ovs-monitor-ipsec wakes up when the Interface table is modified.  To
prevent needless reconfiguration, it maintains a dictionary of the
currently implemented configuration and compares it to any new changes.
Unfortunately, for certificate-based authentication we create a new
"peer_cert_file" key in our local dictionary, which always causes the
comparison to fail.  This forces expensive renegotiation for any change
in the Interface tables.  This commit uses set difference to detect
changes from the previous configuration as opposed to a straight simple

Bug #9103

Signed-off-by: Justin Pettit <jpet...@nicira.com>
 debian/ovs-monitor-ipsec |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index cb39aae..74646f3 100755
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -421,11 +421,13 @@ def update_ipsec(ipsec, interfaces, new_interfaces):
         orig_vals = interfaces.get(name)
         if orig_vals:
             # Configuration for this host already exists.  Check if it's
-            # changed.
-            if vals == orig_vals:
-                continue
-            else:
+            # changed.  We use set difference, since we want to ignore
+            # any local additions to "orig_vals" that we've made
+            # (e.g. the "peer_cert_file" key).
+            if set(vals.items()) - set(orig_vals.items()):
                 ipsec.del_entry(vals["local_ip"], vals["remote_ip"])
+            else:
+                continue
             ipsec.add_entry(vals["local_ip"], vals["remote_ip"], vals)
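Review bot: The test `if set(vals.items()) - set(orig_vals.items()):` only looks in one direction, so a key that exists in "orig_vals" but has been dropped from "vals" yields an empty set and falls through to `continue`. That is the intended behaviour for the locally added "peer_cert_file" key, but it also means a setting removed from the Interface row is never noticed and the old IPsec entry stays installed with the stale option. Consider making the ignore list explicit: copy "orig_vals", delete the known local keys such as "peer_cert_file" from the copy, and compare that copy to "vals" with plain equality, so that additions, changes and removals all trigger `ipsec.del_entry(...)` followed by `ipsec.add_entry(...)`. If the set form is kept, the comment should state that removals are deliberately not detected, and that `set(vals.items())` requires every value in "vals" to be hashable.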
