openvswitch: deprecates support for IPsec tunnel port.

OVS IPsec tunnel support has issues:
1. It only works for GRE.
2. only works on Debian.
3. It does not allow user to match on packet-mark
   on packet received on tunnel ports.

This patch deprecates support for IPsec tunnel port.

Signed-off-by: Pravin B Shelar <pshelar@ovn.org>
Acked-by: Ansis Atteka <aatteka@ovn.org>

diff --git a/NEWS b/NEWS
index dba1950e562205799c76aba9d90cb1aa2dde0bcb..6e284aac32557ba75408375d58546ac7745433dd 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -150,6 +150,7 @@ v2.6.0 - xx xxx xxxx
      * Flow based tunnel match and action can be used for IPv6 address using
        tun_ipv6_src, tun_ipv6_dst fields.
      * Added support for IPv6 tunnels, for details checkout FAQ.
+     * Deprecated support for IPsec tunnels ports.
    - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port and
      watch with tcpdump
    - Introduce --no-self-confinement flag that allows daemons to work with

diff --git a/debian/changelog b/debian/changelog
index 7f38d53e20597ffb99780ef266780a962e1edf20..28d00babcb0fca2db73787702f1a74c35b47657a 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -118,6 +118,7 @@ openvswitch (2.6.0-1) unstable; urgency=low
      * Flow based tunnel match and action can be used for IPv6 address using
        tun_ipv6_src, tun_ipv6_dst fields.
      * Added support for IPv6 tunnels, for details checkout FAQ.
+     * Deprecated support for IPsec tunnels ports.
    - A wrapper script, 'ovs-tcpdump', to easily port-mirror an OVS port and
      watch with tcpdump
    - Introduce --no-self-confinement flag that allows daemons to work with

diff --git a/debian/control b/debian/control
index 6e704f13d64cb4d3b70f4800324e24ea7cc72be5..da86fe9fd55ffa6afb43060b904c970c4b2124c7 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -200,6 +200,7 @@ Description: Open vSwitch GRE-over-IPsec support
  .
  The ovs-monitor-ipsec script provides support for encrypting GRE
  tunnels with IPsec.
+ IPsec tunnels support is deprecated.
 
 Package: openvswitch-pki
 Architecture: all

diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c
index 8d22cf58a22967034a0aa898c612faa45622fd29..ac31da6a6e55eb6df6bb17d0f2ba900d9f58349b 100644 (file)
--- a/lib/netdev-vport.c
+++ b/lib/netdev-vport.c
@@ -543,6 +543,8 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args)
         static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER;
         static pid_t pid = 0;
 
+        VLOG_ERR("%s: OVS IPsec tunnel support is deprecated.", name);
+
 #ifndef _WIN32
         ovs_mutex_lock(&mutex);
         if (pid <= 0) {

diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index e73023d112c939b4880b18349802cb8fd365d4d4..976f3ca3f5bede412a9ca3bbf2c798888862e414 100644 (file)
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -2008,6 +2008,9 @@
           <dd>
             An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4/IPv6
             IPsec tunnel.
+            IPsec tunnel ports are deprecated. The support will be completely
+            removed in next version.
+
           </dd>
 
           <dt><code>vxlan</code></dt>