ovs-monitor-ipsec: Use "require" when adding SPD entries.

Previously, SPD entries were added with a level of "default".  This uses
the system-wide default for the protocol when processing a matching
packet.  Switch the level to "require" so that a SA is always used when
sending the packet.

diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index 07ad3982377204a31ea279b8d9c27ee64584fe14..12ff9f5f2f75e4b86e1262be9397cbe1e3e1c254 100755 (executable)
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -317,9 +317,9 @@ class IPsec:
         self.call_setkey("spdflush;")
 
     def spd_add(self, local_ip, remote_ip):
-        cmds = ("spdadd %s %s gre -P out ipsec esp/transport//default;\n" %
+        cmds = ("spdadd %s %s gre -P out ipsec esp/transport//require;\n" %
                     (local_ip, remote_ip))
-        cmds += ("spdadd %s %s gre -P in ipsec esp/transport//default;" %
+        cmds += ("spdadd %s %s gre -P in ipsec esp/transport//require;" %
                     (remote_ip, local_ip))
         self.call_setkey(cmds)