openvswitch: deprecates support for IPsec tunnel port.
OVS IPsec tunnel support has issues:
1. It only works for GRE.
2. Only works on Debian.
3. It does not allow user to match on packet-mark
   on packet received on tunnel ports.

This patch deprecates support for IPsec tunnel port.

Signed-off-by: Pravin B Shelar <pshelar@ovn.org>
Acked-by: Ansis Atteka <aatteka@ovn.org>
pshelar committed Sep 24, 2016
1 parent c708088 commit da92e4d
Showing 5 changed files with 8 additions and 0 deletions.
1 change: 1 addition & 0 deletions NEWS
Expand Up @@ -125,6 +125,7 @@ v2.6.0 - xx xxx xxxx
* Flow based tunnel match and action can be used for IPv6 address using
tun_ipv6_src, tun_ipv6_dst fields.
* Added support for IPv6 tunnels, for details checkout FAQ.
* Deprecated support for IPsec tunnels ports.
- A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port and
watch with tcpdump
- Introduce --no-self-confinement flag that allows daemons to work with
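Review bot: The added NEWS line says "IPsec tunnels ports", which should read "IPsec tunnel ports", and it states neither a removal timeline nor what to move to. The vswitch.xml change in this same commit says support "will be completely removed in next version"; NEWS should carry that too, because deployments that depend on this port type to encrypt GRE traffic will look here when planning an upgrade.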
1 change: 1 addition & 0 deletions debian/changelog
Expand Up @@ -111,6 +111,7 @@ openvswitch (2.6.0-1) unstable; urgency=low
* Flow based tunnel match and action can be used for IPv6 address using
tun_ipv6_src, tun_ipv6_dst fields.
* Added support for IPv6 tunnels, for details checkout FAQ.
* Deprecated support for IPsec tunnels ports.
- A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port and
watch with tcpdump
- Introduce --no-self-confinement flag that allows daemons to work with
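Review bot: The added changelog line repeats the "IPsec tunnels ports" wording from NEWS. Correct it to "IPsec tunnel ports" in both files in the same change so the two entries stay identical.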
1 change: 1 addition & 0 deletions debian/control
Expand Up @@ -200,6 +200,7 @@ Description: Open vSwitch GRE-over-IPsec support
.
The ovs-monitor-ipsec script provides support for encrypting GRE
tunnels with IPsec.
IPsec tunnels support is deprecated.

Package: openvswitch-pki
Architecture: all
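Review bot: The added sentence "IPsec tunnels support is deprecated." is tacked onto the end of a description paragraph that still presents ovs-monitor-ipsec as the way to encrypt GRE tunnels, so it is easy to miss and reads as a contradiction. Suggest "IPsec tunnel support is deprecated." as its own description paragraph, or placed ahead of the feature text, so someone installing the package sees the status first.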
2 changes: 2 additions & 0 deletions lib/netdev-vport.c
Expand Up @@ -543,6 +543,8 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args)
static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER;
static pid_t pid = 0;

VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name);

#ifndef _WIN32
ovs_mutex_lock(&mutex);
if (pid <= 0) {
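Review bot: The new VLOG_ERR call logs a deprecation notice at error severity even though the code right after it goes on to take the mutex and continue the configuration, so nothing has actually failed. A warning-level message fits better (VLOG_WARN), and since set_tunnel_config can run repeatedly for the same port, a once-only or rate-limited variant would keep this from flooding the log and burying real errors. The condition guarding this block is outside the visible context, so please also confirm the message is reached only for IPsec tunnel types.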
3 changes: 3 additions & 0 deletions vswitchd/vswitch.xml
Expand Up @@ -2008,6 +2008,9 @@
<dd>
An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4/IPv6
IPsec tunnel.
IPsec tunnel ports are deprecated. The support will be completely
removed in next version.

</dd>

<dt><code>vxlan</code></dt>
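Review bot: The added text leaves a stray blank line before the closing </dd>, and "removed in next version" should be "removed in the next version". This is also the only place in the commit that announces removal; the NEWS entry, the debian/control description and the log message in lib/netdev-vport.c only say "deprecated", so the timeline should be stated consistently across all of them.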