetime | 
tr -d '\n'], [0], ["8h"])
 
 AT_CLEANUP
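Review bot: The new assertions only cover the pass-through path; nothing checks that a value other than true/yes for `ipsec_encapsulation` or `ipsec_forceencaps` (for example `false`) leaves the Interface option unset, which is the branch in encaps.c that this commit rewrote. One `check ovn-nbctl set nb_global . options:ipsec_forceencaps=false` in the setup hunk above, plus an `AT_CHECK` on each hypervisor expecting `ovs-vsctl --if-exists get Interface ... options:ipsec_forceencaps` to print nothing, would pin that behaviour. The `ipsec_encapsulation=yes` spelling the commit message calls out is likewise untested.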
-- 
2.54.0
