On Thu, Aug 9, 2018 at 4:13 PM, Qiuyu Xiao <[email protected]> wrote:
> I have one question. In "datapath/linux/compat/include/net/geneve.h",
> USE_UPSTREAM_TUNNEL
> decides whether to use Linux upstream kernel function or OVS kernel
> function to transmit Geneve packet. Currently, it chooses Linux upstream
> kernel function. How to set USE_UPSTREAM_TUNNEL to use OVS kernel function?
>

You can't set USE_UPSTREAM_TUNNEL; it is detected by acinclude by looking at
the kernel header files.

> Otherwise, even though this patch is applied, IPsec won't work for Geneve
> tunnel without Linux upstream also being patched?
>

Another way is to test on a different kernel version; for example, on a 4.8
kernel USE_UPSTREAM_TUNNEL should be no.

--William

>
> Thanks,
> Qiuyu
>
> On Thu, Aug 9, 2018 at 3:41 PM, William Tu <[email protected]> wrote:
>
>>
>>
>> On Thu, Aug 9, 2018 at 3:28 PM, Qiuyu Xiao <[email protected]>
>> wrote:
>>
>>> Hi William,
>>>
>>> ip_route_output_key() calls xfrm_lookup(). xfrm_lookup() needs L4 ports
>>> so that the packet can match IPsec's security policy based on L4 ports.
>>> IPsec security policy for Geneve selects udp packets with dst port
>>> 6081. If no port information, the IPsec stack won't know the packet is
>>> a Geneve packet and the packet won't be encrypted.
>>>
>>> Different dport and sport affect `struct xfrm_state` in the `struct
>>> dst_entry`.
>>> But this structure only matters to the xfrm module. The Linux upstream
>>> VXLAN module already included L4 ports for VXLAN route look up.
>>>
>>>
>> I see, thanks!
>>
>> --William
>>
>
>

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
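The port dependency described in the quoted explanation, as an added example that is not part of the thread or the patch: a simplified user-space model of an IPsec policy selector check, showing that a route-lookup flow key with zeroed L4 ports misses a policy selecting UDP dst port 6081. The struct names, the 192.0.2.x addresses and the source port are constructed assumptions, and the match logic is a reduced model rather than the kernel's code.

```c
#include <stdint.h>
#include <stdio.h>

#define GENEVE_UDP_PORT 6081 /* dst port named in the thread */
#define PROTO_UDP 17

/* Hypothetical, reduced stand-ins for a policy selector and a route-lookup
 * flow key. All values are in host byte order for readability. */
struct selector {
    uint32_t daddr, dmask;
    uint16_t dport, dport_mask, sport, sport_mask;
    uint8_t proto; /* 0 = any protocol */
};
struct flow_key {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t proto;
};

/* Masked comparison of address and ports plus protocol check. A mask of 0
 * means "wildcard", so only fields the policy names can cause a miss. */
static int selector_match(const struct selector *sel, const struct flow_key *fl)
{
    return !((fl->daddr ^ sel->daddr) & sel->dmask) &&
           !((fl->dport ^ sel->dport) & sel->dport_mask) &&
           !((fl->sport ^ sel->sport) & sel->sport_mask) &&
           (sel->proto == 0 || fl->proto == sel->proto);
}

/* Build the flow key a tunnel transmit path would hand to the route lookup.
 * with_ports = 0 models a lookup that leaves sport/dport zeroed. */
static int lookup_hits_policy(int with_ports)
{
    /* Constructed policy: UDP to 192.0.2.2, dst port 6081, any src port. */
    struct selector pol = { .daddr = 0xC0000202, .dmask = 0xFFFFFFFF,
                            .dport = GENEVE_UDP_PORT, .dport_mask = 0xFFFF,
                            .proto = PROTO_UDP };
    struct flow_key fl = { .saddr = 0xC0000201, .daddr = 0xC0000202,
                           .proto = PROTO_UDP };
    if (with_ports) {
        fl.sport = 49152; /* constructed source port */
        fl.dport = GENEVE_UDP_PORT;
    }
    return selector_match(&pol, &fl);
}

int main(void)
{
    printf("ports in flow key:  policy %s\n", lookup_hits_policy(1) ? "hit" : "miss");
    printf("ports left at zero: policy %s\n", lookup_hits_policy(0) ? "hit" : "miss");
    return 0;
}
```

A miss in the second case corresponds to the failure mode in the thread: the packet is routed without an IPsec transform and leaves unencrypted.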
