ipsec: install iptables rules that set IPsec bit in skb mark

Without these two iptables rules (one for UDP encapsulated IPsec and
another for direct IPsec), ovs-vswitchd would incorrectly conclude
that GRE packet belonged to a plain GRE tunnel instead of IPsec GRE
tunnel.

Reported-by: Aryan TaheriMonfared <aryan.taherimonfared@uis.no>
Reported-by: Daniel Hiltgen <daniel@netkine.com>
Signed-off-by: Ansis Atteka <aatteka@nicira.com>

diff --git a/AUTHORS b/AUTHORS
index 7539b1a..e974362 100644 (file)
--- a/AUTHORS
+++ b/AUTHORS
@@ -16,6 +16,7 @@ Andy Zhou               azhou@nicira.com
 Ansis Atteka            aatteka@nicira.com
 Anupam Chanda           achanda@nicira.com
 Arun Sharma             arun.sharma@calsoftinc.com
+Aryan TaheriMonfared    aryan.taherimonfared@uis.no
 Ben Pfaff               blp@nicira.com
 Brian Kruger            bkruger+ovsdev@gmail.com
 Bruce Davie             bsd@nicira.com
@@ -26,6 +27,7 @@ Chuck Short             zulcss@ubuntu.com
 Damien Millescamps      damien.millescamps@6wind.com
 Dan Carpenter           dan.carpenter@oracle.com
 Dan Wendlandt           dan@nicira.com
+Daniel Hiltgen          daniel@netkine.com
 Daniel Roman            droman@nicira.com
 Danny Kukawka           danny.kukawka@bisect.de
 David Erickson          derickso@stanford.edu

diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
index 8e5c7b2..a39dd40 100755 (executable)
--- a/debian/openvswitch-ipsec.init
+++ b/debian/openvswitch-ipsec.init
@@ -70,11 +70,23 @@ running() {
     return 0
 }
 
+uninstall_mark_rule() {
+    iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 || return 0
+}
+
+install_mark_rule() {
+    if ( ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2> /dev/null); then
+        iptables -A INPUT -t mangle $1 -j MARK --set-mark 1/1
+    fi
+}
+
 start_server() {
     if [ ! -d /var/run/openvswitch ]; then
         install -d -m 755 -o root -g root /var/run/openvswitch
     fi
 
+    install_mark_rule "-p esp"
+    install_mark_rule "-p udp --dport 4500"
     /usr/share/openvswitch/scripts/ovs-monitor-ipsec \
            --pidfile=$PIDFILE --log-file --detach --monitor \
            unix:/var/run/openvswitch/db.sock
@@ -86,6 +98,8 @@ stop_server() {
     if [ -e $PIDFILE ]; then
         kill `cat $PIDFILE`
     fi
+    uninstall_mark_rule "-p esp"
+    uninstall_mark_rule "-p udp --dport 4500"
 
     return 0
 }