diff --git a/SOURCES/openvswitch-2.13.0.patch b/SOURCES/openvswitch-2.13.0.patch
index 252d59f..af1fc0b 100644
--- a/SOURCES/openvswitch-2.13.0.patch
+++ b/SOURCES/openvswitch-2.13.0.patch
@@ -39232,10 +39232,18 @@ index 5289a70f6e..cf009f8264 100644
#define OVS_REQ_RDLOCK(...) __attribute__((shared_locks_required(__VA_ARGS__)))
#define OVS_ACQ_RDLOCK(...) __attribute__((shared_lock_function(__VA_ARGS__)))
diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
-index 37e3703245..64111768b3 100755
+index 37e3703245..668507fd37 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
-@@ -101,7 +101,7 @@ class XFRM(object):
+@@ -14,6 +14,7 @@
+ # limitations under the License.
+
+ import argparse
++import ipaddress
+ import re
+ import subprocess
+ import sys
+@@ -101,7 +102,7 @@ class XFRM(object):
proc = subprocess.Popen([self.IP, 'xfrm', 'policy'],
stdout=subprocess.PIPE)
while True:
@@ -39244,7 +39252,7 @@ index 37e3703245..64111768b3 100755
if line == '':
break
a = line.split(" ")
-@@ -124,7 +124,7 @@ class XFRM(object):
+@@ -124,7 +125,7 @@ class XFRM(object):
proc = subprocess.Popen([self.IP, 'xfrm', 'state'],
stdout=subprocess.PIPE)
while True:
@@ -39253,7 +39261,7 @@ index 37e3703245..64111768b3 100755
if line == '':
break
a = line.split(" ")
-@@ -145,10 +145,18 @@ class StrongSwanHelper(object):
+@@ -145,10 +146,18 @@ class StrongSwanHelper(object):
"""This class does StrongSwan specific configurations."""
STRONGSWAN_CONF = """%s
@@ -39276,7 +39284,7 @@ index 37e3703245..64111768b3 100755
""" % (FILE_HEADER)
CONF_HEADER = """%s
-@@ -246,7 +254,7 @@ conn prevent_unencrypted_vxlan
+@@ -246,7 +255,7 @@ conn prevent_unencrypted_vxlan
proc = subprocess.Popen([self.IPSEC, 'status'], stdout=subprocess.PIPE)
while True:
@@ -39285,7 +39293,7 @@ index 37e3703245..64111768b3 100755
if line == '':
break
tunnel_name = line.split(":")
-@@ -340,7 +348,7 @@ conn prevent_unencrypted_vxlan
+@@ -340,7 +349,7 @@ conn prevent_unencrypted_vxlan
# about possibility of ovs-monitor-ipsec to block for each tunnel
# while strongSwan sends IKE messages over Internet.
conns_dict = self.get_active_conns()
@@ -39294,7 +39302,15 @@ index 37e3703245..64111768b3 100755
tunnel = monitor.tunnels.get(ifname)
for conn in conns:
# IPsec "connection" names that we choose in strongswan
-@@ -408,19 +416,19 @@ conn prevent_unencrypted_vxlan
+@@ -405,22 +414,27 @@ conn prevent_unencrypted_vxlan
+ leftprotoport=udp/4789
+ mark={0}
+
++"""
++
++ IPV6_CONN = """\
++ hostaddrfamily=ipv6
++ clientaddrfamily=ipv6
"""
auth_tmpl = {"psk": Template("""\
@@ -39319,7 +39335,17 @@ index 37e3703245..64111768b3 100755
right=$remote_ip
leftid=@$local_name
rightid=@$remote_name
-@@ -536,7 +544,7 @@ conn prevent_unencrypted_vxlan
+@@ -512,6 +526,9 @@ conn prevent_unencrypted_vxlan
+ else:
+ auth_section = self.auth_tmpl["pki_ca"].substitute(tunnel.conf)
+
++ if tunnel.conf["address_family"] == "IPv6":
++ auth_section = self.IPV6_CONN + auth_section
++
+ vals = tunnel.conf.copy()
+ vals["auth_section"] = auth_section
+ vals["version"] = tunnel.version
+@@ -536,7 +553,7 @@ conn prevent_unencrypted_vxlan
# Delete old connections
conns_dict = self.get_active_conns()
@@ -39328,7 +39354,7 @@ index 37e3703245..64111768b3 100755
tunnel = monitor.tunnels.get(ifname)
for conn in conns:
-@@ -608,7 +616,7 @@ conn prevent_unencrypted_vxlan
+@@ -608,7 +625,7 @@ conn prevent_unencrypted_vxlan
proc = subprocess.Popen([self.IPSEC, 'status'], stdout=subprocess.PIPE)
while True:
@@ -39337,7 +39363,7 @@ index 37e3703245..64111768b3 100755
if line == '':
