diff --git a/SOURCES/openvswitch-2.13.0.patch b/SOURCES/openvswitch-2.13.0.patch
index 252d59f..af1fc0b 100644
--- a/SOURCES/openvswitch-2.13.0.patch
+++ b/SOURCES/openvswitch-2.13.0.patch
@@ -39232,10 +39232,18 @@ index 5289a70f6e..cf009f8264 100644
 #define OVS_REQ_RDLOCK(...) __attribute__((shared_locks_required(__VA_ARGS__)))
 #define OVS_ACQ_RDLOCK(...) __attribute__((shared_lock_function(__VA_ARGS__)))
 diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
-index 37e3703245..64111768b3 100755
+index 37e3703245..668507fd37 100755
 --- a/ipsec/ovs-monitor-ipsec.in
 +++ b/ipsec/ovs-monitor-ipsec.in
-@@ -101,7 +101,7 @@ class XFRM(object):
+@@ -14,6 +14,7 @@
+ # limitations under the License.
+
+ import argparse
++import ipaddress
+ import re
+ import subprocess
+ import sys
+@@ -101,7 +102,7 @@ class XFRM(object):
 proc = subprocess.Popen([self.IP, 'xfrm', 'policy'],
 stdout=subprocess.PIPE)
 while True:
@@ -39244,7 +39252,7 @@ index 37e3703245..64111768b3 100755
 if line == '':
 break
 a = line.split(" ")
-@@ -124,7 +124,7 @@ class XFRM(object):
+@@ -124,7 +125,7 @@ class XFRM(object):
 proc = subprocess.Popen([self.IP, 'xfrm', 'state'],
 stdout=subprocess.PIPE)
 while True:
@@ -39253,7 +39261,7 @@ index 37e3703245..64111768b3 100755
 if line == '':
 break
 a = line.split(" ")
-@@ -145,10 +145,18 @@ class StrongSwanHelper(object):
+@@ -145,10 +146,18 @@ class StrongSwanHelper(object):
 """This class does StrongSwan specific configurations."""
 STRONGSWAN_CONF = """%s
@@ -39276,7 +39284,7 @@ index 37e3703245..64111768b3 100755
 """ % (FILE_HEADER)
 CONF_HEADER = """%s
-@@ -246,7 +254,7 @@ conn prevent_unencrypted_vxlan
+@@ -246,7 +255,7 @@ conn prevent_unencrypted_vxlan
 proc = subprocess.Popen([self.IPSEC, 'status'],
 stdout=subprocess.PIPE)
 while True:
@@ -39285,7 +39293,7 @@ index 37e3703245..64111768b3 100755
 if line == '':
 break
 tunnel_name = line.split(":")
-@@ -340,7 +348,7 @@ conn prevent_unencrypted_vxlan
+@@ -340,7 +349,7 @@ conn prevent_unencrypted_vxlan
 # about possibility of ovs-monitor-ipsec to block for each tunnel
 # while strongSwan sends IKE messages over Internet.
 conns_dict = self.get_active_conns()
@@ -39294,7 +39302,15 @@ index 37e3703245..64111768b3 100755
 tunnel = monitor.tunnels.get(ifname)
 for conn in conns:
 # IPsec "connection" names that we choose in strongswan
-@@ -408,19 +416,19 @@ conn prevent_unencrypted_vxlan
+@@ -405,22 +414,27 @@ conn prevent_unencrypted_vxlan
+ leftprotoport=udp/4789
+ mark={0}
+
++"""
++
++ IPV6_CONN = """\
++ hostaddrfamily=ipv6
++ clientaddrfamily=ipv6
 """
 auth_tmpl = {"psk": Template("""\
@@ -39319,7 +39335,17 @@ index 37e3703245..64111768b3 100755
 right=$remote_ip
 leftid=@$local_name
 rightid=@$remote_name
-@@ -536,7 +544,7 @@ conn prevent_unencrypted_vxlan
+@@ -512,6 +526,9 @@ conn prevent_unencrypted_vxlan
+ else:
+ auth_section = self.auth_tmpl["pki_ca"].substitute(tunnel.conf)
+
++ if tunnel.conf["address_family"] == "IPv6":
++ auth_section = self.IPV6_CONN + auth_section
++
+ vals = tunnel.conf.copy()
+ vals["auth_section"] = auth_section
+ vals["version"] = tunnel.version
+@@ -536,7 +553,7 @@ conn prevent_unencrypted_vxlan
 # Delete old connections
 conns_dict = self.get_active_conns()
@@ -39328,7 +39354,7 @@ index 37e3703245..64111768b3 100755
 tunnel = monitor.tunnels.get(ifname)
 for conn in conns:
-@@ -608,7 +616,7 @@ conn prevent_unencrypted_vxlan
+@@ -608,7 +625,7 @@ conn prevent_unencrypted_vxlan
 proc = subprocess.Popen([self.IPSEC, 'status'],
 stdout=subprocess.PIPE)
 while True:
@@ -39337,7 +39363,7 @@ index 37e3703245..64111768b3 100755
 if line == '':
 break
-@@ -617,7 +625,10 @@ conn prevent_unencrypted_vxlan
+@@ -617,7 +634,10 @@ conn prevent_unencrypted_vxlan
 continue
 conn = m.group(1)
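Review bot: The new check `if tunnel.conf["address_family"] == "IPv6":` in the `+@@ -512,6 +526,9` hunk treats a None family exactly like IPv4, so a tunnel whose remote_ip could not be parsed as an IP literal, or whose local_ip and remote_ip belong to different families (the None results of `_get_conn_address_family`, added in the later IPsecTunnel hunk), is silently written out as an IPv4 strongSwan conn. Unless `_is_valid_tunnel_conf`, which lies outside this hunk, already rejects such a tunnel, a diagnostic belongs next to this branch: `elif tunnel.conf["address_family"] is None:` / `vlog.warn("%s: unknown address family, using IPv4" % tunnel.conf["ifname"])`. The enclosing method starts and ends outside the hunk.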
@@ -39349,7 +39375,7 @@ index 37e3703245..64111768b3 100755
 if not m:
 continue
-@@ -649,7 +660,8 @@ conn prevent_unencrypted_vxlan
+@@ -649,7 +669,8 @@ conn prevent_unencrypted_vxlan
 proc = subprocess.Popen(['certutil', '-L', '-d',
 'sql:/etc/ipsec.d/'],
 stdout=subprocess.PIPE,
@@ -39359,7 +39385,7 @@ index 37e3703245..64111768b3 100755
 lines = proc.stdout.readlines()
 for line in lines:
-@@ -678,7 +690,7 @@ conn prevent_unencrypted_vxlan
+@@ -678,7 +699,7 @@ conn prevent_unencrypted_vxlan
 if proc.returncode:
 raise Exception(proc.stderr.read())
 except Exception as e:
@@ -39368,7 +39394,7 @@ index 37e3703245..64111768b3 100755
 def _nss_delete_cert(self, name):
 try:
-@@ -690,7 +702,7 @@ conn prevent_unencrypted_vxlan
+@@ -690,7 +711,7 @@ conn prevent_unencrypted_vxlan
 if proc.returncode:
 raise Exception(proc.stderr.read())
 except Exception as e:
@@ -39377,23 +39403,47 @@ index 37e3703245..64111768b3 100755
 def _nss_import_cert_and_key(self, cert, key, name):
 try:
-@@ -742,6 +754,7 @@ class IPsecTunnel(object):
+@@ -742,7 +763,9 @@ class IPsecTunnel(object):
 unixctl_config_tmpl = Template("""\
 Tunnel Type: $tunnel_type
 + Local IP: $local_ip
 Remote IP: $remote_ip
++ Address Family: $address_family
 SKB mark: $skb_mark
 Local cert: $certificate
-@@ -782,6 +795,7 @@ class IPsecTunnel(object):
+ Local name: $local_name
+@@ -782,7 +805,11 @@ class IPsecTunnel(object):
 new_conf = {
 "ifname": self.name,
 "tunnel_type": row.type,
 + "local_ip": options.get("local_ip", "%defaultroute"),
 "remote_ip": options.get("remote_ip"),
++ "address_family": self._get_conn_address_family(
++ options.get("remote_ip"),
++ options.get("local_ip")),
 "skb_mark": monitor.conf["skb_mark"],
 "certificate": monitor.conf["pki"]["certificate"],
-@@ -911,7 +925,7 @@ class IPsecTunnel(object):
+ "private_key": monitor.conf["pki"]["private_key"],
+@@ -851,6 +878,17 @@ class IPsecTunnel(object):
+
+ return header + conf + status + spds + sas + cons + "\n"
+
++ def _get_conn_address_family(self, remote_ip, local_ip):
++ remote = address_family(remote_ip)
++ local = address_family(local_ip)
++
++ if local is None:
++ return remote
++ elif local != remote:
++ return None
++ else:
++ return remote
++
+ def _is_valid_tunnel_conf(self):
+ """This function verifies if IPsec tunnel has valid configuration
+ set in 'conf'. If it is valid, then it returns True. Otherwise,
+@@ -911,7 +949,7 @@ class IPsecTunnel(object):
 class IPsecMonitor(object):
 """This class monitors and configures IPsec tunnels"""
@@ -39402,7 +39452,7 @@ index 37e3703245..64111768b3 100755
 self.IPSEC = root_prefix + "/usr/sbin/ipsec"
 self.tunnels = {}
-@@ -941,7 +955,9 @@ class IPsecMonitor(object):
+@@ -941,7 +979,9 @@ class IPsecMonitor(object):
 not os.access(self.IPSEC, os.X_OK):
 vlog.err("IKE daemon is not installed in the system.")
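Review bot: `_get_conn_address_family` in the `+@@ -851,6 +878,17` hunk has no docstring, unlike its neighbour `_is_valid_tunnel_conf`, and its three-way result is not obvious from the code: it yields the remote family when local_ip is absent or not an IP literal (the `"%defaultroute"` default set in the new_conf hunk is one such value), None when the two families differ, and the shared family otherwise. I would add a docstring stating that contract and that None is the caller's signal that no consistent family could be determined; the same None is also what `Address Family: $address_family` in the unixctl template will print. The `elif local != remote: return None` / `else: return remote` pair could collapse to `return remote if local == remote else None`, but that is a matter of taste.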
@@ -39413,7 +39463,7 @@ index 37e3703245..64111768b3 100755
 def is_tunneling_type_supported(self, tunnel_type):
 """Returns True if we know how to configure IPsec for these
-@@ -989,7 +1005,7 @@ class IPsecMonitor(object):
+@@ -989,7 +1029,7 @@ class IPsecMonitor(object):
 skb_mark = None
 is_valid = False
@@ -39422,7 +39472,7 @@ index 37e3703245..64111768b3 100755
 pki[0] = row.other_config.get("certificate")
 pki[1] = row.other_config.get("private_key")
 pki[2] = row.other_config.get("ca_cert")
-@@ -1016,7 +1032,7 @@ class IPsecMonitor(object):
+@@ -1016,7 +1056,7 @@ class IPsecMonitor(object):
 table."""
 ifaces = set()
@@ -39431,7 +39481,7 @@ index 37e3703245..64111768b3 100755
 if not self.is_tunneling_type_supported(row.type):
 continue
 if not self.is_ipsec_required(row.options):
-@@ -1047,7 +1063,7 @@ class IPsecMonitor(object):
+@@ -1047,7 +1087,7 @@ class IPsecMonitor(object):
 return
 s = ""
 conns = self.ike_helper.get_active_conns()
@@ -39440,7 +39490,7 @@ index 37e3703245..64111768b3 100755
 s += tunnel.show(policies, securities, conns)
 unix_conn.reply(s)
-@@ -1064,7 +1080,7 @@ class IPsecMonitor(object):
+@@ -1064,7 +1104,7 @@ class IPsecMonitor(object):
 if self.ike_helper.config_global(self):
 needs_refresh = True
@@ -39449,7 +39499,7 @@ index 37e3703245..64111768b3 100755
 if tunnel.last_refreshed_version != tunnel.version:
 tunnel.last_refreshed_version = tunnel.version
 needs_refresh = True
-@@ -1094,7 +1110,7 @@ class IPsecMonitor(object):
+@@ -1094,7 +1134,7 @@ class IPsecMonitor(object):
 proc.wait()
 if proc.returncode:
 raise Exception(proc.stderr.read())
@@ -39458,7 +39508,27 @@ index 37e3703245..64111768b3 100755
 if not m:
 raise Exception("No CN in the certificate subject.")
 except Exception as e:
-@@ -1136,19 +1152,30 @@ def unixctl_refresh(conn, unused_argv, unused_aux):
+@@ -1104,6 +1144,19 @@ class IPsecMonitor(object):
+ return m.group(1)
+
+
++def address_family(address):
++ try:
++ ip = ipaddress.ip_address(address)
++ ipstr = str(type(ip))
++ # ipaddress has inconsistencies with what exceptions are raised:
++ # https://mail.openvswitch.org/pipermail/ovs-dev/2021-April/381696.html
++ except (ValueError, ipaddress.AddressValueError):
++ return None
++ if ipstr.find('v6') != -1:
++ return "IPv6"
++ return "IPv4"
++
++
+ def unixctl_xfrm_policies(conn, unused_argv, unused_aux):
+ global xfrm
+ policies = xfrm.get_policies()
+@@ -1136,19 +1189,30 @@ def unixctl_refresh(conn, unused_argv, unused_aux):
 conn.reply(None)
@@ -39497,7 +39567,7 @@ index 37e3703245..64111768b3 100755
 def main():
-@@ -1161,6 +1188,8 @@ def main():
+@@ -1161,6 +1225,8 @@ def main():
 parser.add_argument("--ike-daemon", metavar="IKE-DAEMON",
 help="The IKE daemon used for IPsec tunnels"
 " (either libreswan or strongswan).")
@@ -39506,7 +39576,7 @@ index 37e3703245..64111768b3 100755
 ovs.vlog.add_args(parser)
 ovs.daemon.add_args(parser)
-@@ -1173,7 +1202,8 @@ def main():
+@@ -1173,7 +1239,8 @@ def main():
 root_prefix = args.root_prefix if args.root_prefix else ""
 xfrm = XFRM(root_prefix)
@@ -39516,7 +39586,7 @@ index 37e3703245..64111768b3 100755
 remote = args.database
 schema_helper = ovs.db.idl.SchemaHelper()
-@@ -1194,7 +1224,8 @@ def main():
+@@ -1194,7 +1261,8 @@ def main():
 ovs.unixctl.command_register("tunnels/show", "", 0, 0, unixctl_show, None)
 ovs.unixctl.command_register("refresh", "", 0, 0, unixctl_refresh, None)
diff --git a/SPECS/openvswitch2.13.spec b/SPECS/openvswitch2.13.spec
index da92824..d1756e8 100644
--- a/SPECS/openvswitch2.13.spec
+++ b/SPECS/openvswitch2.13.spec
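Review bot: `address_family` in the `+@@ -1104,6 +1144,19` hunk decides IPv6 by searching the class name, `ipstr = str(type(ip))` followed by `ipstr.find('v6') != -1`, which is brittle string matching where the ipaddress module offers a direct test. `ip.version` (4 or 6) or `isinstance(ip, ipaddress.IPv6Address)` states the intent and drops the `ipstr` temporary: `return "IPv6" if ip.version == 6 else "IPv4"`. The `except (ValueError, ipaddress.AddressValueError)` tuple is harmless because AddressValueError subclasses ValueError, and the comment's linked thread explains why it was kept explicit. A one-line docstring such as `"""Return "IPv4", "IPv6", or None when address is not an IP literal."""` would help the two calls in `_get_conn_address_family`.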
@@ -59,7 +59,7 @@ Summary: Open vSwitch
 Group: System Environment/Daemons daemon/database/utilities
 URL: http://www.openvswitch.org/
 Version: 2.13.0
-Release: 100%{?commit0:.%{date}git%{shortcommit0}}%{?commit1:dpdk%{shortcommit1}}%{?dist}
+Release: 101%{?commit0:.%{date}git%{shortcommit0}}%{?commit1:dpdk%{shortcommit1}}%{?dist}
 # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the
 # lib/sflow*.[ch] files are SISSL
@@ -710,6 +710,10 @@ exit 0
 %endif
 %changelog
+* Fri Apr 02 2021 Open vSwitch CI - 2.13.0-101
+- Merging upstream branch-2.13
+ [02b662f992b57ed2cc2274efb0033abae7bf2aa8]
+
 * Thu Apr 01 2021 Open vSwitch CI - 2.13.0-100
 - Merging upstream branch-2.13
 [7323d4b8e428cec0b48de457159861b8a1cdd410]