From: Justin Pettit <jpettit@nicira.com>
Date: Tue, 10 Jan 2012 02:46:23 +0000 (-0800)
Subject: ovs-monitor-ipsec: Don't reconfigure cert-based authentication as often.
X-Git-Tag: sliver-openvswitch-0.1-1~508
X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=3831d6f4ce1b0023702ad5e4bf75a455d57dc187;p=sliver-openvswitch.git

ovs-monitor-ipsec: Don't reconfigure cert-based authentication as often.

ovs-monitor-ipsec wakes up when the Interface table is modified.  To
prevent needless reconfiguration, it maintains a dictionary of the
currently implemented configuration and compares it to any new changes.
Unfortunately, for certificate-based authentication we create a new
"peer_cert_file" key in our local dictionary, which always causes the
comparison to fail.  This forces expensive renegotiation for any change
in the Interface tables.  This commit uses set difference to detect
changes from the previous configuration as opposed to a straight simple
comparison.

Bug #9103

Signed-off-by: Justin Pettit <jpettit@nicira.com>
---

diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index ac2cd7e17..970708264 100755
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -399,11 +399,13 @@ def update_ipsec(ipsec, interfaces, new_interfaces):
         orig_vals = interfaces.get(name)
         if orig_vals:
             # Configuration for this host already exists.  Check if it's
-            # changed.
-            if vals == orig_vals:
-                continue
-            else:
+            # changed.  We use set difference, since we want to ignore
+            # any local additions to "orig_vals" that we've made
+            # (e.g. the "peer_cert_file" key).
+            if set(vals.items()) - set(orig_vals.items()):
                 ipsec.del_entry(vals["local_ip"], vals["remote_ip"])
+            else:
+                continue
 
         try:
             ipsec.add_entry(vals["local_ip"], vals["remote_ip"], vals)