Header caching speeds up sending tunneled traffic by bypassing the Linux
IP stack. This also causes it to bypass IPsec processing, which will
break connectivity. This commit disables header caching when IPsec is
enabled.
struct tnl_port_config *config)
{
struct shash_node *node;
struct tnl_port_config *config)
{
struct shash_node *node;
+ bool ipsec_ip_set = false;
+ bool ipsec_mech_set = false;
memset(config, 0, sizeof *config);
memset(config, 0, sizeof *config);
if (!strcmp(node->data, "false")) {
config->flags &= ~TNL_F_HDR_CACHE;
}
if (!strcmp(node->data, "false")) {
config->flags &= ~TNL_F_HDR_CACHE;
}
+ } else if (!strcmp(node->name, "ipsec_local_ip")) {
+ ipsec_ip_set = true;
+ } else if (!strcmp(node->name, "ipsec_cert")
+ || !strcmp(node->name, "ipsec_psk")) {
+ ipsec_mech_set = true;
} else {
VLOG_WARN("%s: unknown %s argument '%s'", name, type, node->name);
}
}
} else {
VLOG_WARN("%s: unknown %s argument '%s'", name, type, node->name);
}
}
+ /* IPsec doesn't work when header caching is enabled. Disable it if
+ * the IPsec local IP address and authentication mechanism have been
+ * defined. */
+ if (ipsec_ip_set && ipsec_mech_set) {
+ VLOG_INFO("%s: header caching disabled due to use of IPsec", name);
+ config->flags &= ~TNL_F_HDR_CACHE;
+ }
+
if (!config->daddr) {
VLOG_WARN("%s: %s type requires valid 'remote_ip' argument", name, type);
return EINVAL;
if (!config->daddr) {
VLOG_WARN("%s: %s type requires valid 'remote_ip' argument", name, type);
return EINVAL;
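Review bot: The new check `if (ipsec_ip_set && ipsec_mech_set)` fails open: when only one of `ipsec_local_ip` and `ipsec_cert`/`ipsec_psk` is present, header caching stays enabled and nothing is logged, so a partially configured tunnel silently sends traffic around IPsec. A false positive here costs only the caching speed-up, so the safer form is to disable caching as soon as any IPsec key is seen, `if (ipsec_ip_set || ipsec_mech_set) {`, or at least to warn on the partial case, `} else if (ipsec_ip_set || ipsec_mech_set) { VLOG_WARN("%s: incomplete IPsec configuration, header caching left enabled", name); }`. Whether a lone key actually causes an IPsec policy to be installed is not visible here, so confirm against the IPsec monitoring side before choosing. Note also that the new branches test only the key's presence, so an empty `ipsec_local_ip` value counts as set. The else-if chain and the rest of parse_config start and end outside the hunk.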
xstrdup(iface_cfg->value_options[i]));
}
xstrdup(iface_cfg->value_options[i]));
}
+ /* Include 'other_config' keys in hash of netdev options. The
+ * namespace of 'other_config' and 'options' must be disjoint.
+ * Prefer 'options' keys over 'other_config' keys. */
+ for (i = 0; i < iface_cfg->n_other_config; i++) {
+ char *value = xstrdup(iface_cfg->value_other_config[i]);
+ if (!shash_add_once(&options, iface_cfg->key_other_config[i],
+ value)) {
+ VLOG_WARN("%s: \"other_config\" key %s conflicts with existing "
+ "\"other_config\" or \"options\" entry...ignoring",
+ iface_cfg->name, iface_cfg->key_other_config[i]);
+ free(value);
+ }
+ }
+
if (create) {
struct netdev_options netdev_options;
if (create) {
struct netdev_options netdev_options;
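Review bot: The new loop copies every `other_config` value into the netdev `options` shash without distinguishing secrets, so a value such as `ipsec_psk` now travels alongside ordinary options; anything downstream that logs or serializes that hash in full would expose it, which cannot be seen from this hunk but is worth stating at the point of merging. Suggest extending the new comment with `/* NOTE: other_config may carry secrets (e.g. ipsec_psk); never log or dump these values wholesale. */`. The conflict warning itself prints only the key name, which is the right choice. The enclosing function starts and ends outside the hunk.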
bypass certain components of the IP stack (such as IP tables)
and it may be useful to disable it if these features are
required or as a debugging measure. Default is enabled, set to
bypass certain components of the IP stack (such as IP tables)
and it may be useful to disable it if these features are
required or as a debugging measure. Default is enabled, set to
- <code>false</code> to disable.</dd>
+ <code>false</code> to disable. If IPsec is enabled through the
+ <ref column="other_config"/> parameters, header caching will be
+ automatically disabled.</dd>
</dl>
</dd>
<dt><code>capwap</code></dt>
</dl>
</dd>
<dt><code>capwap</code></dt>