LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

openvswitch: add SSL support 

Open vSwitch supports SSL to connect to an OpenFlow controller. This is
recommended for security. Expand the UCI ovs config section to allow
configuring SSL CA, certificate and private key.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
lilik-openwrt-22.03
Stijn Tintel 3 years ago
parent
2430c4ef82
commit
653716eb19
4 changed files with 29 additions and 1 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +1
    -1
      net/openvswitch/Makefile
  2. +13
    -0
      net/openvswitch/README.md
  3. +3
    -0
      net/openvswitch/files/openvswitch.config
  4. +12
    -0
      net/openvswitch/files/openvswitch.init

+ 1
- 1
net/openvswitch/Makefile View File

@ -17,7 +17,7 @@ include ./openvswitch.mk
# #
PKG_NAME:=openvswitch PKG_NAME:=openvswitch
PKG_VERSION:=$(ovs_version) PKG_VERSION:=$(ovs_version)
PKG_RELEASE:=5
PKG_RELEASE:=6
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.openvswitch.org/releases/ PKG_SOURCE_URL:=https://www.openvswitch.org/releases/
PKG_HASH:=7d5797f2bf2449c6a266149e88f72123540f7fe7f31ad52902057ae8d8f88c38 PKG_HASH:=7d5797f2bf2449c6a266149e88f72123540f7fe7f31ad52902057ae8d8f88c38


+ 13
- 0
net/openvswitch/README.md View File

@ -69,6 +69,19 @@ ovs ovn_northd, ovn_controller & ovs_bridge.
Each of these supports a disabled option, which should be Each of these supports a disabled option, which should be
set to 0 to launch the respective daemons. set to 0 to launch the respective daemons.
The ovs section section also supports the options below, to configure a set of
SSL CA, certificate and private key. After adding these to Open vSwitch, you
may specify ssl: connection methods for e.g. the OpenFlow controller. Note that
Open vSwitch only reads these files during startup, so it needs to be restarted
after adding or changing these options.
| Name | Type | Required | Default | Description |
|----------|---------|----------|---------|-----------------------------------|
| disabled | boolean | no | 0 | If set to 1, do not configure SSL |
| ca | string | no | (none) | Path to CA certificate |
| cert | string | no | (none) | Path to certificate |
| key | string | no | (none) | Path to private key |
The ovs_bridge section also supports the options below, The ovs_bridge section also supports the options below,
for initialising a virtual bridge with an OpenFlow controller. for initialising a virtual bridge with an OpenFlow controller.


+ 3
- 0
net/openvswitch/files/openvswitch.config View File

@ -1,5 +1,8 @@
config ovs ovs config ovs ovs
option disabled 1 option disabled 1
option ca '/etc/openvswitch/example_ca.crt'
option cert '/etc/openvswitch/example_cert.crt'
option key '/etc/openvswitch/example_key.crt'
config ovn_northd north config ovn_northd north
option disabled 1 option disabled 1


+ 12
- 0
net/openvswitch/files/openvswitch.init View File

@ -90,6 +90,7 @@ ovs_xx() {
ovs) ovs)
"$ovs_ctl" "$action" \ "$ovs_ctl" "$action" \
--system-id=random 1000>&- --system-id=random 1000>&-
ovs_set_ssl
;; ;;
ovn_*) ovn_*)
"$ovn_ctl" "${action}_${cfgtype#ovn_}" "$ovn_ctl" "${action}_${cfgtype#ovn_}"
@ -216,3 +217,14 @@ ovs_bridge_init() {
[ -n "$controller" ] && \ [ -n "$controller" ] && \
ovs-vsctl set-controller "$name" "$controller" ovs-vsctl set-controller "$name" "$controller"
} }
ovs_set_ssl() {
local ca="$(uci -q get openvswitch.ovs.ca)"
[ -f "$ca" ] || return
local cert="$(uci get openvswitch.ovs.cert)"
[ -f "$cert" ] || return
local key="$(uci get openvswitch.ovs.key)"
[ -f "$key" ] || return
ovs-vsctl set-ssl "$key" "$cert" "$ca"
}

Write Preview
Loading…
Cancel
Save