On 30 Oct 2024, at 14:50, Ilya Maximets wrote:

> There are cases where ipsec commands may fail to add new connections or
> remove the old ones.  Unfortunately, this means that those connections
> may actually never be added or removed, since ovs-monitor-ipsec will
> not re-visit them, unless something else changes.
>
> Wake up the monitor periodically to check if something changed in the
> system or if some connections still need loading.
>
> This addresses two main use cases:
>
>   1. Connection failed to start for some reason and was not added
>      to pluto or properly started.  The logic will go over all the
>      desired, loaded and active connections and make sure that
>      any undesired connections are removed, non-loaded connections
>      are loaded and non-active connections are brought UP.
>
>   2. If pluto re-starts it loads all the connections, but doesn't
>      bring them up, because we're using route (ondemand) activation
>      strategy.  This change in this commit will notice all the
>      loaded but not active connections and will bring them up.
>      This helps avoid packet drops on first packets until the
>      connection activates.
>
> Choosing 15 seconds as an interval to wake up to give pluto some
> breathing room, i.e. a chance to activate the connections properly
> before we start poking them.  And also if pluto is down, a 15-second
> interval will create less spam in the logs.
>
> StrongSwan doesn't need such logic, because it supports a single
> command 'ipsec update' that re-loads the config as a whole and
> figures out what configuration changes are needed.  But since we're
> starting all the connections separately with Libreswan, we have to
> keep track and reconcile manually.
>
> Some more details of the logic are in the comments in the code.
>
> Signed-off-by: Ilya Maximets <[email protected]>

This looks good to me.

Acked-by: Eelco Chaudron <[email protected]>
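The reconciliation pass the commit message describes, as an added illustration and not ovs-monitor-ipsec's own code: a constructed `FakePluto` stands in for Libreswan's control plane (commands that may fail), `reconcile` is the hypothetical per-wake-up pass over desired, loaded and active connections, and `run_monitor` is the periodic wake-up loop with the 15-second interval.

```python
import time


class FakePluto:
    """Constructed stand-in for pluto (not a real IKE daemon interface).
    A failed command leaves the connection in its previous state, which
    is exactly the case the periodic monitor has to recover from."""

    def __init__(self, fail_up_once=()):
        self.loaded, self.active = set(), set()
        self._fail_up_once = set(fail_up_once)  # connections whose first 'up' fails

    def add(self, name):
        self.loaded.add(name)

    def delete(self, name):
        self.loaded.discard(name)
        self.active.discard(name)

    def up(self, name):
        if name in self._fail_up_once:
            self._fail_up_once.discard(name)
            raise RuntimeError(f"ipsec up {name} failed")
        self.active.add(name)


def reconcile(desired, pluto):
    """One monitor wake-up: remove undesired connections, load the ones
    that are missing, and bring UP the loaded-but-inactive ones (e.g.
    after a pluto restart with route/ondemand activation). A failure is
    recorded and simply retried on the next wake-up."""
    actions = []
    for name in sorted(pluto.loaded - desired):      # undesired -> delete
        pluto.delete(name)
        actions.append(("delete", name))
    for name in sorted(desired - pluto.loaded):      # not loaded -> add
        pluto.add(name)
        actions.append(("add", name))
    for name in sorted(desired - pluto.active):      # not active -> up
        try:
            pluto.up(name)
            actions.append(("up", name))
        except RuntimeError:
            actions.append(("up-failed", name))      # retried next tick
    return actions


def run_monitor(desired_fn, pluto, ticks, interval=15, sleep=time.sleep):
    """Periodic wake-up loop; interval defaults to the 15 s chosen in the commit."""
    history = []
    for _ in range(ticks):
        history.append(reconcile(desired_fn(), pluto))
        sleep(interval)
    return history
```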
