On 22/10/2020 15:01, Eric Garver wrote: > On Fri, Oct 02, 2020 at 01:33:57PM -0400, Mark Gray wrote: >> F32 requires the "python3-openvswitch" package now. Also, the >> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32. >> >> Signed-off-by: Mark Gray <[email protected]> >> --- >> Documentation/tutorials/ipsec.rst | 27 ++++++++++++--------------- >> 1 file changed, 12 insertions(+), 15 deletions(-) >> >> diff --git a/Documentation/tutorials/ipsec.rst >> b/Documentation/tutorials/ipsec.rst >> index b4c323513..ea0b6a63f 100644 >> --- a/Documentation/tutorials/ipsec.rst >> +++ b/Documentation/tutorials/ipsec.rst >> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages >> --------------------------------- >> >> OVS IPsec has .deb and .rpm packages. You should use the right package >> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and >> Fedora 27 >> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and >> Fedora 32 >> as examples. >> >> Ubuntu 
>> @@ -71,21 +71,18 @@ Ubuntu >> Fedora >> ~~~~~~ >> >> -1. Follow :doc:`/intro/install/fedora` to build RPM packages. >> +1. Install the related packages. Fedora 32 does not require installation of >> + the out-of-tree kernel module:: >> >> -2. Install the related packages:: >> - >> - $ dnf install python2-openvswitch libreswan \ >> - "kernel-devel-uname-r == $(uname -r)" >> - $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \ >> - openvswitch-openvswitch-ipsec-*.rpm >> + $ dnf install python3-openvswitch libreswan \ >> + openvswitch openvswitch-ipsec >> >> -3. Install firewall rules to allow ESP and IKE traffic:: >> +2. Install firewall rules to allow ESP and IKE traffic:: >> >> - $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT >> - $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT >> + $ iptables -A INPUT -p esp -j ACCEPT >> + $ iptables -A INPUT -p udp --dport 500 -j ACCEPT > > Fedora uses firewalld by default hence the chain > "IN_FedoraServer_allow". I think adding the rules in iptables will not > work in f32+ because firewalld uses nftables. iptables will accept, but > firewalld/nftables will still drop it. Instead of bypassing firewalld > it's better to open these via firewalld by adding the ipsec service. > This should work for all Fedora versions and firewalld backends. > > # firewall-cmd --add-service ipsec > # firewall-cmd --permanent --add-service ipsec > > First command affects the runtime, the second command affects the > permanent configuration.
Hi Eric, this is a much better approach. I will update the documentation to reflect this. Thanks for your input. > >> -4. Run the openvswitch-ipsec service:: >> +3. Run the openvswitch-ipsec service:: >> >> $ systemctl start openvswitch-ipsec.service >> > [..] > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
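Review bot: the first hunk bumps the introductory sentence from "Fedora 27" to "Fedora 32" but leaves "Ubuntu 16.04" as it was, so the tutorial now pairs a current Fedora with a four-year-old Ubuntu; if only the Fedora half was re-verified, the commit message should say so, and the sentence could note that the Fedora steps rely on the distribution's own openvswitch packages, which is what the second hunk depends on when it drops the RPM build step.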
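Review bot: the firewall step in the second hunk (`$ iptables -A INPUT -p esp -j ACCEPT` and `$ iptables -A INPUT -p udp --dport 500 -j ACCEPT`) adds rules behind firewalld's back, and as the reply points out, on Fedora 32+ with the nftables backend firewalld still drops the traffic, so a reader who follows the doc ends up believing the ports are open when they are not. Replace both lines with the firewalld service suggested in the reply, `# firewall-cmd --add-service ipsec` followed by `# firewall-cmd --permanent --add-service ipsec`, and keep both commands in the doc: the first changes only the running configuration and the second only the permanent one. The renumbering of steps 2 to 4 and the removal of the `:doc:`/intro/install/fedora`` reference are consistent with installing `openvswitch openvswitch-ipsec` from the repositories, but since the old text built from source, a sentence naming the openvswitch version the steps were verified against would help readers on later Fedora releases.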
