On Mon, Jan 20, 2014 at 5:55 PM, Ansis Atteka <aatt...@nicira.com> wrote:
> Without these two iptables rules (one for UDP encapsulated IPsec and
> another for direct IPsec), ovs-vswitchd would incorrectly conclude
> that a GRE packet belonged to a plain GRE tunnel instead of an IPsec GRE
> tunnel.
>
> Reported-by: Aryan TaheriMonfared <aryan.taherimonfa...@uis.no>
> Reported-by: Daniel Hiltgen <dan...@netkine.com>
> Signed-off-by: Ansis Atteka <aatt...@nicira.com>
> ---

Looks good to me. Should you be adding the reporters to AUTHORS?
Thanks, Guru > debian/openvswitch-ipsec.init | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > > diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init > index 8e5c7b2..a39dd40 100755 > --- a/debian/openvswitch-ipsec.init > +++ b/debian/openvswitch-ipsec.init > @@ -70,11 +70,23 @@ running() { > return 0 > } > > +uninstall_mark_rule() { > + iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 || return 0 > +} > + > +install_mark_rule() { > + if ( ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2> > /dev/null); then > + iptables -A INPUT -t mangle $1 -j MARK --set-mark 1/1 > + fi > +} > + > start_server() { > if [ ! -d /var/run/openvswitch ]; then > install -d -m 755 -o root -g root /var/run/openvswitch > fi > > + install_mark_rule "-p esp" > + install_mark_rule "-p udp --dport 4500" > /usr/share/openvswitch/scripts/ovs-monitor-ipsec \ > --pidfile=$PIDFILE --log-file --detach --monitor \ > unix:/var/run/openvswitch/db.sock > @@ -86,6 +98,8 @@ stop_server() { > if [ -e $PIDFILE ]; then > kill `cat $PIDFILE` > fi > + uninstall_mark_rule "-p esp" > + uninstall_mark_rule "-p udp --dport 4500" > > return 0 > } > -- > 1.8.1.2 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > http://openvswitch.org/mailman/listinfo/dev
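Review bot: in the first hunk (`install_mark_rule`), idempotence rests entirely on `iptables -C`, which older iptables releases (before 1.4.11) do not implement; there the check command exits non-zero, `!` turns that into a true condition, and every service start appends one more identical `MARK --set-mark 1/1` rule to mangle INPUT. A delete-then-append sequence (`uninstall_mark_rule "$1"` followed by the `-A`) is idempotent on any iptables version and removes the dependency. The `if ( ! iptables -C ... )` form also spawns a needless subshell; `if ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2>/dev/null; then` is enough. Finally, the unquoted `$1` is deliberate (it must word-split `"-p udp --dport 4500"` into separate arguments) and the meaning of mark 1/1 is only explained in the commit message, so both deserve a one-line comment in the script itself.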
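Review bot: in the second hunk (`stop_server`), each `uninstall_mark_rule` call removes exactly one matching rule and `|| return 0` masks any failure, so if duplicate copies ever accumulated in mangle INPUT (for example after a start without a matching stop), stop leaves the extras behind and ESP and UDP/4500 traffic keeps being marked after the service is down. A loop such as `while iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 2>/dev/null; do :; done` clears every copy and still returns 0 when nothing is left. Running the cleanup unconditionally, rather than only inside the `$PIDFILE` branch, is the right choice since it also repairs a stale rule left by a crashed daemon.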