From d1984028446c334c33569127f6db98a423569f2d Mon Sep 17 00:00:00 2001
From: Justin Pettit
Date: Thu, 23 Sep 2010 16:25:25 -0700
Subject: [PATCH 1/1] vswitch: Disable header-caching when IPsec is enabled

Header caching speeds up sending tunneled traffic by bypassing the Linux IP stack. This also causes it to bypass IPsec processing, which will break connectivity. This commit disables header caching when IPsec is enabled.
---
 lib/netdev-tunnel.c | 15 +++++++++++++++
 vswitchd/bridge.c | 14 ++++++++++++++
 vswitchd/vswitch.xml | 4 +++-
 3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/lib/netdev-tunnel.c b/lib/netdev-tunnel.c
index fdc1d976a..079830e63 100644
--- a/lib/netdev-tunnel.c
+++ b/lib/netdev-tunnel.c
@@ -62,6 +62,8 @@ parse_config(const char *name, const char *type, const struct shash *args,
 struct tnl_port_config *config)
 {
 struct shash_node *node;
+ bool ipsec_ip_set = false;
+ bool ipsec_mech_set = false;
 
 memset(config, 0, sizeof *config);
 
@@ -126,11 +128,24 @@ parse_config(const char *name, const char *type, const struct shash *args,
 if (!strcmp(node->data, "false")) {
 config->flags &= ~TNL_F_HDR_CACHE;
 }
+ } else if (!strcmp(node->name, "ipsec_local_ip")) {
+ ipsec_ip_set = true;
+ } else if (!strcmp(node->name, "ipsec_cert")
+ || !strcmp(node->name, "ipsec_psk")) {
+ ipsec_mech_set = true;
 } else {
 VLOG_WARN("%s: unknown %s argument '%s'", name, type, node->name);
 }
 }
 
+ /* IPsec doesn't work when header caching is enabled. Disable it if
+ * the IPsec local IP address and authentication mechanism have been
+ * defined. */
+ if (ipsec_ip_set && ipsec_mech_set) {
+ VLOG_INFO("%s: header caching disabled due to use of IPsec", name);
+ config->flags &= ~TNL_F_HDR_CACHE;
+ }
+
 if (!config->daddr) {
 VLOG_WARN("%s: %s type requires valid 'remote_ip' argument", name, type);
 return EINVAL;
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index c86e4d5bc..6c271fb7a 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
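Review bot: The new guard `if (ipsec_ip_set && ipsec_mech_set)` in the second netdev-tunnel.c hunk only clears TNL_F_HDR_CACHE when both the local IP and an authentication mechanism are present, so a tunnel carrying `ipsec_local_ip` but no `ipsec_psk`/`ipsec_cert` (or the reverse) keeps the IP-stack bypass enabled without any log message. Since the stated goal is that traffic meant for IPsec never skips IPsec processing, the conservative condition is `if (ipsec_ip_set || ipsec_mech_set) {`, paired with a `VLOG_WARN` when only one of the two is set, so an incomplete IPsec configuration is visible in the log instead of silently keeping the fast path. Both flags are also set from the key name alone, so an entry with an empty value still counts as configured; if empty values are not meaningful here they should be rejected before the flag is set. parse_config's body continues outside the hunk on both sides.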
@@ -374,6 +374,20 @@ set_up_iface(const struct ovsrec_interface *iface_cfg, struct iface *iface,
 xstrdup(iface_cfg->value_options[i]));
 }
 
+ /* Include 'other_config' keys in hash of netdev options. The
+ * namespace of 'other_config' and 'options' must be disjoint.
+ * Prefer 'options' keys over 'other_config' keys. */
+ for (i = 0; i < iface_cfg->n_other_config; i++) {
+ char *value = xstrdup(iface_cfg->value_other_config[i]);
+ if (!shash_add_once(&options, iface_cfg->key_other_config[i],
+ value)) {
+ VLOG_WARN("%s: \"other_config\" key %s conflicts with existing "
+ "\"other_config\" or \"options\" entry...ignoring",
+ iface_cfg->name, iface_cfg->key_other_config[i]);
+ free(value);
+ }
+ }
+
 if (create) {
 struct netdev_options netdev_options;
 
diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index 141c5fe53..242106d0d 100644
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -661,7 +661,9 @@ bypass certain components of the IP stack (such as IP tables) and it may be useful to disable it if these features are required or as a debugging measure. Default is enabled, set to
- false to disable.
+ false to disable. If IPsec is enabled through the
+ parameters, header caching will be
+ automatically disabled.
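Review bot: The new loop forwards every `other_config` key of the interface into the netdev options, not only the `ipsec_*` keys this patch consumes, so any unrelated `other_config` entry on a tunnel port will now reach parse_config in lib/netdev-tunnel.c and be logged there as an unknown argument; the disjointness rule stated in the comment is enforced by nothing more than the conflict warning below it. If the netdev layer only needs the IPsec keys, filtering at the top of the loop, `if (strncmp(iface_cfg->key_other_config[i], "ipsec_", 6)) { continue; }`, keeps the two namespaces separate without relying on operators reading the documentation. The warning text mentions a clash with an existing "other_config" entry, but each key is visited once here, so presumably only an `options` key can already be present and the message could say so directly. set_up_iface starts and ends outside the hunk.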
capwap
-- 2.43.0