From patchwork Wed Oct 30 13:50:33 2024
X-Patchwork-Submitter: Ilya Maximets
X-Patchwork-Id: 2004220
From: Ilya Maximets
To: ovs-dev@openvswitch.org
Cc: Ilya Maximets
Date: Wed, 30 Oct 2024 14:50:33 +0100
Message-ID: <20241030135043.3139987-5-i.maximets@ovn.org>
In-Reply-To: <20241030135043.3139987-1-i.maximets@ovn.org>
References: <20241030135043.3139987-1-i.maximets@ovn.org>
Subject: [ovs-dev] [PATCH v2 4/9] ipsec: libreswan: Try to bring non-active connections up.

Sometimes connections are getting loaded, but do not become active for some reason on a first try. We can try and bring them up manually. However, if they are still not active after that, it's better to just remove the connection and try to add them from scratch, as there must be some internal issue in libreswan that doesn't allow these connections to actually become active.

Note: Once the "defunct" connection is removed, the second connection for the same tunnel will also be removed as "half-loaded". This ensures that all the shared SAs will also be cleaned up, so we can truly start from scratch.
Signed-off-by: Ilya Maximets Acked-by: Eelco Chaudron Acked-by: Roi Dayan --- ipsec/ovs-monitor-ipsec.in | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in index 0ac6297bb..5d4b77bd2 100755 --- a/ipsec/ovs-monitor-ipsec.in +++ b/ipsec/ovs-monitor-ipsec.in @@ -516,6 +516,7 @@ conn prevent_unencrypted_vxlan self.IPSEC_D = "sql:" + libreswan_root_prefix + ipsec_d self.IPSEC_CTL = libreswan_root_prefix + ipsec_ctl self.conf_file = None + self.conns_not_active = set() self.last_refresh = time.time() self.secrets_file = None vlog.dbg("Using: " + self.IPSEC) @@ -641,6 +642,14 @@ conn prevent_unencrypted_vxlan loaded = set(loaded_conns.get(name, dict()).keys()) active = set(active_conns.get(name, dict()).keys()) + # Untrack connections that became active. + self.conns_not_active.difference_update(active) + # Remove connections that didn't become active after --start + # and another explicit --up. + for conn in self.conns_not_active & loaded: + self._delete_ipsec_connection(conn, "is defunct") + loaded.remove(conn) + # Remove all the loaded or active but not desired connections. for conn in loaded | active: if conn not in desired: @@ -671,6 +680,8 @@ conn prevent_unencrypted_vxlan # so loaded >= active for conn in loaded - active: vlog.info("Bringing up ipsec connection %s" % conn) + # On failure to --up it will be removed from the set. + self.conns_not_active.add(conn) self._start_ipsec_connection(conn, "up") # Update shunt policy if changed @@ -804,6 +815,7 @@ conn prevent_unencrypted_vxlan def _delete_ipsec_connection(self, conn, reason): vlog.info("%s %s, removing" % (conn, reason)) + self.conns_not_active.discard(conn) run_command(self.IPSEC_AUTO + ["--ctlsocket", self.IPSEC_CTL, "--config", self.IPSEC_CONF,
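Review bot: in the `@@ -641,6 +642,14 @@` hunk, entries in `self.conns_not_active` are only ever pruned by `difference_update(active)` and by the `discard()` in `_delete_ipsec_connection()`; a connection that disappears from both `loaded` and `active` without going through `_delete_ipsec_connection()` (libreswan restarted, connection removed outside the monitor) stays tracked, so when the same name is loaded again later it is removed as "is defunct" on the very first refresh, before it gets the `--up` attempt the commit message promises. Since the comment in the next hunk states `loaded >= active`, adding `self.conns_not_active &= loaded` right after the `difference_update(active)` keeps the set limited to connections the current refresh actually sees, without changing which connections the `& loaded` loop removes. Iterating over `self.conns_not_active & loaded` builds a fresh set, so the `discard()` inside `_delete_ipsec_connection()` and the `loaded.remove(conn)` in the loop body do not mutate the set being iterated; that part is fine.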
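Review bot: in the `@@ -671,6 +680,8 @@` hunk, the comment `# On failure to --up it will be removed from the set.` depends on `_start_ipsec_connection()` calling `_delete_ipsec_connection()` when `--up` fails, which is not visible in this hunk; state that dependency in the comment (for example `# _start_ipsec_connection() deletes, and so untracks, the connection if --up fails.`) so the lifecycle of `conns_not_active` can be followed from this spot. It is also worth spelling out, here or in the commit message, that a connection added to the set here is removed on the next refresh if it is still not active, so a tunnel that is slow to negotiate gets exactly one refresh interval after the explicit `--up` before it is torn down and recreated.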