openvswitch: Allow external IPsec tunnel management.

OVS GRE IPsec tunnel support has multiple issues, Therefore
it was deprecated in OVS 2.6.

Following patch removes support for GRE IPsec and allows external
IPsec tunnel management for any type of tunnel not just GRE.
e.g. user can encrypt Geneve or VxLan traffic.

It can be done by using openflow pipeline to set skb-mark
and using IPsec keying daemons to implement IPsec tunnels.
This packet can be matched for the skb-mark to encrypt
selective tunnel traffic.

VMware-BZ: 1710701
Signed-off-by: Pravin B Shelar <[email protected]>
Acked-by: Ansis Atteka <[email protected]>

NEWS

@@ -25,6 +25,7 @@ Post-v2.6.0
      * TLV mappings for protocols such as Geneve are now segregated on
        a per-OpenFlow bridge basis rather than globally. (The interface
        has not changed.)
+     * Removed support for IPsec tunnels.
 
 v2.6.0 - xx xxx xxxx
 ---------------------

README.md

@@ -30,7 +30,7 @@ vSwitch supports the following features:
 * NIC bonding with or without LACP on upstream switch
 * NetFlow, sFlow(R), and mirroring for increased visibility
 * QoS (Quality of Service) configuration, plus policing
-* Geneve, GRE, GRE over IPSEC, VXLAN, and LISP tunneling
+* Geneve, GRE, VXLAN, STT, and LISP tunneling
 * 802.1ag connectivity fault management
 * OpenFlow 1.0 plus numerous extensions
 * Transactional configuration database with C and Python bindings

debian/automake.mk

@@ -19,9 +19,6 @@ EXTRA_DIST += \
 	debian/openvswitch-datapath-source.dirs \
 	debian/openvswitch-datapath-source.install \
 	debian/openvswitch-dev.install \
-	debian/openvswitch-ipsec.dirs \
-	debian/openvswitch-ipsec.init \
-	debian/openvswitch-ipsec.install \
 	debian/openvswitch-pki.dirs \
 	debian/openvswitch-pki.postinst \
 	debian/openvswitch-pki.postrm \
@@ -71,17 +68,13 @@ EXTRA_DIST += \
 	debian/ovn-host.postinst \
 	debian/ovn-host.postrm \
 	debian/ovn-host.template \
-	debian/ovs-monitor-ipsec \
 	debian/python-openvswitch.dirs \
 	debian/python-openvswitch.install \
 	debian/rules \
 	debian/rules.modules \
 	debian/ifupdown.sh \
 	debian/source/format
 
-FLAKE8_PYFILES += \
-	debian/ovs-monitor-ipsec
-
 check-debian-changelog-version:
 	@DEB_VERSION=`echo '$(VERSION)' | sed 's/pre/~pre/'`;		     \
 	if $(FGREP) '($(DEB_VERSION)' $(srcdir)/debian/changelog >/dev/null; \

debian/control

@@ -178,30 +178,6 @@ Description: OVN Docker drivers
  .
  ovn-docker provides the docker drivers for OVN.
 
-Package: openvswitch-ipsec
-Architecture: linux-any
-Depends: ipsec-tools (>=0.8~alpha20101208),
-         iproute2,
-         openvswitch-common (= ${binary:Version}),
-         openvswitch-switch (= ${binary:Version}),
-         python,
-         python-openvswitch (= ${source:Version}),
-         racoon (>=0.8~alpha20101208),
-         ${misc:Depends},
-         ${shlibs:Depends}
-Description: Open vSwitch GRE-over-IPsec support
- Open vSwitch is a production quality, multilayer, software-based,
- Ethernet virtual switch. It is designed to enable massive network
- automation through programmatic extension, while still supporting
- standard management interfaces and protocols (e.g. NetFlow, IPFIX,
- sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed
- to support distribution across multiple physical servers similar to
- VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
- .
- The ovs-monitor-ipsec script provides support for encrypting GRE
- tunnels with IPsec.
- IPsec tunnels support is deprecated.
-
 Package: openvswitch-pki
 Architecture: all
 Depends: openvswitch-common (<< ${source:Version}.1~),