It was suggested by Jesse that it would be better to just not create IPsec tunnel devices if the ovs-monitor-ipsec daemon is not running. He had legitimate concerns about users missing the warning message printed and traffic possibly going out unencrypted.
Suggested-by: Jesse Gross <[email protected]> --- lib/netdev-vport.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c index 875bf71..8715109 100644 --- a/lib/netdev-vport.c +++ b/lib/netdev-vport.c @@ -720,11 +720,13 @@ parse_tunnel_config(const char *name, const char *type, if (is_ipsec) { char *file_name = xasprintf("%s/%s", ovs_rundir(), "ovs-monitor-ipsec.pid"); - if (read_pidfile(file_name) < 0) { - VLOG_WARN("%s: ovs-monitor-ipsec doesn't appear to be running, " - "traffic may not pass", name); - } + pid_t pid = read_pidfile(file_name); free(file_name); + if (pid < 0) { + VLOG_WARN("%s: IPsec requires the ovs-monitor-ipsec daemon", + name); + return EINVAL; + } if (shash_find(args, "peer_cert") && shash_find(args, "psk")) { VLOG_WARN("%s: cannot define both 'peer_cert' and 'psk'", name); -- 1.7.1 _______________________________________________ dev mailing list [email protected] http://openvswitch.org/mailman/listinfo/dev
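Review bot: In the new `if (pid < 0)` branch of parse_tunnel_config(), the message is still logged with VLOG_WARN even though the function now fails with `return EINVAL;`. Since the device is no longer created, VLOG_ERR fits better, and the text could say so explicitly (for example, that the tunnel is not being created because ovs-monitor-ipsec is not running), so the log entry explains the configuration failure the user sees. If the negative value returned by read_pidfile() carries an error code, including it in the message would help distinguish a missing pidfile from an unreadable one. The check also reads the pidfile only once, when the tunnel configuration is parsed, so it does not cover the daemon exiting after the device exists. Given the concern about traffic going out unencrypted, a comment here or a line in the commit message stating that limitation would be useful.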
