vswitch: Disable header-caching when IPsec is enabled

Header caching speeds up sending tunneled traffic by bypassing the Linux
IP stack.  This also causes it to bypass IPsec processing, which will
break connectivity.  This commit disables header caching when IPsec is
enabled.

diff --git a/lib/netdev-tunnel.c b/lib/netdev-tunnel.c
index fdc1d97..079830e 100644 (file)
--- a/lib/netdev-tunnel.c
+++ b/lib/netdev-tunnel.c
@@ -62,6 +62,8 @@ parse_config(const char *name, const char *type, const struct shash *args,
              struct tnl_port_config *config)
 {
     struct shash_node *node;
+    bool ipsec_ip_set = false;
+    bool ipsec_mech_set = false;
 
     memset(config, 0, sizeof *config);
 
@@ -126,11 +128,24 @@ parse_config(const char *name, const char *type, const struct shash *args,
             if (!strcmp(node->data, "false")) {
                 config->flags &= ~TNL_F_HDR_CACHE;
             }
+        } else if (!strcmp(node->name, "ipsec_local_ip")) {
+            ipsec_ip_set = true;
+        } else if (!strcmp(node->name, "ipsec_cert")
+                   || !strcmp(node->name, "ipsec_psk")) {
+            ipsec_mech_set = true;
         } else {
             VLOG_WARN("%s: unknown %s argument '%s'", name, type, node->name);
         }
     }
 
+    /* IPsec doesn't work when header caching is enabled.  Disable it if
+     * the IPsec local IP address and authentication mechanism have been
+     * defined. */
+    if (ipsec_ip_set && ipsec_mech_set) {
+        VLOG_INFO("%s: header caching disabled due to use of IPsec", name);
+        config->flags &= ~TNL_F_HDR_CACHE;
+    }
+
     if (!config->daddr) {
         VLOG_WARN("%s: %s type requires valid 'remote_ip' argument", name, type);
         return EINVAL;

diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index c86e4d5..6c271fb 100644 (file)
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -374,6 +374,20 @@ set_up_iface(const struct ovsrec_interface *iface_cfg, struct iface *iface,
                   xstrdup(iface_cfg->value_options[i]));
     }
 
+    /* Include 'other_config' keys in hash of netdev options.  The
+     * namespace of 'other_config' and 'options' must be disjoint.
+     * Prefer 'options' keys over 'other_config' keys. */
+    for (i = 0; i < iface_cfg->n_other_config; i++) {
+        char *value = xstrdup(iface_cfg->value_other_config[i]);
+        if (!shash_add_once(&options, iface_cfg->key_other_config[i],
+                            value)) {
+            VLOG_WARN("%s: \"other_config\" key %s conflicts with existing "
+                      "\"other_config\" or \"options\" entry...ignoring",
+                      iface_cfg->name, iface_cfg->key_other_config[i]);
+            free(value);
+        }
+    }
+
     if (create) {
         struct netdev_options netdev_options;
 

diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index 141c5fe..242106d 100644 (file)
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -661,7 +661,9 @@
                bypass certain components of the IP stack (such as IP tables)
                and it may be useful to disable it if these features are
                required or as a debugging measure.  Default is enabled, set to
-               <code>false</code> to disable.</dd>
+               <code>false</code> to disable.  If IPsec is enabled through the
+               <ref column="other_config"/> parameters, header caching will be
+               automatically disabled.</dd>
             </dl>
           </dd>
           <dt><code>capwap</code></dt>