break
-@@ -617,7 +625,10 @@ conn prevent_unencrypted_vxlan
+@@ -617,7 +634,10 @@ conn prevent_unencrypted_vxlan
continue
conn = m.group(1)
@@ -39349,7 +39375,7 @@ index 37e3703245..64111768b3 100755
if not m:
continue
-@@ -649,7 +660,8 @@ conn prevent_unencrypted_vxlan
+@@ -649,7 +669,8 @@ conn prevent_unencrypted_vxlan
proc = subprocess.Popen(['certutil', '-L', '-d',
'sql:/etc/ipsec.d/'],
stdout=subprocess.PIPE,
@@ -39359,7 +39385,7 @@ index 37e3703245..64111768b3 100755
lines = proc.stdout.readlines()
for line in lines:
-@@ -678,7 +690,7 @@ conn prevent_unencrypted_vxlan
+@@ -678,7 +699,7 @@ conn prevent_unencrypted_vxlan
if proc.returncode:
raise Exception(proc.stderr.read())
except Exception as e:
@@ -39368,7 +39394,7 @@ index 37e3703245..64111768b3 100755
def _nss_delete_cert(self, name):
try:
-@@ -690,7 +702,7 @@ conn prevent_unencrypted_vxlan
+@@ -690,7 +711,7 @@ conn prevent_unencrypted_vxlan
if proc.returncode:
raise Exception(proc.stderr.read())
except Exception as e:
@@ -39377,23 +39403,47 @@ index 37e3703245..64111768b3 100755
def _nss_import_cert_and_key(self, cert, key, name):
try:
-@@ -742,6 +754,7 @@ class IPsecTunnel(object):
+@@ -742,7 +763,9 @@ class IPsecTunnel(object):
unixctl_config_tmpl = Template("""\
Tunnel Type: $tunnel_type
+ Local IP: $local_ip
Remote IP: $remote_ip
++ Address Family: $address_family
SKB mark: $skb_mark
Local cert: $certificate
-@@ -782,6 +795,7 @@ class IPsecTunnel(object):
+ Local name: $local_name
+@@ -782,7 +805,11 @@ class IPsecTunnel(object):
new_conf = {
"ifname": self.name,
"tunnel_type": row.type,
+ "local_ip": options.get("local_ip", "%defaultroute"),
"remote_ip": options.get("remote_ip"),
++ "address_family": self._get_conn_address_family(
++ options.get("remote_ip"),
++ options.get("local_ip")),
"skb_mark": monitor.conf["skb_mark"],
"certificate": monitor.conf["pki"]["certificate"],
-@@ -911,7 +925,7 @@ class IPsecTunnel(object):
+ "private_key": monitor.conf["pki"]["private_key"],
+@@ -851,6 +878,17 @@ class IPsecTunnel(object):
+
+ return header + conf + status + spds + sas + cons + "\n"
+
++ def _get_conn_address_family(self, remote_ip, local_ip):
++ remote = address_family(remote_ip)
++ local = address_family(local_ip)
++
++ if local is None:
++ return remote
++ elif local != remote:
++ return None
++ else:
++ return remote
++
+ def _is_valid_tunnel_conf(self):
+ """This function verifies if IPsec tunnel has valid configuration
+ set in 'conf'. If it is valid, then it returns True. Otherwise,
+@@ -911,7 +949,7 @@ class IPsecTunnel(object):
class IPsecMonitor(object):
"""This class monitors and configures IPsec tunnels"""
@@ -39402,7 +39452,7 @@ index 37e3703245..64111768b3 100755
self.IPSEC = root_prefix + "/usr/sbin/ipsec"
self.tunnels = {}
-@@ -941,7 +955,9 @@ class IPsecMonitor(object):
+@@ -941,7 +979,9 @@ class IPsecMonitor(object):
not os.access(self.IPSEC, os.X_OK):
vlog.err("IKE daemon is not installed in the system.")
@@ -39413,7 +39463,7 @@ index 37e3703245..64111768b3 100755
def is_tunneling_type_supported(self, tunnel_type):
"""Returns True if we know how to configure IPsec for these
-@@ -989,7 +1005,7 @@ class IPsecMonitor(object):
+@@ -989,7 +1029,7 @@ class IPsecMonitor(object):
skb_mark = None
is_valid = False
@@ -39422,7 +39472,7 @@ index 37e3703245..64111768b3 100755
pki[0] = row.other_config.get("certificate")
pki[1] = row.other_config.get("private_key")
pki[2] = row.other_config.get("ca_cert")
-@@ -1016,7 +1032,7 @@ class IPsecMonitor(object):
+@@ -1016,7 +1056,7 @@ class IPsecMonitor(object):
table."""
