ipsec: Do not allow ipsec_gre tunnel traffic to exit unencrypted
If ipsec_gre tunnel configuration is changed in OVSDB, then GRE packets may sometimes exit unencrypted until per-tunnel IPsec policies are installed by the ovs-monitor-ipsec daemon.

This patch fixes this issue by installing a single, low-priority IPsec block policy that drops all GRE packets coming out from ipsec_gre tunnels that do not yet have their own IPsec policies installed.

This patch depends on two other recently committed patches:

1. 574ff4aa (tunneling: get skb marking to work properly with tunnels)
2. ca3574d (IPsec: refactor out some code in OVS_MONITOR_IPSEC_START macro)

Signed-off-by: Ansis Atteka <aatteka@ovn.org>
Reported-by: Steffen Birkeland <Steffefb@stud.ntnu.no>
Acked-by: Jesse Gross <jesse@kernel.org>
Ansis Atteka committed Sep 1, 2016
1 parent 8275398, commit 87e731f
Showing 3 changed files with 22 additions and 2 deletions.
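A toy model of the outbound IPsec policy lookup, added here as an illustration and not taken from the commit or from Open vSwitch: it shows why the window before the per-tunnel policy is installed leaks cleartext, and how one catch-all block policy closes it without touching unmarked GRE. The mark value, priorities, address, matching on the skb mark and the lowest-number-wins ordering are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

GRE = 47            # IP protocol number of GRE
IPSEC_MARK = 0x1    # assumed skb mark on packets leaving ipsec_gre tunnels

@dataclass(frozen=True)
class Packet:
    dst: str
    proto: int
    mark: int = 0

@dataclass(frozen=True)
class Policy:
    priority: int               # model rule: lowest matching number wins
    action: str                 # "protect" (encrypt) or "block" (drop)
    proto: int
    dst: Optional[str] = None   # None matches any remote endpoint
    mark: int = 0               # compared as (packet.mark & mask) == mark
    mask: int = 0               # so mask 0 matches every mark

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and self.dst in (None, pkt.dst)
                and (pkt.mark & self.mask) == self.mark)

def verdict(spd, pkt):
    """Action of the best matching outbound policy; 'bypass' means cleartext."""
    for pol in sorted(spd, key=lambda p: p.priority):
        if pol.matches(pkt):
            return pol.action
    return "bypass"

def tunnel_policy(remote_ip):
    """Per-tunnel policy that the daemon installs some time after a config change."""
    return Policy(100, "protect", GRE, dst=remote_ip, mark=IPSEC_MARK, mask=IPSEC_MARK)

# Single catch-all: drop marked GRE that no per-tunnel policy has claimed yet.
BLOCK_ALL = Policy(10_000, "block", GRE, mark=IPSEC_MARK, mask=IPSEC_MARK)

def timeline(spd, remote_ip="192.0.2.10"):
    """(marked before install, marked after install, unmarked plain GRE)."""
    marked, plain = Packet(remote_ip, GRE, IPSEC_MARK), Packet(remote_ip, GRE)
    return (verdict(spd, marked),
            verdict(spd + [tunnel_policy(remote_ip)], marked),
            verdict(spd, plain))

if __name__ == "__main__":
    print("without block policy:", timeline([]))           # cleartext window
    print("with block policy:   ", timeline([BLOCK_ALL]))  # fails closed
```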