diff --git a/debian/control b/debian/control
index b4df6ed57bb59905729be124d00ae65a834a177c..bdf3d3d4987b80a72846b55071449a5f90f1a370 100644
--- a/debian/control
+++ b/debian/control
@@ -303,3 +303,25 @@ Description: Python 3 bindings for Open vSwitch
  VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
  .
  This package contains the full Python 3 bindings for Open vSwitch database.
+
+Package: openvswitch-ipsec
+Architecture: linux-any
+Depends:
+ iproute2,
+ lsb-base,
+ openvswitch-common (= ${binary:Version}),
+ openvswitch-switch (= ${binary:Version}),
+ python3-openvswitch (= ${source:Version}),
+ strongswan,
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: Open vSwitch IPsec tunneling support
+ Open vSwitch is a production quality, multilayer, software-based,
+ Ethernet virtual switch. It is designed to enable massive network
+ automation through programmatic extension, while still supporting
+ standard management interfaces and protocols (e.g. NetFlow, IPFIX,
+ sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed
+ to support distribution across multiple physical servers similar to
+ VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
+ .
+ This package provides IPsec tunneling support for OVS tunnels.
\ No newline at end of file
diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
index a39dd40e686d32886947ceff02cd83aa1ce02f99..aa68384547556e95f5b475c51e66b6019bf8851e 100755
--- a/debian/openvswitch-ipsec.init
+++ b/debian/openvswitch-ipsec.init
@@ -24,8 +24,8 @@
 # Default-Start: 2 3 4 5
 # Default-Stop: 0 1 6
 # Short-Description: Open vSwitch GRE-over-IPsec daemon
-# Description: The ovs-monitor-ipsec script provides support for encrypting GRE
-# tunnels with IPsec.
+# Description: The ovs-monitor-ipsec script provides support for
+# encrypting GRE tunnels with IPsec.
 ### END INIT INFO
 
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
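Review bot: The new openvswitch-ipsec stanza depends on the `strongswan` metapackage, but the ovs-monitor-ipsec it drives (see debian/patches/fix-ovs-monitor-ipsec.patch in this same commit) writes a strongswan.conf that turns on `charon.plugins.gcm.load = yes`; on Debian the gcm plugin is, I believe, shipped in libstrongswan-standard-plugins rather than pulled in by the metapackage, so check and add `libstrongswan-standard-plugins,` to Depends if that is the case, otherwise AES-GCM proposals will fail at runtime. The long description could also tell operators that the daemon generates and owns the host's strongSwan configuration (the generated `STRONGSWAN_CONF` template in the patch suggests this), e.g. ` Note that ovs-monitor-ipsec manages the strongSwan configuration on this host.`, since a pre-existing IPsec setup would be affected. The stanza also lacks a trailing newline (`\ No newline at end of file`); add one so later appends to debian/control do not glue onto this line.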
@@ -33,8 +33,9 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location
 NAME=ovs-monitor-ipsec # Introduce the short server's name here
 LOGDIR=/var/log/openvswitch # Log directory to use
+DATADIR=/usr/share/openvswitch
 
-PIDFILE=/var/run/openvswitch/$NAME.pid
+PIDFILE=/var/run/openvswitch/$NAME.pid
 
 test -x $DAEMON || exit 0
 
@@ -44,14 +45,14 @@ DODTIME=10 # Time to wait for the server to die, in seconds
 # If this value is set too low you might not
 # let some servers to die gracefully and
 # 'restart' will not work
-
+
 set -e
 
 running_pid() {
 # Check if a given process pid's cmdline matches a given name
 pid=$1
 name=$2
- [ -z "$pid" ] && return 1
+ [ -z "$pid" ] && return 1
 [ ! -d /proc/$pid ] && return 1
 cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2`
 # Is this the expected server
@@ -70,37 +71,13 @@ running() {
 return 0
 }
 
-uninstall_mark_rule() {
- iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 || return 0
-}
-
-install_mark_rule() {
- if ( ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2> /dev/null); then
- iptables -A INPUT -t mangle $1 -j MARK --set-mark 1/1
- fi
-}
-
 start_server() {
- if [ ! -d /var/run/openvswitch ]; then
- install -d -m 755 -o root -g root /var/run/openvswitch
- fi
-
- install_mark_rule "-p esp"
- install_mark_rule "-p udp --dport 4500"
- /usr/share/openvswitch/scripts/ovs-monitor-ipsec \
- --pidfile=$PIDFILE --log-file --detach --monitor \
- unix:/var/run/openvswitch/db.sock
-
+ ${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan start-ovs-ipsec
 return 0
 }
 
 stop_server() {
- if [ -e $PIDFILE ]; then
- kill `cat $PIDFILE`
- fi
- uninstall_mark_rule "-p esp"
- uninstall_mark_rule "-p udp --dport 4500"
-
+ ${DATADIR}/scripts/ovs-ctl stop-ovs-ipsec
 return 0
 }
 
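Review bot: start_server now delegates to `${DATADIR}/scripts/ovs-ctl --ike-daemon=strongswan start-ovs-ipsec`, yet the script still defines `DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec` and `PIDFILE=/var/run/openvswitch/$NAME.pid` in the earlier hunk and its running_pid/running helpers check /proc against them; unless ovs-ctl writes exactly that pidfile, `status` and any pidfile-based force-stop path outside this hunk will misreport the daemon as stopped. Confirm the pidfile ovs-ctl uses and derive PIDFILE from it rather than hard-coding it. The removed code also created /var/run/openvswitch and installed iptables mangle MARK rules for ESP and UDP/4500; if ovs-ctl/ovs-monitor-ipsec does not install equivalent marking (the patched script reads an `skb_mark` setting, so it may), GRE traffic could leave unencrypted while an SA is missing — once verified, record it with `# runtime dir and ESP/NAT-T mark rules are now handled by ovs-ctl start-ovs-ipsec`. Note too that under the `set -e` enabled above, a failing ovs-ctl aborts the script before `return 0` unless the caller (outside this hunk) invokes these functions in a conditional.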
@@ -190,12 +167,13 @@ case "$1" in
 ;;
 # Use this if the daemon cannot reload
 reload)
- log_warning_msg "Reloading $NAME daemon: not implemented, as the daemon"
- log_warning_msg "cannot re-read the config file (use restart)."
+ log_warning_msg "Reloading $NAME daemon: not implemented, as the"
+ log_warning_msg "deamon cannot re-read the config file (use restart)."
 ;;
 *)
 N=/etc/init.d/openvswitch-ipsec
- echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2
+ echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" \
+ >&2
 exit 1
 ;;
 esac
diff --git a/debian/openvswitch-ipsec.install b/debian/openvswitch-ipsec.install
index 72cacfa2530896d550fde997be449395ce86a7c7..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 100644
--- a/debian/openvswitch-ipsec.install
+++ b/debian/openvswitch-ipsec.install
@@ -1 +0,0 @@
-debian/ovs-monitor-ipsec usr/share/openvswitch/scripts
diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
deleted file mode 100755
index 6bc26aa8d6771f932fb3c8574014f6604886441c..0000000000000000000000000000000000000000
--- a/debian/ovs-monitor-ipsec
+++ /dev/null
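Review bot: The rewrapped warning introduces a typo: the new second line reads `log_warning_msg "deamon cannot re-read the config file (use restart)."` while the removed line spelled it "daemon"; change it to `log_warning_msg "daemon cannot re-read the config file (use restart)."`. The usage message lists `force-reload` but not `reload`, which is consistent with reload being unimplemented here; the enclosing case statement starts before this hunk.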
@@ -1,507 +0,0 @@ -#! /usr/bin/env python -# Copyright (c) 2009, 2010, 2011, 2012 Nicira, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# A daemon to monitor attempts to create GRE-over-IPsec tunnels. -# Uses racoon and setkey to support the configuration. Assumes that -# OVS has complete control over IPsec configuration for the box. - -# xxx To-do: -# - Doesn't actually check that Interface is connected to bridge -# - If a certificate is badly formed, Racoon will refuse to start. We -# should do a better job of verifying certificates are valid before -# adding an interface to racoon.conf. - - -import argparse -import glob -import os -import subprocess -import sys - -import ovs.dirs -from ovs.db import error -import ovs.util -import ovs.daemon -import ovs.db.idl -import ovs.unixctl -import ovs.unixctl.server -import ovs.vlog -from six.moves import range -import six - -vlog = ovs.vlog.Vlog("ovs-monitor-ipsec") -root_prefix = '' # Prefix for absolute file names, for testing. 
-SETKEY = "/usr/sbin/setkey" -IP = "/sbin/ip" -exiting = False -IPSEC_MARK = "1" - - -def unixctl_exit(conn, unused_argv, unused_aux): - global exiting - exiting = True - conn.reply(None) - - -# Class to configure the racoon daemon, which handles IKE negotiation -class Racoon(object): - # Default locations for files - conf_file = "/etc/racoon/racoon.conf" - cert_dir = "/etc/racoon/certs" - psk_file = "/etc/racoon/psk.txt" - - # Racoon configuration header we use for IKE - conf_header = """# Configuration file generated by Open vSwitch -# -# Do not modify by hand! - -path pre_shared_key "%s"; -path certificate "%s"; - -""" - - # Racoon configuration footer we use for IKE - conf_footer = """sainfo anonymous { - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm aes; - authentication_algorithm hmac_sha1, hmac_md5; - compression_algorithm deflate; -} - -""" - - # Certificate entry template. - cert_entry = """remote %s { - exchange_mode main; - nat_traversal on; - ike_frag on; - certificate_type x509 "%s" "%s"; - my_identifier asn1dn; - peers_identifier asn1dn; - peers_certfile x509 "%s"; - verify_identifier on; - proposal { - encryption_algorithm aes; - hash_algorithm sha1; - authentication_method rsasig; - dh_group 2; - } -} - -""" - - # Pre-shared key template. 
- psk_entry = """remote %s { - exchange_mode main; - nat_traversal on; - proposal { - encryption_algorithm aes; - hash_algorithm sha1; - authentication_method pre_shared_key; - dh_group 2; - } -} - -""" - - def __init__(self): - self.psk_hosts = {} - self.cert_hosts = {} - - if not os.path.isdir(root_prefix + self.cert_dir): - os.mkdir(self.cert_dir) - - # Clean out stale peer certs from previous runs - for ovs_cert in glob.glob("%s%s/ovs-*.pem" - % (root_prefix, self.cert_dir)): - try: - os.remove(ovs_cert) - except OSError: - vlog.warn("couldn't remove %s" % ovs_cert) - - # Replace racoon's conf file with our template - self.commit() - - def reload(self): - exitcode = subprocess.call([root_prefix + "/etc/init.d/racoon", - "reload"]) - if exitcode != 0: - # Racoon is finicky about its configuration file and will - # refuse to start if it sees something it doesn't like - # (e.g., a certificate file doesn't exist). Try restarting - # the process before giving up. - vlog.warn("attempting to restart racoon") - exitcode = subprocess.call([root_prefix + "/etc/init.d/racoon", - "restart"]) - if exitcode != 0: - vlog.warn("couldn't reload racoon") - - def commit(self): - # Rewrite the Racoon configuration file - conf_file = open(root_prefix + self.conf_file, 'w') - conf_file.write(Racoon.conf_header % (self.psk_file, self.cert_dir)) - - for host, vals in six.iteritems(self.cert_hosts): - conf_file.write(Racoon.cert_entry % (host, vals["certificate"], - vals["private_key"], vals["peer_cert_file"])) - - for host in self.psk_hosts: - conf_file.write(Racoon.psk_entry % host) - - conf_file.write(Racoon.conf_footer) - conf_file.close() - - # Rewrite the pre-shared keys file; it must only be readable by root. 
- orig_umask = os.umask(0o077) - psk_file = open(root_prefix + Racoon.psk_file, 'w') - os.umask(orig_umask) - - psk_file.write("# Generated by Open vSwitch...do not modify by hand!") - psk_file.write("\n\n") - for host, vals in six.iteritems(self.psk_hosts): - psk_file.write("%s %s\n" % (host, vals["psk"])) - psk_file.close() - - self.reload() - - def _add_psk(self, host, psk): - if host in self.cert_hosts: - raise error.Error("host %s already defined for cert" % host) - - self.psk_hosts[host] = psk - self.commit() - - def _verify_certs(self, vals): - # Racoon will refuse to start if the certificate files don't - # exist, so verify that they're there. - if not os.path.isfile(root_prefix + vals["certificate"]): - raise error.Error("'certificate' file does not exist: %s" - % vals["certificate"]) - elif not os.path.isfile(root_prefix + vals["private_key"]): - raise error.Error("'private_key' file does not exist: %s" - % vals["private_key"]) - - # Racoon won't start if a given certificate or private key isn't - # valid. This is a weak test, but will detect the most flagrant - # errors. - if vals["peer_cert"].find("-----BEGIN CERTIFICATE-----") == -1: - raise error.Error("'peer_cert' is not in valid PEM format") - - cert = open(root_prefix + vals["certificate"]).read() - if cert.find("-----BEGIN CERTIFICATE-----") == -1: - raise error.Error("'certificate' is not in valid PEM format") - - cert = open(root_prefix + vals["private_key"]).read() - if cert.find("-----BEGIN RSA PRIVATE KEY-----") == -1: - raise error.Error("'private_key' is not in valid PEM format") - - def _add_cert(self, host, vals): - if host in self.psk_hosts: - raise error.Error("host %s already defined for psk" % host) - - if vals["certificate"] is None: - raise error.Error("'certificate' not defined for %s" % host) - elif vals["private_key"] is None: - # Assume the private key is stored in the same PEM file as - # the certificate. 
We make a copy of "vals" so that we don't - # modify the original "vals", which would cause the script - # to constantly think that the configuration has changed - # in the database. - vals = vals.copy() - vals["private_key"] = vals["certificate"] - - self._verify_certs(vals) - - # The peer's certificate comes to us in PEM format as a string. - # Write that string to a file for Racoon to use. - f = open(root_prefix + vals["peer_cert_file"], "w") - f.write(vals["peer_cert"]) - f.close() - - self.cert_hosts[host] = vals - self.commit() - - def _del_cert(self, host): - peer_cert_file = self.cert_hosts[host]["peer_cert_file"] - del self.cert_hosts[host] - self.commit() - try: - os.remove(root_prefix + peer_cert_file) - except OSError: - pass - - def add_entry(self, host, vals): - if vals["peer_cert"]: - self._add_cert(host, vals) - elif vals["psk"]: - self._add_psk(host, vals) - - def del_entry(self, host): - if host in self.cert_hosts: - self._del_cert(host) - elif host in self.psk_hosts: - del self.psk_hosts[host] - self.commit() - - -# Class to configure IPsec on a system using racoon for IKE and setkey -# for maintaining the Security Association Database (SAD) and Security -# Policy Database (SPD). Only policies for GRE are supported. -class IPsec(object): - def __init__(self): - self.sad_flush() - self.spd_flush() - self.racoon = Racoon() - self.entries = [] - - def call_setkey(self, cmds): - try: - p = subprocess.Popen([root_prefix + SETKEY, "-c"], - stdin=subprocess.PIPE, - stdout=subprocess.PIPE) - except: - vlog.err("could not call %s%s" % (root_prefix, SETKEY)) - sys.exit(1) - - # xxx It is safer to pass the string into the communicate() - # xxx method, but it didn't work for slightly longer commands. - # xxx An alternative may need to be found. 
- p.stdin.write(cmds) - return p.communicate()[0] - - def call_ip_xfrm(self, cmds): - exitcode = subprocess.call([root_prefix + IP, "xfrm"] + cmds) - if exitcode != 0: - vlog.err("couldn't install IPsec policy that prevents " - "traffic from exiting unencrypted") - - def get_spi(self, local_ip, remote_ip, proto="esp"): - # Run the setkey dump command to retrieve the SAD. Then, parse - # the output looking for SPI buried in the output. Note that - # multiple SAD entries can exist for the same "flow", since an - # older entry could be in a "dying" state. - spi_list = [] - host_line = "%s %s" % (local_ip, remote_ip) - results = self.call_setkey("dump ;\n").split("\n") - for i in range(len(results)): - if results[i].strip() == host_line: - # The SPI is in the line following the host pair - spi_line = results[i + 1] - if (spi_line[1:4] == proto): - spi = spi_line.split()[2] - spi_list.append(spi.split('(')[1].rstrip(')')) - return spi_list - - def sad_flush(self): - self.call_setkey("flush;\n") - - def sad_del(self, local_ip, remote_ip): - # To delete all SAD entries, we should be able to use setkey's - # "deleteall" command. Unfortunately, it's fundamentally broken - # on Linux and not documented as such. 
- cmds = "" - - # Delete local_ip->remote_ip SAD entries - spi_list = self.get_spi(local_ip, remote_ip) - for spi in spi_list: - cmds += "delete %s %s esp %s;\n" % (local_ip, remote_ip, spi) - - # Delete remote_ip->local_ip SAD entries - spi_list = self.get_spi(remote_ip, local_ip) - for spi in spi_list: - cmds += "delete %s %s esp %s;\n" % (remote_ip, local_ip, spi) - - if cmds: - self.call_setkey(cmds) - - def spd_flush(self): - self.call_setkey("spdflush;\n") - self.call_ip_xfrm(["policy", "add", "src", "0.0.0.0/0", "dst", - "0.0.0.0/0", "proto", "gre", "dir", "out", - "mark", IPSEC_MARK, "mask", IPSEC_MARK, - "action", "block", "priority", "4294967295"]) - - def spd_add(self, local_ip, remote_ip): - cmds = ("spdadd %s %s gre -P out ipsec esp/transport//require;\n" % - (local_ip, remote_ip)) - cmds += ("spdadd %s %s gre -P in ipsec esp/transport//require;\n" % - (remote_ip, local_ip)) - self.call_setkey(cmds) - - def spd_del(self, local_ip, remote_ip): - cmds = "spddelete %s %s gre -P out;\n" % (local_ip, remote_ip) - cmds += "spddelete %s %s gre -P in;\n" % (remote_ip, local_ip) - self.call_setkey(cmds) - - def add_entry(self, local_ip, remote_ip, vals): - if remote_ip in self.entries: - raise error.Error("host %s already configured for ipsec" - % remote_ip) - - self.racoon.add_entry(remote_ip, vals) - self.spd_add(local_ip, remote_ip) - - self.entries.append(remote_ip) - - def del_entry(self, local_ip, remote_ip): - if remote_ip in self.entries: - self.racoon.del_entry(remote_ip) - self.spd_del(local_ip, remote_ip) - self.sad_del(local_ip, remote_ip) - - self.entries.remove(remote_ip) - - -def update_ipsec(ipsec, interfaces, new_interfaces): - for name, vals in six.iteritems(interfaces): - if name not in new_interfaces: - ipsec.del_entry(vals["local_ip"], vals["remote_ip"]) - - for name, vals in six.iteritems(new_interfaces): - orig_vals = interfaces.get(name) - if orig_vals: - # Configuration for this host already exists. Check if it's - # changed. 
We use set difference, since we want to ignore - # any local additions to "orig_vals" that we've made - # (e.g. the "peer_cert_file" key). - if set(vals.items()) - set(orig_vals.items()): - ipsec.del_entry(vals["local_ip"], vals["remote_ip"]) - else: - continue - - try: - ipsec.add_entry(vals["local_ip"], vals["remote_ip"], vals) - except error.Error as msg: - vlog.warn("skipping ipsec config for %s: %s" % (name, msg)) - - -def get_ssl_cert(data): - for ovs_rec in data["Open_vSwitch"].rows.values(): - if ovs_rec.ssl: - ssl = ovs_rec.ssl[0] - if ssl.certificate and ssl.private_key: - return (ssl.certificate, ssl.private_key) - - return None - - -def main(): - - parser = argparse.ArgumentParser() - parser.add_argument("database", metavar="DATABASE", - help="A socket on which ovsdb-server is listening.") - parser.add_argument("--root-prefix", metavar="DIR", - help="Use DIR as alternate root directory" - " (for testing).") - - ovs.vlog.add_args(parser) - ovs.daemon.add_args(parser) - args = parser.parse_args() - ovs.vlog.handle_args(args) - ovs.daemon.handle_args(args) - - global root_prefix - if args.root_prefix: - root_prefix = args.root_prefix - - remote = args.database - schema_helper = ovs.db.idl.SchemaHelper() - schema_helper.register_columns("Interface", ["name", "type", "options"]) - schema_helper.register_columns("Open_vSwitch", ["ssl"]) - schema_helper.register_columns("SSL", ["certificate", "private_key"]) - idl = ovs.db.idl.Idl(remote, schema_helper) - - ipsec = IPsec() - - ovs.daemon.daemonize() - - ovs.unixctl.command_register("exit", "", 0, 0, unixctl_exit, None) - error, unixctl_server = ovs.unixctl.server.UnixctlServer.create(None) - if error: - ovs.util.ovs_fatal(error, "could not create unixctl server", vlog) - - interfaces = {} - seqno = idl.change_seqno # Sequence number when we last processed the db - while True: - unixctl_server.run() - if exiting: - break - - idl.run() - if seqno == idl.change_seqno: - poller = ovs.poller.Poller() - 
unixctl_server.wait(poller) - idl.wait(poller) - poller.block() - continue - seqno = idl.change_seqno - - ssl_cert = get_ssl_cert(idl.tables) - - new_interfaces = {} - for rec in six.itervalues(idl.tables["Interface"].rows): - if rec.type == "ipsec_gre": - name = rec.name - options = rec.options - peer_cert_name = "ovs-%s.pem" % (options.get("remote_ip")) - entry = { - "remote_ip": options.get("remote_ip"), - "local_ip": options.get("local_ip", "0.0.0.0/0"), - "certificate": options.get("certificate"), - "private_key": options.get("private_key"), - "use_ssl_cert": options.get("use_ssl_cert"), - "peer_cert": options.get("peer_cert"), - "peer_cert_file": Racoon.cert_dir + "/" + peer_cert_name, - "psk": options.get("psk")} - - if entry["peer_cert"] and entry["psk"]: - vlog.warn("both 'peer_cert' and 'psk' defined for %s" - % name) - continue - elif not entry["peer_cert"] and not entry["psk"]: - vlog.warn("no 'peer_cert' or 'psk' defined for %s" % name) - continue - - # The "use_ssl_cert" option is deprecated and will - # likely go away in the near future. - if entry["use_ssl_cert"] == "true": - if not ssl_cert: - vlog.warn("no valid SSL entry for %s" % name) - continue - - entry["certificate"] = ssl_cert[0] - entry["private_key"] = ssl_cert[1] - - new_interfaces[name] = entry - - if interfaces != new_interfaces: - update_ipsec(ipsec, interfaces, new_interfaces) - interfaces = new_interfaces - - unixctl_server.close() - idl.close() - - -if __name__ == '__main__': - try: - main() - except SystemExit: - # Let system.exit() calls complete normally - raise - except: - vlog.exception("traceback") - sys.exit(ovs.daemon.RESTART_EXIT_CODE) diff --git a/debian/patches/fix-ovs-monitor-ipsec.patch b/debian/patches/fix-ovs-monitor-ipsec.patch new file mode 100644 index 0000000000000000000000000000000000000000..2d2b2e8f3a40477d877128d5febeabf367ac9f33 --- /dev/null +++ b/debian/patches/fix-ovs-monitor-ipsec.patch 
@@ -0,0 +1,117 @@
+Description: Fix ovs-monitor-ipsec
+ Open subprocesses in the text mode.
+ Use valid strongSwan configuration.
+ Use python3 dictionary iterators.
+Forwarded: no
+Author: Jakub Safarik
+Last-Update: 2019-09-29
+--- a/ipsec/ovs-monitor-ipsec.in
++++ b/ipsec/ovs-monitor-ipsec.in
+@@ -99,7 +99,8 @@
+ the IPsec policy."""
+ policies = {}
+ proc = subprocess.Popen([self.IP, 'xfrm', 'policy'],
+- stdout=subprocess.PIPE)
++ stdout=subprocess.PIPE,
++ universal_newlines=True)
+ while True:
+ line = proc.stdout.readline().strip()
+ if line == '':
+@@ -122,7 +123,8 @@
+ is SELECTOR."""
+ securities = {}
+ proc = subprocess.Popen([self.IP, 'xfrm', 'state'],
+- stdout=subprocess.PIPE)
++ stdout=subprocess.PIPE,
++ universal_newlines=True)
+ while True:
+ line = proc.stdout.readline().strip()
+ if line == '':
+@@ -145,10 +147,18 @@
+ """This class does StrongSwan specific configurations."""
+ 
+ STRONGSWAN_CONF = """%s
+-charon.plugins.kernel-netlink.set_proto_port_transport_sa = yes
+-charon.plugins.kernel-netlink.xfrm_ack_expires = 10
+-charon.load_modular = yes
+-charon.plugins.gcm.load = yes
++charon {
++ plugins {
++ kernel-netlink {
++ set_proto_port_transport_sa = yes
++ xfrm_ack_expires = 10
++ }
++ gcm {
++ load = yes
++ }
++ }
++ load_modular = yes
++}
+ """ % (FILE_HEADER)
+ 
+ CONF_HEADER = """%s
+@@ -243,7 +253,9 @@
+ sample line from the parsed outpus as . """
+ 
+ conns = {}
+- proc = subprocess.Popen([self.IPSEC, 'status'], stdout=subprocess.PIPE)
++ proc = subprocess.Popen([self.IPSEC, 'status'],
++ stdout=subprocess.PIPE,
++ universal_newlines=True)
+ 
+ while True:
+ line = proc.stdout.readline().strip()
+@@ -340,7 +352,7 @@
+ # about possibility of ovs-monitor-ipsec to block for each tunnel
+ # while strongSwan sends IKE messages over Internet.
+ conns_dict = self.get_active_conns()
+- for ifname, conns in conns_dict.iteritems():
++ for ifname, conns in conns_dict.items():
+ tunnel = monitor.tunnels.get(ifname)
+ for conn in conns:
+ # IPsec "connection" names that we choose in strongswan
+@@ -536,7 +548,7 @@
+ 
+ # Delete old connections
+ conns_dict = self.get_active_conns()
+- for ifname, conns in conns_dict.iteritems():
++ for ifname, conns in conns_dict.items():
+ tunnel = monitor.tunnels.get(ifname)
+ 
+ for conn in conns:
+@@ -989,7 +1001,7 @@
+ skb_mark = None
+ is_valid = False
+ 
+- for row in data["Open_vSwitch"].rows.itervalues():
++ for row in data["Open_vSwitch"].rows.values():
+ pki[0] = row.other_config.get("certificate")
+ pki[1] = row.other_config.get("private_key")
+ pki[2] = row.other_config.get("ca_cert")
+@@ -1016,7 +1028,7 @@
+ table."""
+ ifaces = set()
+ 
+- for row in data["Interface"].rows.itervalues():
++ for row in data["Interface"].rows.values():
+ if not self.is_tunneling_type_supported(row.type):
+ continue
+ if not self.is_ipsec_required(row.options):
+@@ -1047,7 +1059,7 @@
+ return
+ s = ""
+ conns = self.ike_helper.get_active_conns()
+- for name, tunnel in self.tunnels.iteritems():
++ for name, tunnel in self.tunnels.items():
+ s += tunnel.show(policies, securities, conns)
+ unix_conn.reply(s)
+ 
+@@ -1064,7 +1076,7 @@
+ if self.ike_helper.config_global(self):
+ needs_refresh = True
+ 
+- for name, tunnel in self.tunnels.iteritems():
++ for name, tunnel in self.tunnels.items():
+ if tunnel.last_refreshed_version != tunnel.version:
+ tunnel.last_refreshed_version = tunnel.version
+ needs_refresh = True
diff --git a/debian/patches/series b/debian/patches/series
index aafe3ad1a3b0114aa0056d3ee7b5de2c559f5b8d..4c31b32e21c3fe3ecb2a8cc4a71bcc7180e55387 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+fix-ovs-monitor-ipsec.patch
 remove-include-debian-automake.mk.patch
 remove-tests-broken-in-mips64el-and-mipsel.patch
 remove-bfd-decay-tests.patch
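Review bot: Switching the three Popen calls to `universal_newlines=True` makes `proc.stdout.readline().strip()` yield `''` at EOF (under Python 3 the bytes form never compared equal to `''`, so those loops could not end that way), but it also yields `''` for any blank line, so the surrounding `if line == '':` checks now stop parsing at the first empty line of `ip xfrm policy`, `ip xfrm state` or `ipsec status` output. If that check is meant as the EOF test, read the raw line first — `raw = proc.stdout.readline()`, `if not raw: break`, `line = raw.strip()` — and note that the loop bodies are cut off by the hunks, so I cannot see whether a blank line is otherwise expected there. The header marks the patch `Forwarded: no` although it is a plain Python 3 port of upstream ipsec/ovs-monitor-ipsec.in; check whether upstream already carries equivalent changes and either forward it or record why not in the header.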