[ovs-dev] [PATCH] netdev-vport: Warn on IPsec tunnels when ovs-monitor-ipsec not running.
Justin Pettit
jpettit at nicira.com
Sat Mar 12 06:13:00 UTC 2011
IPsec tunnels are only supported on Debian systems running
ovs-monitor-ipsec. Since that daemon configures IPsec, ovs-vswitchd
doesn't actually know whether IPsec will actually work. With this
commit, a warning is printed that it is unlikely to work unless that
daemon is started.
There is a more serious issue that IPsec traffic can pass unencrypted if
that daemon is not running. To fix that problem, changes to the kernel
module will need to occur. A future commit will address that issue, but
this earlier warning will be useful regardless.
Bug #4854
---
lib/netdev-vport.c | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c
index 97cc170..ac3caf8 100644
--- a/lib/netdev-vport.c
+++ b/lib/netdev-vport.c
@@ -23,9 +23,13 @@
#include <sys/socket.h>
#include <linux/rtnetlink.h>
#include <net/if.h>
+#include <signal.h>
#include <sys/ioctl.h>
+#include <sys/types.h>
#include "byte-order.h"
+#include "daemon.h"
+#include "dirs.h"
#include "dpif-linux.h"
#include "hash.h"
#include "hmap.h"
@@ -716,6 +720,15 @@ parse_tunnel_config(const char *name, const char *type,
}
if (is_ipsec) {
+ char *file_name = xasprintf("%s/%s", ovs_rundir(),
+ "ovs-monitor-ipsec.pid");
+ pid_t pid = read_pidfile(file_name);
+ free(file_name);
+ if (pid <0 || kill(pid, 0)) {
+ VLOG_WARN("%s: ovs-monitor-ipsec doesn't appear to be running, "
+ "traffic may not pass", name);
+ }
+
if (shash_find(args, "peer_cert") && shash_find(args, "psk")) {
VLOG_WARN("%s: cannot define both 'peer_cert' and 'psk'", name);
return EINVAL;
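Review bot: The liveness test `pid <0 || kill(pid, 0)` treats any kill() failure as "not running", but kill() also fails with EPERM when the process exists and the caller lacks permission to signal it, so a non-root ovs-vswitchd checking a root-owned ovs-monitor-ipsec would warn spuriously; consider `if (pid < 0 || (kill(pid, 0) < 0 && errno == ESRCH))` (adding `<errno.h>` if it is not already included), which also fixes the spacing in `pid <0`. Since parse_tunnel_config() runs on every reconfiguration, this warning can repeat on each pass; a rate-limited variant (VLOG_WARN_RL with a struct vlog_rate_limit) would keep the log readable, and the message might say explicitly that traffic will pass unencrypted rather than "may not pass", which is the risk the commit message itself describes.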
--
1.7.1