diff --git a/SOURCES/openvswitch-3.3.0.patch b/SOURCES/openvswitch-3.3.0.patch index e24cd90..19acb32 100644 --- a/SOURCES/openvswitch-3.3.0.patch +++ b/SOURCES/openvswitch-3.3.0.patch @@ -372,26 +372,32 @@ index 0000000000..9a23d7f746 + +#include_next diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in -index 7945162f9f..bc7ac55237 100755 +index 7945162f9f..37c509ac68 100755 --- a/ipsec/ovs-monitor-ipsec.in +++ b/ipsec/ovs-monitor-ipsec.in -@@ -457,14 +457,30 @@ conn prevent_unencrypted_vxlan +@@ -457,14 +457,36 @@ conn prevent_unencrypted_vxlan CERTKEY_PREFIX = "ovs_certkey_" def __init__(self, libreswan_root_prefix, args): + # Collect version infromation + self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec" ++ self.IPSEC_AUTO = [self.IPSEC] + proc = subprocess.Popen([self.IPSEC, "--version"], + stdout=subprocess.PIPE, + encoding="latin1") + pout, perr = proc.communicate() + -+ v = re.match("^Libreswan (.*)$", pout) ++ v = re.match("^Libreswan v?(.*)$", pout) + try: + version = int(v.group(1).split(".")[0]) + except: + version = 0 + ++ if version < 5: ++ # With v5, LibreSWAN removed the auto command, however, it is ++ # still required for older versions ++ self.IPSEC_AUTO.append("auto") ++ + if version >= 4: + ipsec_d = args.ipsec_d if args.ipsec_d else "/var/lib/ipsec/nss" + else: 
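Review bot: The `version = 0` fallback now does more than select the older `ipsec_d` path: with the added `if version < 5` it also puts the legacy `auto` subcommand into `self.IPSEC_AUTO`, so on a LibreSwan 5 host whose `--version` output does not satisfy `re.match("^Libreswan v?(.*)$", pout)` (the pattern is anchored at the start of the output, `re.match` then returns None, and the bare `except:` swallows the resulting AttributeError) every later `ipsec auto ...` call fails with nothing logged about why. I would narrow the handler and record the fallback so the failure mode is visible: `except (AttributeError, ValueError):` / `vlog.warn("Cannot parse LibreSwan version from %r; assuming pre-5 'auto' syntax" % pout)` / `version = 0`. A bare `except:` also catches KeyboardInterrupt and SystemExit, which matters in a long-running monitor. The `__init__` body continues past the end of this hunk.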
@@ -408,6 +414,96 @@ index 7945162f9f..bc7ac55237 100755 self.IPSEC_CONF = libreswan_root_prefix + ipsec_conf self.IPSEC_SECRETS = libreswan_root_prefix + ipsec_secrets self.IPSEC_D = "sql:" + libreswan_root_prefix + ipsec_d +@@ -577,7 +599,7 @@ conn prevent_unencrypted_vxlan + + def refresh(self, monitor): + vlog.info("Refreshing LibreSwan configuration") +- subprocess.call([self.IPSEC, "auto", "--ctlsocket", self.IPSEC_CTL, ++ subprocess.call(self.IPSEC_AUTO + ["--ctlsocket", self.IPSEC_CTL, + "--config", self.IPSEC_CONF, "--rereadsecrets"]) + tunnels = set(monitor.tunnels.keys()) + +@@ -605,7 +627,7 @@ conn prevent_unencrypted_vxlan + + if not tunnel or tunnel.version != ver: + vlog.info("%s is outdated %u" % (conn, ver)) +- subprocess.call([self.IPSEC, "auto", "--ctlsocket", ++ subprocess.call(self.IPSEC_AUTO + ["--ctlsocket", + self.IPSEC_CTL, "--config", + self.IPSEC_CONF, "--delete", conn]) + elif ifname in tunnels: +@@ -627,44 +649,44 @@ conn prevent_unencrypted_vxlan + # Update shunt policy if changed + if monitor.conf_in_use["skb_mark"] != monitor.conf["skb_mark"]: + if monitor.conf["skb_mark"]: +- subprocess.call([self.IPSEC, "auto", +- "--config", self.IPSEC_CONF, ++ subprocess.call(self.IPSEC_AUTO + ++ ["--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--add", + "--asynchronous", "prevent_unencrypted_gre"]) +- subprocess.call([self.IPSEC, "auto", +- "--config", self.IPSEC_CONF, ++ subprocess.call(self.IPSEC_AUTO + ++ ["--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--add", + "--asynchronous", "prevent_unencrypted_geneve"]) +- subprocess.call([self.IPSEC, "auto", +- "--config", self.IPSEC_CONF, ++ subprocess.call(self.IPSEC_AUTO + ++ ["--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--add", + "--asynchronous", "prevent_unencrypted_stt"]) +- subprocess.call([self.IPSEC, "auto", +- "--config", self.IPSEC_CONF, ++ subprocess.call(self.IPSEC_AUTO + ++ ["--config", self.IPSEC_CONF, + "--ctlsocket", 
self.IPSEC_CTL, + "--add", + "--asynchronous", "prevent_unencrypted_vxlan"]) + else: +- subprocess.call([self.IPSEC, "auto", +- "--config", self.IPSEC_CONF, ++ subprocess.call(self.IPSEC_AUTO + ++ ["--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--delete", + "--asynchronous", "prevent_unencrypted_gre"]) +- subprocess.call([self.IPSEC, "auto", +- "--config", self.IPSEC_CONF, ++ subprocess.call(self.IPSEC_AUTO + ++ ["--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--delete", + "--asynchronous", "prevent_unencrypted_geneve"]) +- subprocess.call([self.IPSEC, "auto", +- "--config", self.IPSEC_CONF, ++ subprocess.call(self.IPSEC_AUTO + ++ ["--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--delete", + "--asynchronous", "prevent_unencrypted_stt"]) +- subprocess.call([self.IPSEC, "auto", +- "--config", self.IPSEC_CONF, ++ subprocess.call(self.IPSEC_AUTO + ++ ["--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--delete", + "--asynchronous", "prevent_unencrypted_vxlan"]) +@@ -710,8 +732,8 @@ conn prevent_unencrypted_vxlan + # the "ipsec auto --start" command is lost. Just retry to make sure + # the command is received by LibreSwan. + while True: +- proc = subprocess.Popen([self.IPSEC, "auto", +- "--config", self.IPSEC_CONF, ++ proc = subprocess.Popen(self.IPSEC_AUTO + ++ ["--config", self.IPSEC_CONF, + "--ctlsocket", self.IPSEC_CTL, + "--start", + "--asynchronous", conn], diff --git a/lib/bfd.c b/lib/bfd.c index 9af258917b..b8149e7897 100644 --- a/lib/bfd.c 
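Review bot: The eight `subprocess.call(self.IPSEC_AUTO + [...])` blocks in the shunt-policy section differ only in the action flag and the connection name, and this rewrite has to touch every one of them; folding them into a loop over the four shunt names with the action chosen once would make the next change to the command prefix a one-line edit. The comment `# the "ipsec auto --start" command is lost` above the retry loop still names the pre-v5 spelling; `# the "--start" command is lost` would stay correct for both branches of `IPSEC_AUTO`. The return codes of these calls are still discarded, which this commit does not change. The method containing the shunt-policy block is not fully visible in the hunk, and `refresh` continues beyond it.
```python
        # Update shunt policy if changed
        if monitor.conf_in_use["skb_mark"] != monitor.conf["skb_mark"]:
            action = "--add" if monitor.conf["skb_mark"] else "--delete"
            for shunt in ("gre", "geneve", "stt", "vxlan"):
                subprocess.call(self.IPSEC_AUTO +
                                ["--config", self.IPSEC_CONF,
                                 "--ctlsocket", self.IPSEC_CTL,
                                 action,
                                 "--asynchronous",
                                 "prevent_unencrypted_%s" % shunt])
        # … unchanged: remainder of the method …
```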
@@ -4217,6 +4313,31 @@ index 7cf9bac170..f8ba766739 100644 options="$1" test "$options" != "${options%% -- *}" || options="$options -- " eal_options="$eal_options ${options%% -- *}" +diff --git a/tests/system-ipsec.at b/tests/system-ipsec.at +index d3d27133b9..1e155fecea 100644 +--- a/tests/system-ipsec.at ++++ b/tests/system-ipsec.at +@@ -110,16 +110,16 @@ m4_define([CHECK_LIBRESWAN], + dnl IPSEC_STATUS_LOADED([]) + dnl + dnl Get number of loaded connections from ipsec status +-m4_define([IPSEC_STATUS_LOADED], [ipsec status --rundir $ovs_base/$1 | \ ++m4_define([IPSEC_STATUS_LOADED], [ipsec --rundir $ovs_base/$1 status | \ + grep "Total IPsec connections" | \ +- sed 's/[[0-9]]* Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\1/m']) ++ sed 's/[[0-9]]* *Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\1/m']) + + dnl IPSEC_STATUS_ACTIVE([]) + dnl + dnl Get number of active connections from ipsec status +-m4_define([IPSEC_STATUS_ACTIVE], [ipsec status --rundir $ovs_base/$1 | \ ++m4_define([IPSEC_STATUS_ACTIVE], [ipsec --rundir $ovs_base/$1 status | \ + grep "Total IPsec connections" | \ +- sed 's/[[0-9]]* Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\2/m']) ++ sed 's/[[0-9]]* *Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\2/m']) + + dnl CHECK_ESP_TRAFFIC() + dnl diff --git a/tests/system-layer3-tunnels.at b/tests/system-layer3-tunnels.at index 6fbdedb64f..5dcdd2afae 100644 --- a/tests/system-layer3-tunnels.at diff --git a/SPECS/openvswitch3.3.spec b/SPECS/openvswitch3.3.spec index 1469139..a23176a 100644 --- a/SPECS/openvswitch3.3.spec +++ b/SPECS/openvswitch3.3.spec @@ -57,7 +57,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 3.3.0 -Release: 35%{?dist} +Release: 36%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL 
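Review bot: The macros now pass `--rundir $ovs_base/$1` before the `status` subcommand; that ordering is what the LibreSwan 5 support in this patch targets, but the monitor still serves pre-5 releases through its `auto` fallback, so it is worth confirming that those `ipsec` wrappers accept a global `--rundir` ahead of the subcommand, otherwise the test breaks on exactly the hosts the fallback is meant to keep working. The count capture `\([[0-2]]\)` on the rewritten sed lines only accepts a single digit 0–2; a `\([[0-9]]*\)` capture would make the macro return the actual count instead of the unmodified line if a test ever loads more connections. Both points apply to IPSEC_STATUS_LOADED and IPSEC_STATUS_ACTIVE alike.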
@@ -767,6 +767,13 @@ exit 0 %endif %changelog +* Wed Jul 03 2024 Open vSwitch CI - 3.3.0-36 +- Merging upstream branch-3.3 [RH git: eb0ad890f2] + Commit list: + a3722ab1f7 ovs-monitor-ipsec: LibreSwan v5 support. + bd18a13732 ovs-monitor-ipsec: LibreSwan autodetect version. + + * Tue Jul 02 2024 Michael Santana - 3.3.0-35 - netdev-offload-tc: Reserve lower tc prio for vlan ethertype. [RH git: c2202ea6e8] The cited commit reserved lower tc priorities for IP ethertypes in order