From patchwork Fri Nov 1 01:23:05 2024
X-Patchwork-Submitter: Ilya Maximets
X-Patchwork-Id: 2004935
From: Ilya Maximets
To: ovs-dev@openvswitch.org
Date: Fri, 1 Nov 2024 02:23:05 +0100
Message-ID: <20241101012321.3346333-5-i.maximets@ovn.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20241101012321.3346333-1-i.maximets@ovn.org>
References: <20241101012321.3346333-1-i.maximets@ovn.org>
Subject: [ovs-dev] [PATCH v3 04/10] ipsec: libreswan: Try to bring non-active connections up.
Cc: Ilya Maximets

Sometimes connections are getting loaded, but do not become active for
some reason on a first try.  We can try and bring them up manually.
However, if they are still not active after that, it's better to just
remove the connection and try to add them from scratch, as there must
be some internal issue in libreswan that doesn't allow these connections
to actually become active.

Note: Once the "defunct" connection is removed, the second connection
for the same tunnel will also be removed as "half-loaded".  This ensures
that all the shared SAs will also be cleaned up, so we can truly start
from scratch.

Acked-by: Eelco Chaudron
Acked-by: Roi Dayan
Signed-off-by: Ilya Maximets --- ipsec/ovs-monitor-ipsec.in | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in index 152c30a13..20f6ccb20 100755 --- a/ipsec/ovs-monitor-ipsec.in +++ b/ipsec/ovs-monitor-ipsec.in @@ -516,6 +516,7 @@ conn prevent_unencrypted_vxlan self.IPSEC_D = "sql:" + libreswan_root_prefix + ipsec_d self.IPSEC_CTL = libreswan_root_prefix + ipsec_ctl self.conf_file = None + self.conns_not_active = set() self.last_refresh = time.time() self.secrets_file = None vlog.dbg("Using: " + self.IPSEC) @@ -641,6 +642,14 @@ conn prevent_unencrypted_vxlan loaded = set(loaded_conns.get(name, dict()).keys()) active = set(active_conns.get(name, dict()).keys()) + # Untrack connections that became active. + self.conns_not_active.difference_update(active) + # Remove connections that didn't become active after --start + # and another explicit --up. + for conn in self.conns_not_active & loaded: + self._delete_ipsec_connection(conn, "is defunct") + loaded.remove(conn) + # Remove all the loaded or active but not desired connections. for conn in loaded | active: if conn not in desired: @@ -671,6 +680,8 @@ conn prevent_unencrypted_vxlan # so loaded >= active for conn in loaded - active: vlog.info("Bringing up ipsec connection %s" % conn) + # On failure to --up it will be removed from the set. + self.conns_not_active.add(conn) self._start_ipsec_connection(conn, "up") # Update shunt policy if changed @@ -804,6 +815,7 @@ conn prevent_unencrypted_vxlan def _delete_ipsec_connection(self, conn, reason): vlog.info("%s %s, removing" % (conn, reason)) + self.conns_not_active.discard(conn) run_command(self.IPSEC_AUTO + ["--ctlsocket", self.IPSEC_CTL, "--config", self.IPSEC_CONF,
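Review bot: in the `@@ -516,6 +516,7 @@` hunk, `self.conns_not_active = set()` is introduced without a comment saying what membership means, and the later hunks use it with two slightly different readings ("we issued --up and have not seen it active since" and "candidate for deletion"). A one-line comment at the declaration, e.g. `# Connections we issued an explicit --up for that have not been seen active since.`, would let a reader understand the lifecycle without tracing the whole refresh loop.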
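Review bot: in the `@@ -641,6 +642,14 @@` hunk, the defunct path has no counter or backoff: once `_delete_ipsec_connection(conn, "is defunct")` runs and the connection is re-added from scratch (as the commit message says it will be), a libreswan that fails the same way every time produces an endless --start, --up, --delete cycle on every refresh, logged only at info level. Consider counting removals per connection and escalating to `vlog.warn` (or giving up) after a few cycles so a persistently broken connection is visible in the log instead of being buried in "Bringing up ipsec connection" lines. Separately, iterating over `self.conns_not_active & loaded` while `_delete_ipsec_connection` discards from `self.conns_not_active` is only safe because `&` returns a fresh set; a short comment there would stop someone later "simplifying" it into an in-place loop over the tracking set.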
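Review bot: in the `@@ -671,6 +680,8 @@` hunk, the comment "On failure to --up it will be removed from the set." describes behaviour that is not in this patch: it holds only if `_start_ipsec_connection` calls `_delete_ipsec_connection` when `--up` fails, and `_start_ipsec_connection` is not touched here. Either spell out that dependency in the comment (e.g. `# _start_ipsec_connection deletes, and thus untracks, the connection if --up fails.`) or hand the tracking to `_start_ipsec_connection` for the "up" action so the add and the matching discard live next to the failure handling rather than in two different functions.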
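Review bot: in the `@@ -804,6 +815,7 @@` hunk, `self.conns_not_active.discard(conn)` runs before the `ipsec auto --delete` command is issued, so the tracking entry is dropped even if the delete fails and the connection stays loaded but inactive. That is tolerable, since the next refresh will pick it up again through `loaded - active` and retry `--up`, but a failed delete then costs one extra --up/--delete round; a brief comment stating that this is intended (or moving the discard after the command if `run_command` reports failure) would document the choice.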