On 10/29/24 11:15, Ilya Maximets wrote:
> There are cases where ipsec commands may fail to add new connections or
> remove the old ones.  Unfortunately, this means that those connections
> may actually never be added or removed, since ovs-monitor-ipsec will
> not re-visit them, unless something else changes.
> 
> Wake up the monitor periodically to check if something changed in the
> system or if some connections still need loading.
> 
> This addresses two main use cases:
> 
>   1. Connection failed to start for some reason and was not added
>      to pluto or properly started.  The logic will go over all the
>      desired, loaded and active connections and make sure that
>      any undesired connections are removed, non-loaded connections
>      are loaded and non-active connections are brought UP.
> 
>   2. If pluto re-starts it loads all the connections, but doesn't
>      bring them up, because we're using route (ondemand) activation
>      strategy.  This change in this commit will notice all the
>      loaded but not active connections and will bring them up.
>      This helps avoid packet drops on first packets until the
>      connection activates.
> 
> Choosing 15 seconds as an interval to wake up to give pluto some
> breathing room, i.e. a chance to activate the connections properly
>      before we start poking them.  And also if pluto is down, a 15-second
>      interval will create less spam in the logs.
> 
> StrongSwan doesn't need such logic, because it supports a single
> command 'ipsec update' that re-loads the config as a whole and
> figures out what configuration changes are needed.  But since we're
> starting all the connections separately with Libreswan, we have to
> keep track and reconcile manually.
> 
> Some more details of the logic are in the comments in the code.
> 
> Signed-off-by: Ilya Maximets <[email protected]>
> ---
>  ipsec/ovs-monitor-ipsec.in | 178 ++++++++++++++++++++++++-------------
>  1 file changed, 116 insertions(+), 62 deletions(-)
> 

CI fails on this patch and the next one.  I need to move the patch
"[PATCH 4/9] ipsec: libreswan: Fix regexp for connections waiting on child SA."
to the beginning of the set to avoid CI failures in the middle of it.

For v2, I'll also squash the following change to the reconciliation
patch to give pluto more time to actually activate connections:
  https://github.com/igsilya/ovs/commit/2015951811a25f7a302d0d1c0a6830c8d7e1eb64

Best regards, Ilya Maximets.
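The reconciliation described in the quoted commit message, as an added Python example that is not part of this thread or of Open vSwitch's ovs-monitor-ipsec. It models the three sets the message names (desired, loaded, active), computes the actions a periodic wake-up would issue, and shows the two cases the message lists: a connection whose 'up' command fails once and is retried on the next pass, and a pluto restart after which everything is loaded but nothing is active. The `PlutoStub` class, its method names, the action labels and the sample connection names are assumptions made for this example.

```python
"""Reconciliation of Libreswan connection state (added example, not OVS code)."""

from dataclasses import dataclass, field


@dataclass
class PlutoStub:
    """Constructed in-memory stand-in for the IKE daemon (assumption).  A real
    monitor would run the ipsec CLI and parse its status output instead."""
    loaded: set = field(default_factory=set)
    active: set = field(default_factory=set)
    # Connections whose next 'up' fails (simulates a transient failure such as
    # the peer not answering yet).  Each name is consumed once.
    flaky_up: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def delete(self, name):
        self.loaded.discard(name)
        self.active.discard(name)
        self.log.append(("delete", name))

    def add(self, name):
        self.loaded.add(name)
        self.log.append(("add", name))

    def up(self, name):
        self.log.append(("up", name))
        if name in self.flaky_up:
            self.flaky_up.discard(name)
            return False  # command failed; the monitor must retry later
        self.active.add(name)
        return True

    def restart(self):
        """Model a pluto restart: connections are re-loaded from config, but
        with route (ondemand) activation none of them is active afterwards."""
        self.active.clear()
        self.log.append(("restart", None))


def reconcile(desired, pluto):
    """One reconciliation pass.  Returns the actions taken, grouped by kind,
    so the caller can see what the pass decided to do."""
    desired = set(desired)
    actions = {"removed": [], "loaded": [], "up_ok": [], "up_failed": []}

    # 1. Anything pluto still has that is no longer desired is removed.
    for name in sorted(pluto.loaded - desired):
        pluto.delete(name)
        actions["removed"].append(name)

    # 2. Desired connections pluto does not have yet are loaded.
    for name in sorted(desired - pluto.loaded):
        pluto.add(name)
        actions["loaded"].append(name)

    # 3. Desired connections that are not active (the ones just loaded, the
    #    ones whose earlier 'up' failed, and all of them after a pluto
    #    restart) are brought UP.  A failure here is simply retried next pass.
    for name in sorted(desired - pluto.active):
        if pluto.up(name):
            actions["up_ok"].append(name)
        else:
            actions["up_failed"].append(name)
    return actions


def converged(desired, pluto):
    """True when the next wake-up would have nothing to do."""
    desired = set(desired)
    return pluto.loaded == desired and pluto.active == desired


def run_monitor(desired, pluto, passes):
    """Drive up to `passes` periodic wake-ups (the commit uses a 15 s interval;
    no sleeping is done here) and return the per-pass actions."""
    history = []
    for _ in range(passes):
        history.append(reconcile(desired, pluto))
        if converged(desired, pluto):
            break
    return history


if __name__ == "__main__":
    # Constructed scenario: "old" is stale, "b" is missing and its first
    # 'up' fails; then pluto restarts and both connections need bringing up.
    pluto = PlutoStub(loaded={"old", "a"}, active={"a"}, flaky_up={"b"})
    for i, acts in enumerate(run_monitor({"a", "b"}, pluto, passes=3), 1):
        print(f"pass {i}: {acts}")
    pluto.restart()
    print("after restart:", run_monitor({"a", "b"}, pluto, passes=3))
```

Each pass is idempotent against the daemon's current state rather than against what the monitor last did, which is what makes the periodic wake-up safe: a pass that finds nothing to do issues no commands, and a pass that runs after a failed command or a daemon restart picks up exactly the leftover work.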
