ovs-monitor-ipsec: Add support for tunnel 'local_ip'.
In the libreswan case, 'ovs-monitor-ipsec' sets
'left' to '%defaultroute' which will use the local address
of the default route interface as the source IP address. In
multihomed environments, this may not be correct if the user
wants to specify what the source IP address is. In OVS, this
can be set for tunnel ports using the 'local_ip' option. This
patch also uses that option to populate the 'ipsec.conf'
configuration. If the 'local_ip' option is not present, it
will default to the previous behaviour of using '%defaultroute'.

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1906280
Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
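The commit message describes the libreswan `left=` line being filled from the tunnel port's `local_ip` option, with `%defaultroute` as the fallback. The following is an added example (not code from Open vSwitch or from this commit) showing that lookup together with the check a reviewer would want alongside it: the option value is validated as an IPv4/IPv6 literal before it is rendered into a conn block, so a malformed OVSDB option is reported rather than written into ipsec.conf. The `render_conn` and `resolve_local_ip` functions, the trimmed template and the sample options dictionaries are all constructed for this example.

```python
import ipaddress
from string import Template

# Libreswan keyword used when no local_ip option is present
# (the fallback the commit message describes).
DEFAULT_LOCAL_IP = "%defaultroute"

# Minimal PSK-style conn template (constructed for this example, modelled on
# the shape of the monitor's psk template but trimmed to the lines exercised).
PSK_TMPL = Template("""\
conn $ifname
    left=$local_ip
    right=$remote_ip
    authby=secret
""")


def resolve_local_ip(options):
    """Return the value to place in 'left='.

    Missing option  -> the %defaultroute keyword (previous behaviour).
    Present option  -> must parse as an IPv4 or IPv6 address literal.
    Anything else (hostnames, CIDR notation, stray characters) raises
    ValueError so the caller can report a bad option instead of rendering it.
    """
    value = options.get("local_ip")
    if value is None:
        return DEFAULT_LOCAL_IP
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError("local_ip %r is not an IP address" % (value,))


def render_conn(ifname, options):
    """Render a conn block from a tunnel port's options dict (constructed input)."""
    remote = options.get("remote_ip")
    if remote is None:
        raise ValueError("remote_ip is required")
    ipaddress.ip_address(remote.strip())  # validate the remote side the same way
    return PSK_TMPL.substitute(
        ifname=ifname,
        local_ip=resolve_local_ip(options),
        remote_ip=remote.strip(),
    )


if __name__ == "__main__":
    # Constructed sample option sets, as they might be set on a tunnel port.
    print(render_conn("gre0", {"remote_ip": "2.2.2.2"}))
    print(render_conn("gre0", {"remote_ip": "2.2.2.2", "local_ip": "10.0.0.5"}))
```

With no `local_ip` the rendered block carries `left=%defaultroute`; with `local_ip=10.0.0.5` it carries `left=10.0.0.5`. The `ipaddress` module does the validation, so IPv6 literals are accepted and anything that is not a bare address is rejected before it reaches the template.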
markdgray authored and igsilya committed Jan 5, 2021
1 parent 03ee746 commit 6e1f4ad
Showing 2 changed files with 6 additions and 3 deletions.
1 change: 1 addition & 0 deletions Documentation/tutorials/ipsec.rst
@@ -298,6 +298,7 @@ For example::
Otherwise, error message will
be provided
Tunnel Type: gre
Local IP: %defaultroute
Remote IP: 2.2.2.2
SKB mark: None
Local cert: None
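Review bot: the tutorial only gains the new `Local IP: %defaultroute` line in the sample output; the surrounding text should also state that this value is taken from the tunnel port's `local_ip` option and falls back to `%defaultroute` when the option is unset, since users on multihomed hosts are exactly the readers who need to know to set it.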
8 changes: 5 additions & 3 deletions ipsec/ovs-monitor-ipsec.in
@@ -416,19 +416,19 @@ conn prevent_unencrypted_vxlan
"""

auth_tmpl = {"psk": Template("""\
left=%defaultroute
left=$local_ip
right=$remote_ip
authby=secret"""),
"pki_remote": Template("""\
left=%defaultroute
left=$local_ip
right=$remote_ip
leftid=@$local_name
rightid=@$remote_name
leftcert="$local_name"
rightcert="$remote_name"
leftrsasigkey=%cert"""),
"pki_ca": Template("""\
left=%defaultroute
left=$local_ip
right=$remote_ip
leftid=@$local_name
rightid=@$remote_name
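Review bot: `left=$local_ip` is substituted into all three templates exactly as it arrives, and nothing in this hunk checks that the value is an IP literal or the `%defaultroute` keyword; since it originates in the port's `local_ip` option, consider validating it where it is read so that a malformed option is reported by the monitor rather than producing an ipsec.conf that libreswan fails to load. The change is otherwise consistent across `psk`, `pki_remote` and `pki_ca` and mirrors how `right=$remote_ip` is already handled.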
@@ -751,6 +751,7 @@ class IPsecTunnel(object):

unixctl_config_tmpl = Template("""\
Tunnel Type: $tunnel_type
Local IP: $local_ip
Remote IP: $remote_ip
SKB mark: $skb_mark
Local cert: $certificate
@@ -791,6 +792,7 @@ class IPsecTunnel(object):
new_conf = {
"ifname": self.name,
"tunnel_type": row.type,
"local_ip": options.get("local_ip", "%defaultroute"),
"remote_ip": options.get("remote_ip"),
"skb_mark": monitor.conf["skb_mark"],
"certificate": monitor.conf["pki"]["certificate"],
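Review bot: the `%defaultroute` fallback is hard-coded as a string literal in `options.get("local_ip", "%defaultroute")` while the templates only see `$local_ip`; a named module-level constant would keep this libreswan-specific keyword in one place and make clear which backend the default belongs to. Applying the default here also means later code can no longer tell an unset option from an explicit `%defaultroute`, which differs from `remote_ip` on the next line, where a missing option stays `None`; if that distinction matters for reporting, resolve the default at render time instead.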
