Re: [ovs-dev] [PATCH] openvswitch: Allow external IPsec tunnel management.
On Mon, Sep 26, 2016 at 1:15 PM, pravin shelar wrote:
> On Mon, Sep 26, 2016 at 11:49 AM, Ansis Atteka wrote:
>> On 26 September 2016 at 03:48, Pravin B Shelar wrote:
>>> OVS GRE IPsec tunnel support has multiple issues, Therefore
>>
>> s/issues,/issues.
>>
>>> it was deprecated in OVS 2.6.
>>>
>>> Following patch removes support GRE IPsec and allow external
>>
>> s/support/support for
>> s/allow/allows
>>
>>> IPsec tunnel management for any type of tunnel not just GRE.
>>>
>>> e.g. user can encrpt Geneve or VxLan traffic.
>>
>> s/encrpt/encrypt
>>
>>> It can be done by using openflow pipeline to set skb-mark
>>> and using xfrm to implement IPsec tunnels. xfrm can match
>>> on the skb-mark to encrypt selective tunnel traffic.
>>
>> Some folks may misinterpret the paragraph above that we are recommending
>> them to use XFRM *directly* as an alternative. XFRM is just NetLink
>> interface to linux kernel to install IPsec keys after these keys have been
>> negotiated by IPsec keying daemon, such as strongSwan, openSwan/libreswan or
>> racoon.
>>
>> Instead I would recommend users to use one of the IPsec keying daemons
>> rather than XFRM directly.
>>
> ok, sounds good, I will update commit msg.
>
>>> VMware-BZ: 1710701
>>> Signed-off-by: Pravin B Shelar
>>> ---
>>> This is targeted for OVS master branch only.
>>> ---
>>>  NEWS                             |   1 +
>>>  README.md                        |   2 +-
>>>  debian/automake.mk               |   7 -
>>>  debian/control                   |  24 --
>>>  debian/openvswitch-ipsec.dirs    |   1 -
>>>  debian/openvswitch-ipsec.init    | 203
>>>  debian/openvswitch-ipsec.install |   1 -
>>>  debian/ovs-monitor-ipsec         | 507 ---
>>>  lib/netdev-vport.c               |  67 +-
>>>  lib/netdev.h                     |   1 -
>>>  ofproto/ofproto-dpif-ipfix.c     |  15 --
>>>  ofproto/ofproto-dpif-sflow.c     |   7 -
>>>  ofproto/tunnel.c                 |  13 -
>>>  tests/automake.mk                |   1 -
>>>  tests/ofproto-macros.at          |  49
>>>  tests/ovn-controller.at          |   2 +-
>>>  tests/ovs-monitor-ipsec.at       | 271 -
>>>  tests/testsuite.at               |   1 -
>>>  tests/tunnel-push-pop-ipv6.at    |   2 +-
>>>  tests/tunnel-push-pop.at         |   2 +-
>>>  tests/tunnel.at                  |  87 +--
>>>  utilities/bugtool/ovs-bugtool.in |   2 +-
>>>  utilities/ovs-appctl.8.in        |   4 +-
>>>  vswitchd/vswitch.xml             |  57 +
>>>  24 files changed, 23 insertions(+), 1304 deletions(-)
>>>  delete mode 100644 debian/openvswitch-ipsec.dirs
>>>  delete mode 100755 debian/openvswitch-ipsec.init
>>>  delete mode 100644 debian/openvswitch-ipsec.install
>>>  delete mode 100755 debian/ovs-monitor-ipsec
>>>  delete mode 100644 tests/ovs-monitor-ipsec.at
>>
>> Assuming you were able to build all other debian packages with "fakeroot
>> debian/rules binary" after removing and editing those files, then
>> Acked-by: Ansis Atteka
>>
> Thanks for review.
>
>> Let me know, if you want me to independently verify that as well?
>
> I will test this but it will be nice if you verify it independently.

I tested it on Debian. It was pretty straightforward to build the Debian
packages. I did not see any issue with the patch, so I pushed it to master.

Thanks.
___
dev mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/dev
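The scheme the commit message and the review above describe (set the skb-mark from the OpenFlow pipeline, let xfrm encrypt only the marked tunnel traffic, and leave key negotiation to an IKE daemon rather than driving xfrm directly) can be written down end to end. The script below is an added example for this page, not code from the patch or from Open vSwitch. The bridge and OpenFlow port numbers, the endpoint addresses 10.0.0.1/10.0.0.2, the mark value 0x100, the Geneve UDP port 6081 and the strongSwan swanctl layout are all assumptions made for the illustration. It emits the OpenFlow flows and the swanctl.conf fragment, which must agree on the mark, and refuses a mark that uses bit 0, the bit the old ovs-monitor-ipsec claimed for its own GRE tunnels.

```shell
#!/bin/sh
# Added example, not code from the patch or from Open vSwitch: wire an OVS
# tunnel port to an IPsec policy keyed on skb_mark, with keying left to
# strongSwan.  All values below are assumptions for the illustration:
# bridge br0, VM on OpenFlow port 1, Geneve port on OpenFlow port 2,
# local endpoint 10.0.0.1, remote endpoint 10.0.0.2, mark 0x100.
# With no arguments the script only prints the two halves; "apply" pushes
# the flows with ovs-ofctl and loads the swanctl config (root required).
set -eu

BR=br0; VM_PORT=1; TUN_PORT=2
LOCAL_IP=10.0.0.1; REMOTE_IP=10.0.0.2
MARK=0x100

# Reject a mark that is zero, wider than the 32-bit skb_mark, or that sets
# bit 0, which ovs-monitor-ipsec in OVS 2.6 and earlier reserved for itself.
check_mark() {
    m=$(( $1 ))
    if [ "$m" -le 0 ] || [ "$m" -gt 4294967295 ]; then
        echo "mark $1 is not a non-zero 32-bit value" >&2
        return 1
    fi
    if [ $(( m & 1 )) -ne 0 ]; then
        echo "mark $1 sets bit 0, reserved by ovs-monitor-ipsec" >&2
        return 1
    fi
    return 0
}

# OpenFlow flows (ovs-ofctl add-flows syntax): only frames the VM sends
# toward the tunnel port get the mark, so xfrm encrypts that tunnel's outer
# packets and nothing else leaving the host.  Everything else is dropped
# rather than falling back to NORMAL, so no unmarked path to the tunnel exists.
# Arguments: VM_PORT TUN_PORT MARK
openflow_flows() {
    printf 'priority=10,in_port=%s,actions=set_field:%s->pkt_mark,output:%s\n' "$1" "$3" "$2"
    printf 'priority=10,in_port=%s,actions=output:%s\n' "$2" "$1"
    printf 'priority=0,actions=drop\n'
}

# strongSwan swanctl.conf fragment: mark_out puts the same mark on the
# outbound xfrm policy and SA, so only marked packets are encrypted, while
# the inbound policy built from the traffic selectors still requires ESP for
# Geneve from the peer (a cleartext Geneve packet from 10.0.0.2 is dropped).
# Inbound SAs stay unmarked and are selected by SPI, so nothing has to mark
# received packets.  Arguments: LOCAL_IP REMOTE_IP MARK
swanctl_conf() {
    cat <<EOF
connections {
    ovs-geneve {
        local_addrs = $1
        remote_addrs = $2
        local {
            auth = psk
            id = $1
        }
        remote {
            auth = psk
            id = $2
        }
        children {
            geneve {
                local_ts = $1[udp/6081]
                remote_ts = $2[udp/6081]
                mode = transport
                mark_out = $3/0xffffffff
                esp_proposals = aes128gcm16-x25519
                start_action = start
            }
        }
    }
}
secrets {
    ike-geneve {
        id = $2
        secret = "replace-with-a-real-shared-secret"
    }
}
EOF
}

main() {
    check_mark "$MARK"
    case "${1:-show}" in
        show)
            openflow_flows "$VM_PORT" "$TUN_PORT" "$MARK"
            swanctl_conf "$LOCAL_IP" "$REMOTE_IP" "$MARK"
            ;;
        apply)
            openflow_flows "$VM_PORT" "$TUN_PORT" "$MARK" | ovs-ofctl add-flows "$BR" -
            swanctl_conf "$LOCAL_IP" "$REMOTE_IP" "$MARK" > /etc/swanctl/conf.d/ovs-geneve.conf
            swanctl --load-all
            ;;
        *)
            echo "usage: $0 [show|apply]" >&2
            exit 2
            ;;
    esac
}

main "$@"
```

Run without arguments it only prints. "apply" needs root, an OVS with the bridge already created, and a strongSwan build that ships swanctl. Only the outbound policy carries the mark; inbound ESP is matched by SPI, so no netfilter marking is needed on receive, and the inbound policy for UDP/6081 from the peer still requires ESP, which is what stops a spoofed cleartext Geneve packet from being accepted. Unmarked traffic to the peer is still sent in the clear, which is the point of selective encryption: if every tunnel to that peer must be encrypted, widen the selector or add a blocking catch-all policy instead of relying on the mark alone.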
Re: [ovs-dev] [PATCH] openvswitch: Allow external IPsec tunnel management.
On Mon, Sep 26, 2016 at 11:49 AM, Ansis Atteka wrote:
> On 26 September 2016 at 03:48, Pravin B Shelar wrote:
>> OVS GRE IPsec tunnel support has multiple issues, Therefore
>
> s/issues,/issues.
>
>> it was deprecated in OVS 2.6.
>>
>> Following patch removes support GRE IPsec and allow external
>
> s/support/support for
> s/allow/allows
>
>> IPsec tunnel management for any type of tunnel not just GRE.
>>
>> e.g. user can encrpt Geneve or VxLan traffic.
>
> s/encrpt/encrypt
>
>> It can be done by using openflow pipeline to set skb-mark
>> and using xfrm to implement IPsec tunnels. xfrm can match
>> on the skb-mark to encrypt selective tunnel traffic.
>
> Some folks may misinterpret the paragraph above that we are recommending
> them to use XFRM *directly* as an alternative. XFRM is just NetLink
> interface to linux kernel to install IPsec keys after these keys have been
> negotiated by IPsec keying daemon, such as strongSwan, openSwan/libreswan or
> racoon.
>
> Instead I would recommend users to use one of the IPsec keying daemons
> rather than XFRM directly.
>
ok, sounds good, I will update commit msg.

>> VMware-BZ: 1710701
>> Signed-off-by: Pravin B Shelar
>> ---
>> This is targeted for OVS master branch only.
>> ---
>>  NEWS                             |   1 +
>>  README.md                        |   2 +-
>>  debian/automake.mk               |   7 -
>>  debian/control                   |  24 --
>>  debian/openvswitch-ipsec.dirs    |   1 -
>>  debian/openvswitch-ipsec.init    | 203
>>  debian/openvswitch-ipsec.install |   1 -
>>  debian/ovs-monitor-ipsec         | 507 ---
>>  lib/netdev-vport.c               |  67 +-
>>  lib/netdev.h                     |   1 -
>>  ofproto/ofproto-dpif-ipfix.c     |  15 --
>>  ofproto/ofproto-dpif-sflow.c     |   7 -
>>  ofproto/tunnel.c                 |  13 -
>>  tests/automake.mk                |   1 -
>>  tests/ofproto-macros.at          |  49
>>  tests/ovn-controller.at          |   2 +-
>>  tests/ovs-monitor-ipsec.at       | 271 -
>>  tests/testsuite.at               |   1 -
>>  tests/tunnel-push-pop-ipv6.at    |   2 +-
>>  tests/tunnel-push-pop.at         |   2 +-
>>  tests/tunnel.at                  |  87 +--
>>  utilities/bugtool/ovs-bugtool.in |   2 +-
>>  utilities/ovs-appctl.8.in        |   4 +-
>>  vswitchd/vswitch.xml             |  57 +
>>  24 files changed, 23 insertions(+), 1304 deletions(-)
>>  delete mode 100644 debian/openvswitch-ipsec.dirs
>>  delete mode 100755 debian/openvswitch-ipsec.init
>>  delete mode 100644 debian/openvswitch-ipsec.install
>>  delete mode 100755 debian/ovs-monitor-ipsec
>>  delete mode 100644 tests/ovs-monitor-ipsec.at
>
> Assuming you were able to build all other debian packages with "fakeroot
> debian/rules binary" after removing and editing those files, then
> Acked-by: Ansis Atteka
>
Thanks for review.

> Let me know, if you want me to independently verify that as well?

I will test this but it will be nice if you verify it independently.
Re: [ovs-dev] [PATCH] openvswitch: Allow external IPsec tunnel management.
On 26 September 2016 at 03:48, Pravin B Shelar wrote:
> OVS GRE IPsec tunnel support has multiple issues, Therefore

s/issues,/issues.

> it was deprecated in OVS 2.6.
>
> Following patch removes support GRE IPsec and allow external

s/support/support for
s/allow/allows

> IPsec tunnel management for any type of tunnel not just GRE.
>
> e.g. user can encrpt Geneve or VxLan traffic.

s/encrpt/encrypt

> It can be done by using openflow pipeline to set skb-mark
> and using xfrm to implement IPsec tunnels. xfrm can match
> on the skb-mark to encrypt selective tunnel traffic.

Some folks may misinterpret the paragraph above that we are recommending
them to use XFRM *directly* as an alternative. XFRM is just NetLink
interface to linux kernel to install IPsec keys after these keys have been
negotiated by IPsec keying daemon, such as strongSwan, openSwan/libreswan or
racoon.

Instead I would recommend users to use one of the IPsec keying daemons
rather than XFRM directly.

> VMware-BZ: 1710701
> Signed-off-by: Pravin B Shelar > --- > This is targeted for OVS master branch only. > --- > NEWS | 1 + > README.md| 2 +- debian/automake.mk | 7 - > debian/control | 24 -- > debian/openvswitch-ipsec.dirs| 1 - > debian/openvswitch-ipsec.init| 203 > debian/openvswitch-ipsec.install | 1 - > debian/ovs-monitor-ipsec | 507 -- > - > lib/netdev-vport.c | 67 +- > lib/netdev.h | 1 - > ofproto/ofproto-dpif-ipfix.c | 15 -- > ofproto/ofproto-dpif-sflow.c | 7 - > ofproto/tunnel.c | 13 - > tests/automake.mk| 1 - > tests/ofproto-macros.at | 49 > tests/ovn-controller.at | 2 +- > tests/ovs-monitor-ipsec.at | 271 - > tests/testsuite.at | 1 - > tests/tunnel-push-pop-ipv6.at| 2 +- > tests/tunnel-push-pop.at | 2 +- > tests/tunnel.at | 87 +-- > utilities/bugtool/ovs-bugtool.in | 2 +- > utilities/ovs-appctl.8.in| 4 +- > vswitchd/vswitch.xml | 57 + > 24 files changed, 23 insertions(+), 1304 deletions(-) > delete mode 100644 debian/openvswitch-ipsec.dirs > delete mode 100755 debian/openvswitch-ipsec.init > delete mode 100644 debian/openvswitch-ipsec.install > delete mode 100755 debian/ovs-monitor-ipsec > delete mode 100644 tests/ovs-monitor-ipsec.at Assuming you were able to build all other debian packages with "fakeroot debian/rules binary" after removing and editing those files, then Acked-by: Ansis Atteka Let me know, if you want me to independently verify that as well? > > > diff --git a/NEWS b/NEWS > index 6e284aa..069ab42 100644 > --- a/NEWS > +++ b/NEWS > @@ -25,6 +25,7 @@ Post-v2.6.0 > * TLV mappings for protocols such as Geneve are now segregated on > a per-OpenFlow bridge basis rather than globally. (The interface > has not changed.) > + * Removed support for IPsec tunnels. > > v2.6.0 - xx xxx > - > diff --git a/README.md b/README.md > index cf53437..53b0faf 100644 > --- a/README.md > +++ b/README.md 
> @@ -30,7 +30,7 @@ vSwitch supports the following features: > * NIC bonding with or without LACP on upstream switch > * NetFlow, sFlow(R), and mirroring for increased visibility > * QoS (Quality of Service) configuration, plus policing > -* Geneve, GRE, GRE over IPSEC, VXLAN, and LISP tunneling > +* Geneve, GRE, VXLAN, STT, and LISP tunneling > * 802.1ag connectivity fault management > * OpenFlow 1.0 plus numerous extensions > * Transactional configuration database with C and Python bindings > diff --git a/debian/automake.mk b/debian/automake.mk > index 73b4d00..2da7055 100644 > --- a/debian/automake.mk > +++ b/debian/automake.mk > @@ -19,9 +19,6 @@ EXTRA_DIST += \ > debian/openvswitch-datapath-source.dirs \ > debian/openvswitch-datapath-source.install \ > debian/openvswitch-dev.install \ > - debian/openvswitch-ipsec.dirs \ > - debian/openvswitch-ipsec.init \ > - debian/openvswitch-ipsec.install \ > debian/openvswitch-pki.dirs \ > debian/openvswitch-pki.postinst \ > debian/openvswitch-pki.postrm \ > @@ -71,7 +68,6 @@ EXTRA_DIST += \ > debian/ovn-host.postinst \ > debian/ovn-host.postrm \ > debian/ovn-host.template \ > - debian/ovs-monitor-ipsec \ > debian/python-openvswitch.dirs \ > debian/python-openvswitch.install \ > debian/rules \ > @@ -79,9 +75,6 @@ EXTRA_DIST += \ > debian/ifupdown.sh \ > debian/source/format > > -FLAKE8_PYFILES += \ > - debian/ovs-monitor-ipsec > - > check-debian-changelog-version: > @DEB_VERSION=`echo '$(VERSION)' | sed 's/pre/~pre/'`; > \ > if $(FGREP) '($(DEB_VERSION)' $(srcdir)/
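Review bot: In the NEWS hunk, "Removed support for IPsec tunnels." tells an operator whose database still has ipsec_gre ports only that they stopped working; the commit message says the replacement is an external IPsec keying daemon with xfrm policies keyed on the skb-mark that the OpenFlow pipeline sets, so name the removed port type (ipsec_gre) and that replacement in the entry, which is what an operator reads before upgrading.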
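Review bot: The README.md hunk does two things: it drops "GRE over IPSEC" from the tunneling list, which is this patch, and it adds STT to that list, which is unrelated; either mention the STT correction in the commit message or move it to its own patch so a feature-list change is not hidden inside an IPsec removal.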
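Review bot: The debian/automake.mk hunk drops the openvswitch-ipsec packaging files from EXTRA_DIST and FLAKE8_PYFILES, and the diffstat shows debian/control losing 24 lines, presumably the openvswitch-ipsec package stanza, but no change to debian/changelog; a binary package that stops being built should be recorded there, since that is the only place a Debian user or packager sees it disappear.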
Re: [ovs-dev] [PATCH] openvswitch: Allow external IPsec tunnel management.
On Fri, Sep 23, 2016 at 12:54 PM, Ansis Atteka wrote:
> On Fri, Sep 23, 2016 at 1:12 AM, pravin shelar wrote:
>> On Thu, Sep 22, 2016 at 11:59 AM, Ansis Atteka wrote:
>>> On 20 September 2016 at 20:52, Pravin B Shelar wrote:
>>>> OVS IPsec tunnel support has issues:
>>>> 1. It only works for GRE.
>>>> 2. only works on Debian.
>>>> 3. It does not allow user to match on packet-mark
>>>>    on packet received on tunnel ports.
>>>>
>>>> Therefore following patch provides an alternative to completely
>>>> disable ipsec-tunnel support by vswitchd command line option.
>>>> This way user can use external daemon to manage IPsec tunnel
>>>> traffic and steer it using skb-mark match action in OVS bridge.
>>>>
>>>> This patch deprecates support for IPsec tunnel port.
>>>
>>> There are other alternative solutions worth mentioning:
>>> 1) remove the special meaning of skb_mark bit #0 and update
>>> ovs-monitor-ipsec not to depend on a hardcoded skb_mark value at all (I think
>>> this can be done with some trickery);
>>
>> I am not sure what this means. How are you going to match on IPsec traffic?
>>
>>> 2) allow users to choose an OVS mode where OVS can be explicitly told to either
>>> use skb_mark for its own needs (e.g. IPsec) OR to pass skb_mark to the OpenFlow
>>> pipeline as-is;
>>
>> This is basically what this patch does, but I have sent another patch to
>> just deprecate IPsec support. I have mentioned the reasoning for the
>> change there.
>>
>> http://openvswitch.org/pipermail/dev/2016-September/079770.html
>>
>>> 3) leave bit #0 assigned to IPsec and let OpenFlow match only on bits
>>> #1-32.
>>>
>>> Your solution is kind of like 2), except it discourages users from configuring OVS
>>> in a way where it consumes skb_mark for itself.
>>>
>>> I think solution 1) could be implemented even after your patch. Except,
>>> maybe then we should not mention that IPsec will be deprecated in the next
>>> release. Also, I would need to think about how to address corner cases if
>>> ovs-monitor-ipsec can't use skb_mark anymore.
>>>
>>> Solution 3) would be great from the ovs-monitor-ipsec perspective because it
>>> would not need to change. However, it possibly would make OpenFlow skb_mark
>>> matching look weird compared to other fields that OVS can match on.
>>>
>>
>> I do not like solution 3. It does not allow the OVS user to use all bits
>> of skb-mark even when there is no IPsec involved, which is what the linux
>> networking stack provides.
>
> The reason why IPsec needed this one skb mark bit was because,
> otherwise, Linux IP stack (in particular "xfrm lookup" hook -
> https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg)
> really does not have the slightest idea whether a GRE packet came from the gre
> or ipsec_gre port.
>
> If this bit is taken away from ovs-monitor-ipsec, because we want OVS
> users to be able to use all 32 bits of skb mark in an arbitrary
> manner, then, yes, ipsec_* tunnel support must be removed, because,
> then from the Linux IP stack point of view ipsec_gre and gre would look
> the same. So let's just move on with your patch then.
>

I am not objecting to using one bit for IPsec tunnels. That is required to
make IPsec tunnels work on linux. My proposal is to let the user set the skb
mark using the open-flow pipeline, so that he has complete control over all
bits in the skb-mark. In this scheme the user configures skb-mark and xfrm to
implement IPsec tunnels. OVS does not need to support this port type.

> I guess you will send V2 after addressing implementation related
> comments that I had?

I have posted another patch to deprecate IPsec.
http://openvswitch.org/pipermail/dev/2016-September/079770.html
Re: [ovs-dev] [PATCH] openvswitch: Allow external IPsec tunnel management.
On Fri, Sep 23, 2016 at 1:12 AM, pravin shelar wrote:
> On Thu, Sep 22, 2016 at 11:59 AM, Ansis Atteka wrote:
>> On 20 September 2016 at 20:52, Pravin B Shelar wrote:
>>> OVS IPsec tunnel support has issues:
>>> 1. It only works for GRE.
>>> 2. only works on Debian.
>>> 3. It does not allow user to match on packet-mark
>>>    on packet received on tunnel ports.
>>>
>>> Therefore following patch provides an alternative to completely
>>> disable ipsec-tunnel support by vswitchd command line option.
>>> This way user can use external daemon to manage IPsec tunnel
>>> traffic and steer it using skb-mark match action in OVS bridge.
>>>
>>> This patch deprecates support for IPsec tunnel port.
>>
>> There are other alternative solutions worth mentioning:
>> 1) remove the special meaning of skb_mark bit #0 and update
>> ovs-monitor-ipsec not to depend on a hardcoded skb_mark value at all (I think
>> this can be done with some trickery);
>
> I am not sure what this means. How are you going to match on IPsec traffic?
>
>> 2) allow users to choose an OVS mode where OVS can be explicitly told to either
>> use skb_mark for its own needs (e.g. IPsec) OR to pass skb_mark to the OpenFlow
>> pipeline as-is;
>
> This is basically what this patch does, but I have sent another patch to
> just deprecate IPsec support. I have mentioned the reasoning for the
> change there.
>
> http://openvswitch.org/pipermail/dev/2016-September/079770.html
>
>> 3) leave bit #0 assigned to IPsec and let OpenFlow match only on bits
>> #1-32.
>>
>> Your solution is kind of like 2), except it discourages users from configuring OVS
>> in a way where it consumes skb_mark for itself.
>>
>> I think solution 1) could be implemented even after your patch. Except,
>> maybe then we should not mention that IPsec will be deprecated in the next
>> release. Also, I would need to think about how to address corner cases if
>> ovs-monitor-ipsec can't use skb_mark anymore.
>>
>> Solution 3) would be great from the ovs-monitor-ipsec perspective because it
>> would not need to change. However, it possibly would make OpenFlow skb_mark
>> matching look weird compared to other fields that OVS can match on.
>>
>
> I do not like solution 3. It does not allow the OVS user to use all bits
> of skb-mark even when there is no IPsec involved, which is what the linux
> networking stack provides.

The reason why IPsec needed this one skb mark bit was because,
otherwise, Linux IP stack (in particular "xfrm lookup" hook -
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg)
really does not have the slightest idea whether a GRE packet came from the gre
or ipsec_gre port.

If this bit is taken away from ovs-monitor-ipsec, because we want OVS
users to be able to use all 32 bits of skb mark in an arbitrary
manner, then, yes, ipsec_* tunnel support must be removed, because,
then from the Linux IP stack point of view ipsec_gre and gre would look
the same. So let's just move on with your patch then.

I guess you will send V2 after addressing implementation related
comments that I had?
Re: [ovs-dev] [PATCH] openvswitch: Allow external IPsec tunnel management.
On Thu, Sep 22, 2016 at 11:59 AM, Ansis Atteka wrote:
> On 20 September 2016 at 20:52, Pravin B Shelar wrote:
>> OVS IPsec tunnel support has issues:
>> 1. It only works for GRE.
>> 2. only works on Debian.
>> 3. It does not allow user to match on packet-mark
>>    on packet received on tunnel ports.
>>
>> Therefore following patch provides an alternative to completely
>> disable ipsec-tunnel support by vswitchd command line option.
>> This way user can use external daemon to manage IPsec tunnel
>> traffic and steer it using skb-mark match action in OVS bridge.
>>
>> This patch deprecates support for IPsec tunnel port.
>
> There are other alternative solutions worth mentioning:
> 1) remove the special meaning of skb_mark bit #0 and update
> ovs-monitor-ipsec not to depend on a hardcoded skb_mark value at all (I think
> this can be done with some trickery);

I am not sure what this means. How are you going to match on IPsec traffic?

> 2) allow users to choose an OVS mode where OVS can be explicitly told to either
> use skb_mark for its own needs (e.g. IPsec) OR to pass skb_mark to the OpenFlow
> pipeline as-is;

This is basically what this patch does, but I have sent another patch to
just deprecate IPsec support. I have mentioned the reasoning for the
change there.

http://openvswitch.org/pipermail/dev/2016-September/079770.html

> 3) leave bit #0 assigned to IPsec and let OpenFlow match only on bits
> #1-32.
>
> Your solution is kind of like 2), except it discourages users from configuring OVS
> in a way where it consumes skb_mark for itself.
>
> I think solution 1) could be implemented even after your patch. Except,
> maybe then we should not mention that IPsec will be deprecated in the next
> release. Also, I would need to think about how to address corner cases if
> ovs-monitor-ipsec can't use skb_mark anymore.
>
> Solution 3) would be great from the ovs-monitor-ipsec perspective because it
> would not need to change.
> However, it possibly would make OpenFlow skb_mark
> matching look weird compared to other fields that OVS can match on.

I do not like solution 3. It does not allow the OVS user to use all bits
of skb-mark even when there is no IPsec involved, which is what the linux
networking stack provides.
Re: [ovs-dev] [PATCH] openvswitch: Allow external IPsec tunnel management.
On 20 September 2016 at 20:52, Pravin B Shelar wrote:
> OVS IPsec tunnel support has issues:
> 1. It only works for GRE.
> 2. only works on Debian.
> 3. It does not allow user to match on packet-mark
>    on packet received on tunnel ports.
>
> Therefore following patch provides an alternative to completely
> disable ipsec-tunnel support by vswitchd command line option.
> This way user can use external daemon to manage IPsec tunnel
> traffic and steer it using skb-mark match action in OVS bridge.
>
> This patch deprecates support for IPsec tunnel port.
>
There are other alternative solutions worth mentioning:
1) remove the special meaning of skb_mark bit #0 and update
ovs-monitor-ipsec not to depend on a hardcoded skb_mark value at all (I think
this can be done with some trickery);
2) allow users to choose an OVS mode where OVS can be explicitly told to either
use skb_mark for its own needs (e.g. IPsec) OR to pass skb_mark to the OpenFlow
pipeline as-is;
3) leave bit #0 assigned to IPsec and let OpenFlow match only on bits
#1-32.

Your solution is kind of like 2), except it discourages users from configuring
OVS in a way where it consumes skb_mark for itself.

I think solution 1) could be implemented even after your patch. Except,
maybe then we should not mention that IPsec will be deprecated in the next
release. Also, I would need to think about how to address corner cases if
ovs-monitor-ipsec can't use skb_mark anymore.

Solution 3) would be great from the ovs-monitor-ipsec perspective because it
would not need to change. However, it possibly would make OpenFlow skb_mark
matching look weird compared to other fields that OVS can match on.
> Signed-off-by: Pravin B Shelar
> ---
> NEWS| 2 ++
> debian/changelog| 2 ++
> debian/control | 1 +
> lib/netdev-vport.c | 3 +++
> lib/netdev.c| 1 +
> lib/netdev.h| 1 +
> ofproto/tunnel.c| 30 ++
> ofproto/tunnel.h| 2 ++
> vswitchd/ovs-vswitchd.c | 7 +++
> vswitchd/vswitch.xml| 8
> 10 files changed, 49 insertions(+), 8 deletions(-)
>
> diff --git a/NEWS b/NEWS
> index 21ab538..057edfd 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -149,6 +149,8 @@ v2.6.0 - xx xxx
> * Flow based tunnel match and action can be used for IPv6 address
> using
> tun_ipv6_src, tun_ipv6_dst fields.
> * Added support for IPv6 tunnels, for details checkout FAQ.
> + * Allow external IPsec tunnel management. Deprecated support for
> IPsec
> + tunnels ports.
>
s/tunnels/tunnel
- A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port and
> watch with tcpdump
> - Introduce --no-self-confinement flag that allows daemons to work with
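Review bot: The NEWS entry announces the deprecation but does not name the vswitchd command-line option that disables IPsec tunnel support, which the commit message says this patch adds, nor what replaces the ipsec_* ports (an external keying daemon with xfrm policies keyed on the skb-mark set from the OpenFlow pipeline), nor the release in which the ports go away; add all three, since NEWS is what an operator reads before upgrading.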
> diff --git a/debian/changelog b/debian/changelog
> index d73e636..8add140 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -108,6 +108,8 @@ openvswitch (2.6.0-1) unstable; urgency=low
> * Flow based tunnel match and action can be used for IPv6 address
> using
> tun_ipv6_src, tun_ipv6_dst fields.
> * Added support for IPv6 tunnels, for details checkout FAQ.
> + * Allow external IPsec tunnel management. Deprecated support for
> IPsec
> + tunnels ports.
>
same here
> - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port
> and
> watch with tcpdump
> - Introduce --no-self-confinement flag that allows daemons to work with
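Review bot: This entry repeats the NEWS wording under the existing 2.6.0-1 stanza, so the same omissions apply (the option name, the replacement and the removal release); in addition, since the Debian package that ships ovs-monitor-ipsec is openvswitch-ipsec, say here that it is that package which is deprecated, because the package name is what a Debian user greps the changelog for.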
> diff --git a/debian/control b/debian/control
> index 6e704f1..da86fe9 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -200,6 +200,7 @@ Description: Open vSwitch GRE-over-IPsec support
> .
> The ovs-monitor-ipsec script provides support for encrypting GRE
> tunnels with IPsec.
> + IPsec tunnels support is deprecated.
>
s/tunnels/tunneling
>
> Package: openvswitch-pki
> Architecture: all
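Review bot: The deprecation notice is appended as the last line of the openvswitch-ipsec long Description, after the sentence that still advertises ovs-monitor-ipsec, and it does not say what to use instead; apt shows this Description, so put the notice first and state the replacement the commit message gives (an IPsec keying daemon with xfrm policies matched on the skb-mark set from OpenFlow) together with the release in which the package stops being built.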
> diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c
> index 8d22cf5..6bf4d2d 100755
> --- a/lib/netdev-vport.c
> +++ b/lib/netdev-vport.c
> @@ -543,6 +543,9 @@ set_tunnel_config(struct netdev *dev_, const struct
> smap *args)
> static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER;
> static pid_t pid = 0;
>
> +VLOG_ERR("%s: OVS IPsec tunnel support is deprecated. "
> + "See man page for details", name);
> +
>
I believe IPsec does not work anymore with the command line argument you
introduced. Should you give a special warning message in that case?
> #ifndef _WIN32
> ovs_mutex_lock(&mutex);
> if (pid <= 0) {
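Review bot: The added VLOG_ERR in set_tunnel_config() runs on every call, so each reconfiguration of an ipsec_* port writes an error-level message; a deprecation notice belongs at warning level and should not repeat, i.e. VLOG_WARN_ONCE or a rate-limited VLOG_WARN_RL, and "See man page for details" should name the page and section where the new option is documented (the vswitch.xml change in this series, per the diffstat). Separately, when the new vswitchd option has turned IPsec tunnels off, this path should not merely warn: whether such a port then carries traffic in the clear or no traffic at all is not visible in this hunk, but either way the port should be refused with an error that says so, otherwise an operator gets a deprecation warning and a tunnel that does not do what its type name promises.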
> diff --git a/lib/netdev.c b/lib/netdev.c
> index 6c4c657..a626f18 100644
> --- a/lib/netdev.c
> +++ b/lib/netdev.c
> @@ -98,6 +98,7 @@ static struct vlog_rate_limit rl =
> VLOG_RATE_LIMIT_INIT(5, 20);
>
> static void restore_all_flags(void *aux OVS_UNUSED);
> void update_device_args(struct netdev *, const struct shash *args);
> +bool enable_ipsec_tnl = true;
>
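Review bot: "bool enable_ipsec_tnl = true;" is an exported, writable global with no comment; it is declared in lib/netdev.h and, per the diffstat, written from vswitchd/ovs-vswitchd.c and read from lib/netdev-vport.c, so document next to the definition that it must be set before any tunnel netdev is configured (it is read at configuration time with no synchronisation), or expose it through a setter in netdev.h rather than a bare symbol that any user of the library can flip.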
Wouldn't it be preferred that enable_ipsec_tnl is set to false by default?
Otherwi
