openvswitch: add SSL support

Open vSwitch supports SSL to connect to an OpenFlow controller. This is
recommended for security. Expand the UCI ovs config section to allow
configuring SSL CA, certificate and private key.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

diff --git a/net/openvswitch/Makefile b/net/openvswitch/Makefile
index 9c23a2467e4bcc406cbcab645b1373c3dcc088c2..6883ba4ba2185c1ac60e25e30d9a69f32e53531b 100644 (file)
--- a/net/openvswitch/Makefile
+++ b/net/openvswitch/Makefile
@@ -17,7 +17,7 @@ include ./openvswitch.mk
 #
 PKG_NAME:=openvswitch
 PKG_VERSION:=$(ovs_version)
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.openvswitch.org/releases/
 PKG_HASH:=7d5797f2bf2449c6a266149e88f72123540f7fe7f31ad52902057ae8d8f88c38

diff --git a/net/openvswitch/README.md b/net/openvswitch/README.md
index 5ed04d77126db1d4ad5d2570dc0542a1be953bb3..5cc8bbffe544401f1592ce97f331d31480effe14 100644 (file)
--- a/net/openvswitch/README.md
+++ b/net/openvswitch/README.md
@@ -69,6 +69,19 @@ ovs ovn_northd, ovn_controller & ovs_bridge.
 Each of these supports a disabled option, which should be 
 set to 0 to launch the respective daemons.
 
+The ovs section section also supports the options below, to configure a set of
+SSL CA, certificate and private key. After adding these to Open vSwitch, you
+may specify ssl: connection methods for e.g. the OpenFlow controller. Note that
+Open vSwitch only reads these files during startup, so it needs to be restarted
+after adding or changing these options.
+
+| Name     | Type    | Required | Default | Description                       |
+|----------|---------|----------|---------|-----------------------------------|
+| disabled | boolean | no       | 0       | If set to 1, do not configure SSL |
+| ca       | string  | no       | (none)  | Path to CA certificate            |
+| cert     | string  | no       | (none)  | Path to certificate               |
+| key      | string  | no       | (none)  | Path to private key               |
+
 The ovs_bridge section also supports the options below,
 for initialising a virtual bridge with an OpenFlow controller.
 

diff --git a/net/openvswitch/files/openvswitch.config b/net/openvswitch/files/openvswitch.config
index 56900b88835e7096b31193d28a6f6e219eddc2f4..c812b7dd67fcae9c1517fe0da66f7f4ecd91dd88 100644 (file)
--- a/net/openvswitch/files/openvswitch.config
+++ b/net/openvswitch/files/openvswitch.config
@@ -1,5 +1,8 @@
 config ovs ovs
        option disabled 1
+       option ca '/etc/openvswitch/example_ca.crt'
+       option cert '/etc/openvswitch/example_cert.crt'
+       option key '/etc/openvswitch/example_key.crt'
 
 config ovn_northd north
        option disabled 1

diff --git a/net/openvswitch/files/openvswitch.init b/net/openvswitch/files/openvswitch.init
index 84ba17b6222824b304b324f90e12d9980f6de1d6..229e6869b9a6c532cf89f337ab961f5a3ad62dca 100755 (executable)
--- a/net/openvswitch/files/openvswitch.init
+++ b/net/openvswitch/files/openvswitch.init
@@ -90,6 +90,7 @@ ovs_xx() {
                ovs)
                        "$ovs_ctl" "$action" \
                                --system-id=random 1000>&-
+                       ovs_set_ssl
                        ;;
                ovn_*)
                        "$ovn_ctl" "${action}_${cfgtype#ovn_}"
@@ -216,3 +217,14 @@ ovs_bridge_init() {
        [ -n "$controller" ] && \
                ovs-vsctl set-controller "$name" "$controller"
 }
+
+ovs_set_ssl() {
+       local ca="$(uci -q get openvswitch.ovs.ca)"
+       [ -f "$ca" ] || return
+       local cert="$(uci get openvswitch.ovs.cert)"
+       [ -f "$cert" ] || return
+       local key="$(uci get openvswitch.ovs.key)"
+       [ -f "$key" ] || return
+
+       ovs-vsctl set-ssl "$key" "$cert" "$ca"
+}