vswitch: Disable header-caching when IPsec is enabled

Header caching speeds up sending tunneled traffic by bypassing the Linux
IP stack.  This also causes it to bypass IPsec processing, which will
break connectivity.  This commit disables header caching when IPsec is
enabled.

diff --git a/lib/netdev-tunnel.c b/lib/netdev-tunnel.c
index fdc1d976a4fc493bd673dafcdc6c6bade0bc8751..079830e63372ee45f47bdbf13da4c603f08b252d 100644 (file)
--- a/lib/netdev-tunnel.c
+++ b/lib/netdev-tunnel.c
@@ -62,6 +62,8 @@ parse_config(const char *name, const char *type, const struct shash *args,
              struct tnl_port_config *config)
 {
     struct shash_node *node;
+    bool ipsec_ip_set = false;
+    bool ipsec_mech_set = false;
 
     memset(config, 0, sizeof *config);
 
@@ -126,11 +128,24 @@ parse_config(const char *name, const char *type, const struct shash *args,
             if (!strcmp(node->data, "false")) {
                 config->flags &= ~TNL_F_HDR_CACHE;
             }
+        } else if (!strcmp(node->name, "ipsec_local_ip")) {
+            ipsec_ip_set = true;
+        } else if (!strcmp(node->name, "ipsec_cert")
+                   || !strcmp(node->name, "ipsec_psk")) {
+            ipsec_mech_set = true;
         } else {
             VLOG_WARN("%s: unknown %s argument '%s'", name, type, node->name);
         }
     }
 
+    /* IPsec doesn't work when header caching is enabled.  Disable it if
+     * the IPsec local IP address and authentication mechanism have been
+     * defined. */
+    if (ipsec_ip_set && ipsec_mech_set) {
+        VLOG_INFO("%s: header caching disabled due to use of IPsec", name);
+        config->flags &= ~TNL_F_HDR_CACHE;
+    }
+
     if (!config->daddr) {
         VLOG_WARN("%s: %s type requires valid 'remote_ip' argument", name, type);
         return EINVAL;

diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index c86e4d5bc91ffcc1ae708273cfbe00027ad2c028..6c271fb7acf80807d733d2b859b827537ff46a02 100644 (file)
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -374,6 +374,20 @@ set_up_iface(const struct ovsrec_interface *iface_cfg, struct iface *iface,
                   xstrdup(iface_cfg->value_options[i]));
     }
 
+    /* Include 'other_config' keys in hash of netdev options.  The
+     * namespace of 'other_config' and 'options' must be disjoint.
+     * Prefer 'options' keys over 'other_config' keys. */
+    for (i = 0; i < iface_cfg->n_other_config; i++) {
+        char *value = xstrdup(iface_cfg->value_other_config[i]);
+        if (!shash_add_once(&options, iface_cfg->key_other_config[i],
+                            value)) {
+            VLOG_WARN("%s: \"other_config\" key %s conflicts with existing "
+                      "\"other_config\" or \"options\" entry...ignoring",
+                      iface_cfg->name, iface_cfg->key_other_config[i]);
+            free(value);
+        }
+    }
+
     if (create) {
         struct netdev_options netdev_options;
 

diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index 141c5fe53e56fcf262fdd059e70502786f7ee579..242106d0d5f46310b840350ae0d519c2190cb68b 100644 (file)
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -661,7 +661,9 @@
                bypass certain components of the IP stack (such as IP tables)
                and it may be useful to disable it if these features are
                required or as a debugging measure.  Default is enabled, set to
-               <code>false</code> to disable.</dd>
+               <code>false</code> to disable.  If IPsec is enabled through the
+               <ref column="other_config"/> parameters, header caching will be
+               automatically disabled.</dd>
             </dl>
           </dd>
           <dt><code>capwap</code></dt>