On Mon, Jan 20, 2014 at 5:55 PM, Ansis Atteka <aatt...@nicira.com> wrote:
> Without these two iptables rules (one for UDP encapsulated IPsec and
> another for direct IPsec), ovs-vswitchd would incorrectly conclude
> that GRE packet belonged to a plain GRE tunnel instead of IPsec GRE
> tunnel.
>
> Reported-by: Aryan TaheriMonfared <aryan.taherimonfa...@uis.no>
> Reported-by: Daniel Hiltgen <dan...@netkine.com>
> Signed-off-by: Ansis Atteka <aatt...@nicira.com>
> ---
Looks good to me. Should you be adding the reporters to AUTHORS?
Thanks,
Guru
> debian/openvswitch-ipsec.init | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
> index 8e5c7b2..a39dd40 100755
> --- a/debian/openvswitch-ipsec.init
> +++ b/debian/openvswitch-ipsec.init
> @@ -70,11 +70,23 @@ running() {
> return 0
> }
>
> +uninstall_mark_rule() {
> + iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 || return 0
> +}
> +
> +install_mark_rule() {
> + if ( ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2>
> /dev/null); then
> + iptables -A INPUT -t mangle $1 -j MARK --set-mark 1/1
> + fi
> +}
> +
> start_server() {
> if [ ! -d /var/run/openvswitch ]; then
> install -d -m 755 -o root -g root /var/run/openvswitch
> fi
>
> + install_mark_rule "-p esp"
> + install_mark_rule "-p udp --dport 4500"
> /usr/share/openvswitch/scripts/ovs-monitor-ipsec \
> --pidfile=$PIDFILE --log-file --detach --monitor \
> unix:/var/run/openvswitch/db.sock
> @@ -86,6 +98,8 @@ stop_server() {
> if [ -e $PIDFILE ]; then
> kill `cat $PIDFILE`
> fi
> + uninstall_mark_rule "-p esp"
> + uninstall_mark_rule "-p udp --dport 4500"
>
> return 0
> }
> --
> 1.8.1.2
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
