{
const char *name = netdev_dev_get_name(dev);
const char *type = netdev_dev_get_type(dev);
- bool is_gre = !strcmp(type, "gre");
+ bool is_gre = false;
+ bool is_ipsec = false;
struct tnl_port_config config;
struct shash_node *node;
- bool ipsec_ip_set = false;
bool ipsec_mech_set = false;
memset(&config, 0, sizeof config);
config.flags |= TNL_F_PMTUD;
config.flags |= TNL_F_HDR_CACHE;
+ if (!strcmp(type, "gre")) {
+ is_gre = true;
+ } else if (!strcmp(type, "ipsec_gre")) {
+ is_gre = true;
+ is_ipsec = true;
+
+ config.flags |= TNL_F_IPSEC;
+
+ /* IPsec doesn't work when header caching is enabled. */
+ config.flags &= ~TNL_F_HDR_CACHE;
+ }
+
SHASH_FOR_EACH (node, args) {
if (!strcmp(node->name, "remote_ip")) {
struct in_addr in_addr;
if (!strcmp(node->data, "false")) {
config.flags &= ~TNL_F_HDR_CACHE;
}
- } else if (!strcmp(node->name, "ipsec_local_ip")) {
- ipsec_ip_set = true;
- } else if (!strcmp(node->name, "ipsec_cert")
- || !strcmp(node->name, "ipsec_psk")) {
+ } else if (!strcmp(node->name, "peer_cert") && is_ipsec) {
+ if (shash_find(args, "certificate")) {
+ ipsec_mech_set = true;
+ } else {
+ const char *use_ssl_cert;
+
+ /* If the "use_ssl_cert" is true, then "certificate" and
+ * "private_key" will be pulled from the SSL table. The
+ * use of this option is strongly discouraged, since it
+ * will like be removed when multiple SSL configurations
+ * are supported by OVS.
+ */
+ use_ssl_cert = shash_find_data(args, "use_ssl_cert");
+ if (!use_ssl_cert || strcmp(use_ssl_cert, "true")) {
+ VLOG_WARN("%s: 'peer_cert' requires 'certificate' argument",
+ name);
+ return EINVAL;
+ }
+ ipsec_mech_set = true;
+ }
+ } else if (!strcmp(node->name, "psk") && is_ipsec) {
ipsec_mech_set = true;
+ } else if (is_ipsec
+ && (!strcmp(node->name, "certificate")
+ || !strcmp(node->name, "private_key")
+ || !strcmp(node->name, "use_ssl_cert"))) {
+ /* Ignore options not used by the netdev. */
} else {
VLOG_WARN("%s: unknown %s argument '%s'",
name, type, node->name);
}
}
- /* IPsec doesn't work when header caching is enabled. Disable it if the
- * IPsec local IP address and authentication mechanism have been defined. */
- if (ipsec_ip_set && ipsec_mech_set) {
- VLOG_INFO("%s: header caching disabled due to use of IPsec", name);
- config.flags &= ~TNL_F_HDR_CACHE;
+ if (is_ipsec) {
+ if (shash_find(args, "peer_cert") && shash_find(args, "psk")) {
+ VLOG_WARN("%s: cannot define both 'peer_cert' and 'psk'", name);
+ return EINVAL;
+ }
+
+ if (!ipsec_mech_set) {
+ VLOG_WARN("%s: IPsec requires an 'peer_cert' or psk' argument",
+ name);
+ return EINVAL;
+ }
}
if (!config.daddr) {
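Review bot: The new rejection message for a missing authentication mechanism is malformed: `"%s: IPsec requires an 'peer_cert' or psk' argument"` reads "an 'peer_cert'" and drops the opening quote on psk, so the operator sees an inconsistent option name in the log; the line should be `VLOG_WARN("%s: IPsec requires a 'peer_cert' or 'psk' argument",`. The comment in the `peer_cert` branch has a typo as well, `will like be removed` should read `will likely be removed`. That branch also accepts the port as soon as `certificate` is present without checking that `private_key` was supplied; if the netdev needs both (which this hunk does not show), a matching `shash_find(args, "private_key")` check with its own warning would reject the misconfiguration here rather than later. The enclosing function begins before this hunk and continues past it.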
{
static const struct vport_class vport_classes[] = {
{ { "gre", VPORT_FUNCTIONS }, parse_tunnel_config },
+ { { "ipsec_gre", VPORT_FUNCTIONS }, parse_tunnel_config },
{ { "capwap", VPORT_FUNCTIONS }, parse_tunnel_config },
{ { "patch", VPORT_FUNCTIONS }, parse_patch_config }
};