If Open vSwitch has IPSEC tunnel (with certificates) and Interface table was updated, then ovs-monitor-ipsec daemon would incorrectly remove and readd all existing IPSEC tunnels.
The root cause for this issue was that "peer_cert_file" key was present in interfaces dictionary, but it was missing in new_interfaces dictionary. Signed-off-by: Ansis Atteka <[email protected]> Reported-by: Niklas Andersson <[email protected]> --- debian/ovs-monitor-ipsec | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec index ac2cd7e..fc69268 100755 --- a/debian/ovs-monitor-ipsec +++ b/debian/ovs-monitor-ipsec @@ -216,12 +216,10 @@ path certificate "%s"; # The peer's certificate comes to us in PEM format as a string. # Write that string to a file for Racoon to use. - peer_cert_file = "%s/ovs-%s.pem" % (self.cert_dir, host) - f = open(root_prefix + peer_cert_file, "w") + f = open(root_prefix + vals["peer_cert_file"], "w") f.write(vals["peer_cert"]) f.close() - vals["peer_cert_file"] = peer_cert_file self.cert_hosts[host] = vals self.commit() @@ -489,8 +487,11 @@ def main(): vlog.warn("no valid SSL entry for %s" % name) continue + peer_cert_name = "ovs-%s.pem" % (options.get("remote_ip")) entry["certificate"] = ssl_cert[0] entry["private_key"] = ssl_cert[1] + entry["peer_cert_file"] = (Racoon.cert_dir + "/" + + peer_cert_name) new_interfaces[name] = entry -- 1.7.9 _______________________________________________ dev mailing list [email protected] http://openvswitch.org/mailman/listinfo/dev
