ovs-monitor-ipsec: Allow custom options per tunnel.

Tunnels in LibreSwan and OpenSwan allow for many options to be set on a per tunnel basis. Pass through any options starting with ipsec_ to the connection in the configuration file. Administrators are responsible for picking valid key/value pairs. Signed-off-by: Andreas Karis <ak.karis@gmail.com> Acked-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
openvswitch · May 4, 2022 · e8515c8 · e8515c8
1 parent af864ce
commit e8515c8
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 2 deletions.
diff --git a/Documentation/tutorials/ipsec.rst b/Documentation/tutorials/ipsec.rst
@@ -303,6 +303,50 @@ external IP is 1.1.1.1, and `host_2`'s external IP is 2.2.2.2. Make sure
    You should be able to see that ESP packets are being sent from `host_1` to
    `host_2`.
 
+Custom options
+--------------
+
+Any parameter prefixed with `ipsec_` will be added to the connection profile.
+For example::
+
+    # ovs-vsctl set interface tun options:ipsec_encapsulation=yes
+
+Will result in::
+
+    #  ovs-appctl -t ovs-monitor-ipsec tunnels/show
+    Interface name: tun v7 (CONFIGURED)
+    Tunnel Type:    vxlan
+    Local IP:       192.0.0.1
+    Remote IP:      192.0.0.2
+    Address Family: IPv4
+    SKB mark:       None
+    Local cert:     None
+    Local name:     None
+    Local key:      None
+    Remote cert:    None
+    Remote name:    None
+    CA cert:        None
+    PSK:            swordfish
+    Custom Options: {'encapsulation': 'yes'}
+
+And in the following connection profiles::
+
+    conn tun-in-7
+        left=192.0.0.1
+        right=192.0.0.2
+        authby=secret
+        encapsulation=yes
+        leftprotoport=udp/4789
+        rightprotoport=udp
+
+    conn tun-out-7
+        left=192.0.0.1
+        right=192.0.0.2
+        authby=secret
+        encapsulation=yes
+        leftprotoport=udp
+        rightprotoport=udp/4789
+
 Troubleshooting
 ---------------
 
@@ -329,6 +373,7 @@ For example::
    Remote name:    None
    CA cert:        None
    PSK:            swordfish
+   Custom Options: {}
    Ofport:         1          <--- Whether ovs-vswitchd has assigned Ofport
                                    number to this Tunnel Port
    CFM state:      Up         <--- Whether CFM declared this tunnel healthy

diff --git a/NEWS b/NEWS
@@ -23,6 +23,9 @@ Post-v2.17.0
          OpenFlow versions 1.0-1.2 with Nicira Extensions
          OpenFlow versions 1.3 with Open Network Foundation extension
          OpenFlow versions 1.4+, as defined in the OpenFlow specification
+   - IPsec:
+     * Added support for custom per-tunnel options via 'options:ipsec_*' knobs.
+       See Documentation/tutorials/ipsec.rst for details.
    - Windows:
      * Conntrack support for TCPv6, UDPv6, ICMPv6, FTPv6.
      * IPv6 Geneve tunnel support.

diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
@@ -313,6 +313,10 @@ conn prevent_unencrypted_vxlan
                 tmpl = self.auth_tmpl["pki_ca"]
                 auth_section = tmpl.substitute(tunnel.conf)
 
+        if "custom_options" in tunnel.conf:
+            for key, value in tunnel.conf["custom_options"].items():
+                auth_section += "\n    " + key + "=" + value
+
         vals = tunnel.conf.copy()
         vals["auth_section"] = auth_section
         vals["version"] = tunnel.version
@@ -550,6 +554,10 @@ conn prevent_unencrypted_vxlan
         if tunnel.conf["address_family"] == "IPv6":
             auth_section = self.IPV6_CONN + auth_section
 
+        if "custom_options" in tunnel.conf:
+            for key, value in tunnel.conf["custom_options"].items():
+                auth_section += "\n    " + key + "=" + value
+
         vals = tunnel.conf.copy()
         vals["auth_section"] = auth_section
         vals["version"] = tunnel.version
@@ -831,6 +839,7 @@ class IPsecTunnel(object):
   Remote name:    $remote_name
   CA cert:        $ca_cert
   PSK:            $psk
+  Custom Options: $custom_options
 """)
 
     unixctl_status_tmpl = Template("""\
@@ -874,7 +883,13 @@ class IPsecTunnel(object):
             "remote_cert": remote_cert,
             "remote_name": remote_name,
             "local_name": monitor.conf["pki"]["local_name"],
-            "psk": options.get("psk")}
+            "psk": options.get("psk"),
+            "custom_options": {}}
+
+        # add custom ipsec options to the connection
+        for key, value in options.items():
+            if key.startswith("ipsec_"):
+                new_conf["custom_options"][key[len("ipsec_"):]] = value
 
         if self.conf != new_conf:
             # Configuration was updated in OVSDB.  Validate it and figure

diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
@@ -1046,7 +1046,9 @@
       <p>
         These settings control the global configuration of IPsec tunnels.  The
         <code>options</code> column of the <code>Interface</code> table
-        configures IPsec for individual tunnels.
+        configures IPsec for individual tunnels. The <code>options</code>
+        column also allows for custom options prefixed with <code>ipsec_</code>
+        to be passed to the individual connections.
       </p>
       <p>
         OVS IPsec supports the following three forms of authentication.