If ipsec_gre tunnel configuration is changed in OVSDB,
then GRE packets may sometimes exit unencrypted until
per-tunnel IPsec policies are installed by ovs-monitor-ipsec
daemon.
This patch fixes this issue by installing single, low
priority IPsec block policy that drops all GRE packets
coming out from ipsec_gre tunnels that do not have yet
their own IPsec policies installed.
This patch depends on to two other recently committed
patches:
1. 574ff4aa (tunneling: get skb marking to work
properly with tunnels)
2. ca3574d5 (IPsec: refactor out some code in
OVS_MONITOR_IPSEC_START macro)
Signed-off-by: Ansis Atteka <aatt...@ovn.org>
Reported-by: Steffen Birkeland <steff...@stud.ntnu.no>
---
debian/control | 1 +
debian/ovs-monitor-ipsec | 16 ++++++++++++++--
tests/ofproto-macros.at | 7 +++++++
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/debian/control b/debian/control
index 480ff5c..6e704f1 100644
--- a/debian/control
+++ b/debian/control
@@ -181,6 +181,7 @@ Description: OVN Docker drivers
Package: openvswitch-ipsec
Architecture: linux-any
Depends: ipsec-tools (>=0.8~alpha20101208),
+ iproute2,
openvswitch-common (= ${binary:Version}),
openvswitch-switch (= ${binary:Version}),
python,
diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index 091896d..e6617b0 100755
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -45,7 +45,9 @@ import six
vlog = ovs.vlog.Vlog("ovs-monitor-ipsec")
root_prefix = '' # Prefix for absolute file names, for testing.
SETKEY = "/usr/sbin/setkey"
+IP = "/sbin/ip"
exiting = False
+IPSEC_MARK = "1"
def unixctl_exit(conn, unused_argv, unused_aux):
@@ -281,6 +283,12 @@ class IPsec(object):
p.stdin.write(cmds)
return p.communicate()[0]
+ def call_ip_xfrm(self, cmds):
+ exitcode = subprocess.call([root_prefix + IP, "xfrm"] + cmds)
+ if exitcode != 0:
+ vlog.err("couldn't install IPsec policy that prevents "
+ "traffic from exiting unencrypted")
+
def get_spi(self, local_ip, remote_ip, proto="esp"):
# Run the setkey dump command to retrieve the SAD. Then, parse
# the output looking for SPI buried in the output. Note that
@@ -322,6 +330,10 @@ class IPsec(object):
def spd_flush(self):
self.call_setkey("spdflush;\n")
+ self.call_ip_xfrm(["policy", "add", "src", "0.0.0.0/0", "dst",
+ "0.0.0.0/0", "proto", "gre", "dir", "out",
+ "mark", IPSEC_MARK, "mask", IPSEC_MARK,
+ "action", "block", "priority", "4294967295"]);
def spd_add(self, local_ip, remote_ip):
cmds = ("spdadd %s %s gre -P out ipsec esp/transport//require;\n" %
@@ -413,6 +425,8 @@ def main():
schema_helper.register_columns("SSL", ["certificate", "private_key"])
idl = ovs.db.idl.Idl(remote, schema_helper)
+ ipsec = IPsec()
+
ovs.daemon.daemonize()
ovs.unixctl.command_register("exit", "", 0, 0, unixctl_exit, None)
@@ -420,8 +434,6 @@ def main():
if error:
ovs.util.ovs_fatal(error, "could not create unixctl server", vlog)
- ipsec = IPsec()
-
interfaces = {}
seqno = idl.change_seqno # Sequence number when we last processed the db
while True:
diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
index 2709efb..79dedf4 100644
--- a/tests/ofproto-macros.at
+++ b/tests/ofproto-macros.at
@@ -480,6 +480,7 @@ on_exit 'kill `cat pid ovs-monitor-ipsec.pid`'
mkdir etc etc/init.d etc/racoon etc/racoon/certs
mkdir usr usr/sbin
+mkdir sbin
AT_DATA([etc/init.d/racoon], [dnl
#! /bin/sh
@@ -498,6 +499,12 @@ done
])
chmod +x usr/sbin/setkey
+AT_DATA([sbin/ip], [dnl
+#! /bin/sh
+exit 0
+])
+chmod +x sbin/ip
+
touch etc/racoon/certs/ovs-stale.pem
###
--
2.7.4
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
