From e33a06d093462a221ff441539f32cedef8134eff Mon Sep 17 00:00:00 2001
From: Ansis Atteka <aatteka@nicira.com>
Date: Thu, 8 Mar 2012 18:58:09 -0800
Subject: [PATCH] ovs-monitor-ipsec: Detect correctly IPSEC configuration
changes
If Open vSwitch has IPSEC tunnel (with certificates) and Interface
table was updated, then ovs-monitor-ipsec daemon would incorrectly
remove and readd all existing IPSEC tunnels.
The root cause for this issue was that "peer_cert_file" key was present in
interfaces dictionary, but it was missing in new_interfaces dictionary.
v2: Do not fail buildtests
Issue#10096
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Reported-by: Niklas Andersson <nandersson@nicira.com>
---
debian/ovs-monitor-ipsec | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index ac2cd7e17..70063f89c 100755
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -216,13 +216,10 @@ path certificate "%s";
# The peer's certificate comes to us in PEM format as a string.
# Write that string to a file for Racoon to use.
- peer_cert_file = "%s/ovs-%s.pem" % (self.cert_dir, host)
- f = open(root_prefix + peer_cert_file, "w")
+ f = open(root_prefix + vals["peer_cert_file"], "w")
f.write(vals["peer_cert"])
f.close()
- vals["peer_cert_file"] = peer_cert_file
-
self.cert_hosts[host] = vals
self.commit()
@@ -465,6 +462,7 @@ def main():
if rec.type == "ipsec_gre":
name = rec.name
options = rec.options
+ peer_cert_name = "ovs-%s.pem" % (options.get("remote_ip"))
entry = {
"remote_ip": options.get("remote_ip"),
"local_ip": options.get("local_ip", "0.0.0.0/0"),
@@ -472,6 +470,7 @@ def main():
"private_key": options.get("private_key"),
"use_ssl_cert": options.get("use_ssl_cert"),
"peer_cert": options.get("peer_cert"),
+ "peer_cert_file": Racoon.cert_dir + "/" + peer_cert_name,
"psk": options.get("psk")}
if entry["peer_cert"] and entry["psk"]:
--
2.47.0