On 23/10/2020 15:24, Mark Gray wrote: > On 21/10/2020 16:07, Stokes, Ian wrote: >>> F32 requires the "python3-openvswitch" package now. Also, the >>> iptables chain "IN_FedoraServer_allow" does not exist on Fedora 32. >>> >> >> Hi Mark, thanks for the patch, some minor comments below. >> >>> Signed-off-by: Mark Gray <[email protected]> >>> --- >>> Documentation/tutorials/ipsec.rst | 27 ++++++++++++--------------- >>> 1 file changed, 12 insertions(+), 15 deletions(-) >>> >>> diff --git a/Documentation/tutorials/ipsec.rst >>> b/Documentation/tutorials/ipsec.rst >>> index b4c323513..ea0b6a63f 100644 >>> --- a/Documentation/tutorials/ipsec.rst >>> +++ b/Documentation/tutorials/ipsec.rst >>> @@ -42,7 +42,7 @@ Installing OVS and IPsec Packages >>> --------------------------------- >>> >>> OVS IPsec has .deb and .rpm packages. You should use the right package >>> -based on your Linux distribution. This tutorial uses Ubuntu 16.04 and >>> Fedora 27 >>> +based on your Linux distribution. This tutorial uses Ubuntu 16.04 and >>> Fedora 32 >>> as examples. >> >> Given that the instructions change between Fedora versions, is it worth >> adding a note that for Fedora versions older than Fedora 32, users should >> consult the previous OVS release tutorial? > > This is just a tutorial so I am not making any statement about > availability of the IPsec feature in different distros only that, as of > F32, the instructions are correct. >
Fedora 31 will be EOL next month. For Fedora in particular, I don't think there's any point in writing anything for older releases. > The main difference is regarding the iptables instructions below. I > think Eric has cleared that up and I will update the documentation to > reflect as that seems to be the most generic way to enable the firewall > across multiple Fedora releases. > > >> >> The alternative would be to maintain another section here for fedora 27 but >> that seems like a pain and TBH I'm not sure if Fedora 27 is still active? As >> such a note might suffice. >> >>> >>> Ubuntu >>> @@ -71,21 +71,18 @@ Ubuntu >>> Fedora >>> ~~~~~~ >>> >>> -1. Follow :doc:`/intro/install/fedora` to build RPM packages. >>> +1. Install the related packages. Fedora 32 does not require installation of >>> + the out-of-tree kernel module:: >>> >>> -2. Install the related packages:: >>> - >>> - $ dnf install python2-openvswitch libreswan \ >>> - "kernel-devel-uname-r == $(uname -r)" >>> - $ rpm -i openvswitch-*.rpm openvswitch-kmod-*.rpm \ >>> - openvswitch-openvswitch-ipsec-*.rpm >>> + $ dnf install python3-openvswitch libreswan \ >>> + openvswitch openvswitch-ipsec >>> >>> -3. Install firewall rules to allow ESP and IKE traffic:: >>> +2. Install firewall rules to allow ESP and IKE traffic:: >>> >>> - $ iptables -A IN_FedoraServer_allow -p esp -j ACCEPT >>> - $ iptables -A IN_FedoraServer_allow -p udp --dport 500 -j ACCEPT >>> + $ iptables -A INPUT -p esp -j ACCEPT >>> + $ iptables -A INPUT -p udp --dport 500 -j ACCEPT >> >> Same as above, again maybe a line at the beginning the tutorial would help >> point people in the right direction depending on the version they are using? > > Will update as per Eric's comments >> >>> >>> -4. Run the openvswitch-ipsec service:: >>> +3. Run the openvswitch-ipsec service:: >>> >>> $ systemctl start openvswitch-ipsec.service 
>>> >>> @@ -97,7 +94,7 @@ Fedora >>> Configuring IPsec tunnel >>> ------------------------ >>> >>> -Suppose you want to build IPsec tunnel between two hosts. Assume `host_1`'s >>> +Suppose you want to build an IPsec tunnel between two hosts. Assume >>> `host_1`'s >>> external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure >>> `host_1` and `host_2` can ping each other via these external IPs. >>> >>> @@ -123,8 +120,8 @@ external IP is 1.1.1.1, and `host_2`'s external IP is >>> 2.2.2.2. Make sure >>> >>> 2. Set up IPsec tunnel. >>> >>> - There are three authentication methods. You can choose one to set up >>> your >>> - IPsec tunnel. >>> + There are three authentication methods. Choose one method to set up >>> your >>> + IPsec tunnel and follow the steps below. >>> >>> a) Using pre-shared key: >>> >> >> Other than that LGTM. Did you have any thoughts on requirements for >> backporting it? > > No need for the documentation - 2/2 is a bug though so probably should be. >> >> Regards >> Ian >>> -- >>> 2.26.2 >>> >>> _______________________________________________ >>> dev mailing list >>> [email protected] >>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev >> >
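Review bot: in the Fedora hunk (@@ -71,21 +71,18 @@), step 2 uses `iptables -A INPUT`, which appends both ACCEPT rules to the end of the chain, so they never match on a host whose INPUT chain already has an earlier reject or drop rule, and they admit ESP and UDP 500 from any source. Suggest inserting rather than appending (`-I INPUT`) or using the distribution's firewall tooling, limiting the rules with `-s` to the peer's external IP where it is known, and stating that rules added this way do not survive a reboot. If the tunnel may cross NAT, UDP 4500 needs the same rule, because IKE NAT traversal does not stay on port 500.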
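Review bot: the wording changes in the last hunk (@@ -123,8 +120,8 @@), like the article fix in the @@ -97,7 +94,7 @@ hunk before it, are not covered by the commit message, which only mentions python3-openvswitch and the missing IN_FedoraServer_allow chain; add a line for the grammar clean-up or split it into its own patch. The fix is also applied unevenly: the context line "2. Set up IPsec tunnel." and the section title "Configuring IPsec tunnel" still lack the article that the body text now has.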