ifaces = set()
@@ -39431,7 +39481,7 @@ index 37e3703245..64111768b3 100755
if not self.is_tunneling_type_supported(row.type):
continue
if not self.is_ipsec_required(row.options):
-@@ -1047,7 +1063,7 @@ class IPsecMonitor(object):
+@@ -1047,7 +1087,7 @@ class IPsecMonitor(object):
return
s = ""
conns = self.ike_helper.get_active_conns()
@@ -39440,7 +39490,7 @@ index 37e3703245..64111768b3 100755
s += tunnel.show(policies, securities, conns)
unix_conn.reply(s)
-@@ -1064,7 +1080,7 @@ class IPsecMonitor(object):
+@@ -1064,7 +1104,7 @@ class IPsecMonitor(object):
if self.ike_helper.config_global(self):
needs_refresh = True
@@ -39449,7 +39499,7 @@ index 37e3703245..64111768b3 100755
if tunnel.last_refreshed_version != tunnel.version:
tunnel.last_refreshed_version = tunnel.version
needs_refresh = True
-@@ -1094,7 +1110,7 @@ class IPsecMonitor(object):
+@@ -1094,7 +1134,7 @@ class IPsecMonitor(object):
proc.wait()
if proc.returncode:
raise Exception(proc.stderr.read())
@@ -39458,7 +39508,27 @@ index 37e3703245..64111768b3 100755
if not m:
raise Exception("No CN in the certificate subject.")
except Exception as e:
-@@ -1136,19 +1152,30 @@ def unixctl_refresh(conn, unused_argv, unused_aux):
+@@ -1104,6 +1144,19 @@ class IPsecMonitor(object):
+ return m.group(1)
+
+
++def address_family(address):
++ try:
++ ip = ipaddress.ip_address(address)
++ ipstr = str(type(ip))
++ # ipaddress has inconsistencies with what exceptions are raised:
++ # https://mail.openvswitch.org/pipermail/ovs-dev/2021-April/381696.html
++ except (ValueError, ipaddress.AddressValueError):
++ return None
++ if ipstr.find('v6') != -1:
++ return "IPv6"
++ return "IPv4"
++
++
+ def unixctl_xfrm_policies(conn, unused_argv, unused_aux):
+ global xfrm
+ policies = xfrm.get_policies()
+@@ -1136,19 +1189,30 @@ def unixctl_refresh(conn, unused_argv, unused_aux):
conn.reply(None)
@@ -39497,7 +39567,7 @@ index 37e3703245..64111768b3 100755
def main():
-@@ -1161,6 +1188,8 @@ def main():
+@@ -1161,6 +1225,8 @@ def main():
parser.add_argument("--ike-daemon", metavar="IKE-DAEMON",
help="The IKE daemon used for IPsec tunnels"
" (either libreswan or strongswan).")
@@ -39506,7 +39576,7 @@ index 37e3703245..64111768b3 100755
ovs.vlog.add_args(parser)
ovs.daemon.add_args(parser)
-@@ -1173,7 +1202,8 @@ def main():
+@@ -1173,7 +1239,8 @@ def main():
root_prefix = args.root_prefix if args.root_prefix else ""
xfrm = XFRM(root_prefix)
@@ -39516,7 +39586,7 @@ index 37e3703245..64111768b3 100755
remote = args.database
schema_helper = ovs.db.idl.SchemaHelper()
-@@ -1194,7 +1224,8 @@ def main():
+@@ -1194,7 +1261,8 @@ def main():
ovs.unixctl.command_register("tunnels/show", "", 0, 0,
unixctl_show, None)
ovs.unixctl.command_register("refresh", "", 0, 0, unixctl_refresh, None)
diff --git a/SPECS/openvswitch2.13.spec b/SPECS/openvswitch2.13.spec
index da92824..d1756e8 100644
--- a/SPECS/openvswitch2.13.spec
+++ b/SPECS/openvswitch2.13.spec
@@ -59,7 +59,7 @@ Summary: Open vSwitch
Group: System Environment/Daemons daemon/database/utilities
URL: http://www.openvswitch.org/
Version: 2.13.0
-Release: 100%{?commit0:.%{date}git%{shortcommit0}}%{?commit1:dpdk%{shortcommit1}}%{?dist}
+Release: 101%{?commit0:.%{date}git%{shortcommit0}}%{?commit1:dpdk%{shortcommit1}}%{?dist}
# Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the
# lib/sflow*.[ch] files are SISSL
@@ -710,6 +710,10 @@ exit 0
%endif
%changelog
+* Fri Apr 02 2021 Open vSwitch CI <ovs-team@redhat.com> - 2.13.0-101
+- Merging upstream branch-2.13
+ [02b662f992b57ed2cc2274efb0033abae7bf2aa8]
+
* Thu Apr 01 2021 Open vSwitch CI <ovs-team@redhat.com> - 2.13.0-100
- Merging upstream branch-2.13
[7323d4b8e428cec0b48de457159861b8a1cdd410]