On 21 September 2016 at 03:26, Pravin B Shelar <pshe...@ovn.org> wrote:
> OVS IPsec tunnel support has issues:
> 1. It only works for GRE.
> 2. only works on Debian.
> 3. It does not allow user to match on packet-mark
>    on packet received on tunnel ports.
>
> This patch deprecates support for IPsec tunnel port.
>
> Signed-off-by: Pravin B Shelar <pshe...@ovn.org>
> ---
> After discussing this patch with Jesse, I have decided to
> just deprecate this feature and not provide any option
> to allow external IPsec tunnel management. The reason is
> that this option would again cause compatibility
> issues when IPsec tunnel port support is removed. Considering
> this feature is not much used it is better to just
> deprecate it for OVS 2.6.
> ---
> NEWS | 1 + > debian/changelog | 1 + > debian/control | 1 + > lib/netdev-vport.c | 2 ++ > vswitchd/vswitch.xml | 3 +++ > 5 files changed, 8 insertions(+) > > diff --git a/NEWS b/NEWS > index 21ab538..9363e91 100644 > --- a/NEWS > +++ b/NEWS > @@ -149,6 +149,7 @@ v2.6.0 - xx xxx xxxx > * Flow based tunnel match and action can be used for IPv6 address > using > tun_ipv6_src, tun_ipv6_dst fields. > * Added support for IPv6 tunnels, for details checkout FAQ. > + * Deprecated support for IPsec tunnels ports. > - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port > and > watch with tcpdump > - Introduce --no-self-confinement flag that allows daemons to work with > diff --git a/debian/changelog b/debian/changelog > index d73e636..13aae36 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -108,6 +108,7 @@ openvswitch (2.6.0-1) unstable; urgency=low > * Flow based tunnel match and action can be used for IPv6 address > using > tun_ipv6_src, tun_ipv6_dst fields. > * Added support for IPv6 tunnels, for details checkout FAQ. > + * Deprecated support for IPsec tunnels ports. > - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port > and > watch with tcpdump > - Introduce --no-self-confinement flag that allows daemons to work with
> diff --git a/debian/control b/debian/control > index 6e704f1..da86fe9 100644 > --- a/debian/control > +++ b/debian/control > @@ -200,6 +200,7 @@ Description: Open vSwitch GRE-over-IPsec support > . > The ovs-monitor-ipsec script provides support for encrypting GRE > tunnels with IPsec. > + IPsec tunnels support is deprecated. > > Package: openvswitch-pki > Architecture: all > diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c > index 8d22cf5..ac31da6 100755 > --- a/lib/netdev-vport.c > +++ b/lib/netdev-vport.c > @@ -543,6 +543,8 @@ set_tunnel_config(struct netdev *dev_, const struct > smap *args) > static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER; > static pid_t pid = 0; > > + VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name); > + > #ifndef _WIN32 > ovs_mutex_lock(&mutex); > if (pid <= 0) { > diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml > index e73023d..6381cc8 100644 > --- a/vswitchd/vswitch.xml > +++ b/vswitchd/vswitch.xml > @@ -2008,6 +2008,9 @@ > <dd> > An Ethernet over RFC 2890 Generic Routing Encapsulation over > IPv4/IPv6 > IPsec tunnel. > + IPsec tunnel port are deprecated. The support will be > completely >

Here is a small typo that you may want to fix "tunnel port*s* are". Just squash it in and push.

Acked-by: Ansis Atteka <aatt...@ovn.org>
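
Review bot: The added NEWS entry, repeated verbatim in debian/changelog, reads "IPsec tunnels ports"; it should be "IPsec tunnel ports". The entry also gives no indication of when the support will actually be removed, while the vswitch.xml text begins "The support will be completely"; carrying the same statement into NEWS would let users of the feature plan around it.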
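
Review bot: In the debian/control description, "IPsec tunnels support is deprecated." should read "IPsec tunnel support is deprecated." This is the text users see when installing the GRE-over-IPsec package, so consider naming the release from which the deprecation applies (OVS 2.6, per the note under the commit message).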
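
Review bot: In set_tunnel_config() the deprecation notice is logged with VLOG_ERR, yet the code carries on into the existing #ifndef _WIN32 block, so nothing has failed; VLOG_WARN matches the severity and avoids tripping log monitoring that alerts on ERR. If this path runs every time the port is reconfigured, VLOG_WARN_ONCE or a rate-limited variant would keep the message from repeating. The added line also sits above #ifndef _WIN32, so it is emitted on Windows as well; confirm that is intended.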