    geneve: add transport ports in route lookup for geneve · 1200ebbd
    Mark Gray authored
    
    commit 34beb215 upstream.
    
    This patch adds transport ports information for route lookup so that
    IPsec can select Geneve tunnel traffic to do encryption. This is
    needed for OVS/OVN IPsec with encrypted Geneve tunnels.
    
    This can be tested by configuring a host-host VPN using an IKE
    daemon and specifying port numbers. For example, for an
    Openswan-type configuration, the following parameters should be
configured on both hosts and IPsec set up as per normal:
    
    $ cat /etc/ipsec.conf
    
    conn in
    ...
    left=$IP1
    right=$IP2
    ...
    leftprotoport=udp/6081
    rightprotoport=udp
    ...
    conn out
    ...
    left=$IP1
    right=$IP2
    ...
    leftprotoport=udp
    rightprotoport=udp/6081
    ...
    
The tunnel can then be set up using "ip" on both hosts (but
    changing the relevant IP addresses):
    
    $ ip link add tun type geneve id 1000 remote $IP2
    $ ip addr add 192.168.0.1/24 dev tun
    $ ip link set tun up
    
    This can then be tested by pinging from $IP1:
    
    $ ping 192.168.0.2
    
    Without this patch the traffic is unencrypted on the wire.
    
    Fixes: 2d07dc79 ("geneve: add initial netdev driver for GENEVE tunnels")
Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 4.9:
 - Use geneve->dst_port instead of geneve->cfg.info.key.tp_dst
 - Adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
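The commit message ends with the observation that, without the fix, the tunnel traffic crosses the wire unencrypted. The script below is an added example (not part of this commit or the kernel tree) of how to confirm the opposite after applying it: it scans `tcpdump -n` text output for Geneve datagrams (UDP 6081) between the two endpoints that were not wrapped in ESP. The endpoint addresses 10.0.0.1/10.0.0.2 and the capture lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: detect cleartext Geneve (UDP 6081) between two IPsec endpoints.
# Reads tcpdump -n text output on stdin. ESP lines look like
#   IP A > B: ESP(spi=0x...,seq=0x1), length N
# and cleartext Geneve lines look like
#   IP A.SPORT > B.6081: Geneve, Flags [none], vni 0x3e8: ...
# Live use: tcpdump -ni eth0 -l 'host 10.0.0.1 and host 10.0.0.2' \
#               | geneve_leak_check 10.0.0.1 10.0.0.2

# Print the number of cleartext Geneve datagrams exchanged between $1 and $2.
count_cleartext_geneve() {
    awk -v a="$1" -v b="$2" '
        /ESP\(spi=/ { next }                 # encrypted: what we want to see
        /^IP / {
            src = $2; dst = $4; sub(/:$/, "", dst)
            # tcpdump appends ".port" to the address; split it off again
            n = split(src, s, "."); sp = s[n]; sh = s[1] "." s[2] "." s[3] "." s[4]
            m = split(dst, d, "."); dp = d[m]; dh = d[1] "." d[2] "." d[3] "." d[4]
            between = (sh == a && dh == b) || (sh == b && dh == a)
            if (between && (sp == "6081" || dp == "6081")) leaks++
        }
        END { print leaks + 0 }'
}

# Exit 0 when every Geneve datagram between the two hosts was ESP, 1 otherwise.
geneve_leak_check() {
    leaks=$(count_cleartext_geneve "$1" "$2")
    if [ "$leaks" -eq 0 ]; then
        echo "OK: no cleartext Geneve between $1 and $2"
        return 0
    fi
    echo "LEAK: $leaks cleartext Geneve datagram(s) between $1 and $2"
    return 1
}

# Constructed sample capture (not from a real host): two ESP packets, one
# leaked cleartext Geneve datagram, and one Geneve datagram from a third host
# that the endpoint filter must ignore.
SAMPLE='IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x0000c0de,seq=0x1), length 148
IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x0000beef,seq=0x1), length 148
IP 10.0.0.1.43127 > 10.0.0.2.6081: Geneve, Flags [none], vni 0x3e8: IP 192.168.0.1 > 192.168.0.2: ICMP echo request, id 1, seq 1, length 64
IP 10.0.0.9.50000 > 10.0.0.1.6081: Geneve, Flags [none], vni 0x3e8: IP 192.168.0.9 > 192.168.0.1: ICMP echo request, id 2, seq 1, length 64'

# Demo run on the sample: reports one leaked datagram and exits non-zero.
printf '%s\n' "$SAMPLE" | geneve_leak_check 10.0.0.1 10.0.0.2 || echo "(exit status $?)"
```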