ipsec: install iptables rules that set IPsec bit in skb mark

Without these two iptables rules (one for UDP encapsulated IPsec and another for direct IPsec), ovs-vswitchd would incorrectly conclude that GRE packet belonged to a plain GRE tunnel instead of IPsec GRE tunnel. Reported-by: Aryan TaheriMonfared <[email protected]> Reported-by: Daniel Hiltgen <[email protected]> Signed-off-by: Ansis Atteka <[email protected]>
AliJabar · Jan 22, 2014 · f34dcab · f34dcab
1 parent db751c4
commit f34dcab
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/AUTHORS b/AUTHORS
@@ -10,6 +10,7 @@ Andrew Lambeth          [email protected]
 Andy Southgate          [email protected]
 Anupam Chanda           [email protected]
 Arun Sharma             [email protected]
+Aryan TaheriMonfared    [email protected]
 Ben Pfaff               [email protected]
 Brian Kruger            [email protected]
 Bruce Davie             [email protected]
@@ -19,6 +20,7 @@ Chris Wright            [email protected]
 Chuck Short             [email protected]
 Dan Carpenter           [email protected]
 Dan Wendlandt           [email protected]
+Daniel Hiltgen          [email protected]
 Daniel Roman            [email protected]
 Danny Kukawka           [email protected]
 David Erickson          [email protected]

diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
@@ -70,11 +70,23 @@ running() {
     return 0
 }
 
+uninstall_mark_rule() {
+    iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 || return 0
+}
+
+install_mark_rule() {
+    if ( ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2> /dev/null); then
+        iptables -A INPUT -t mangle $1 -j MARK --set-mark 1/1
+    fi
+}
+
 start_server() {
     if [ ! -d /var/run/openvswitch ]; then
         install -d -m 755 -o root -g root /var/run/openvswitch
     fi
 
+    install_mark_rule "-p esp"
+    install_mark_rule "-p udp --dport 4500"
     /usr/share/openvswitch/scripts/ovs-monitor-ipsec \
            --pidfile=$PIDFILE --log-file --detach --monitor \
            unix:/var/run/openvswitch/db.sock
@@ -86,6 +98,8 @@ stop_server() {
     if [ -e $PIDFILE ]; then
         kill `cat $PIDFILE`
     fi
+    uninstall_mark_rule "-p esp"
+    uninstall_mark_rule "-p udp --dport 4500"
 
     return 0
 }