[ovs-dev] [PATCH 1/4] ovs-monitor-ipsec: Fix active connection regex

Mark Gray mark.d.gray at redhat.com
Wed Dec 16 12:04:32 UTC 2020


Connections are added to IPsec using a connection name
that is determined from the OVS port name and the tunnel
type.

GRE connections take the form:
  <iface>-<ver>
Other connections take the form:
  <iface>-in-<ver>
  <iface>-out-<ver>

The regex '|' operator parses strings left to right looking
for the first match that it can find. '.*' is also greedy. This
causes incorrect interface names to be parsed from active
connections as other tunnel types are parsed as type
GRE. This gives unexpected "is outdated" warnings and the
connection is torn down.

For example,

'ovn-424242-in-1' will produce an incorrect interface name of
'ovn-424242-in' instead of 'ovn-424242'.

There are a number of ways this could be resolved, including
a cleverer regular expression or re.findall(). However, this
approach was taken as it simplifies the code, easing maintainability.

Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
---
 ipsec/ovs-monitor-ipsec.in | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index b84608a55d8a..1793088d9be1 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -625,7 +625,10 @@ conn prevent_unencrypted_vxlan
                 continue
 
             conn = m.group(1)
-            m = re.match(r"(.*)(-in-\d+|-out-\d+|-\d+)", conn)
+            m = re.match(r"(.*)(-in-\d+|-out-\d+)", conn)
+            if not m:
+                # GRE connections have format <iface>-<ver>
+                m = re.match(r"(.*)(-\d+)", conn)
             if not m:
                 continue
 
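Review bot: Neither of the two new re.match() patterns is anchored at the end of the string, so the first one can match a prefix of conn and silently drop the rest. A GRE connection whose interface name itself contains "-in-<digits>" or "-out-<digits>", for example "gre-in-1-2" for interface "gre-in-1", matches the first pattern with group(1) == "gre" and never reaches the GRE fallback. That is the same class of wrong interface name the commit message describes. Adding "$" to both patterns, as in r"(.*)(-in-\d+|-out-\d+)$" and r"(.*)(-\d+)$", makes that case fall through to the GRE branch. Separately, a name such as "tun-in-1" stays ambiguous between a GRE interface "tun-in" and a non-GRE interface "tun", and no regex can resolve it from the connection name alone. A short comment next to the existing GRE comment stating that the -in-/-out- form takes precedence would document that choice.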
-- 
2.26.2


