+
+/* Returns true if 'nd_args' is equivalent to 'args', otherwise false.
+ * Typically, 'nd_args' is the result of a call to unparse_tunnel_config()
+ * and 'args' is the original definition of the port.
+ *
+ * IPsec key configuration is handled by an external program, so it is not
+ * pushed down into the kernel module. Thus, when the "unparse_config"
+ * method is called on an existing IPsec-based vport, a simple
+ * comparison with the returned data will not match the original
+ * configuration. This function ignores configuration about keys when
+ * doing a comparison.
+ */
+static bool
+config_equal_ipsec(const struct shash *nd_args, const struct shash *args)
+{
+ struct shash tmp1, tmp2;
+ bool result;
+
+ smap_clone(&tmp1, nd_args);
+ smap_clone(&tmp2, args);
+
+ shash_find_and_delete(&tmp1, "psk");
+ shash_find_and_delete(&tmp2, "psk");
+ shash_find_and_delete(&tmp1, "peer_cert");
+ shash_find_and_delete(&tmp2, "peer_cert");
+ shash_find_and_delete(&tmp1, "certificate");
+ shash_find_and_delete(&tmp2, "certificate");
+ shash_find_and_delete(&tmp1, "private_key");
+ shash_find_and_delete(&tmp2, "private_key");
+ shash_find_and_delete(&tmp1, "use_ssl_cert");
+ shash_find_and_delete(&tmp2, "use_ssl_cert");
+
+ result = smap_equal(&tmp1, &tmp2);
+ smap_destroy(&tmp1);
+ smap_destroy(&tmp2);
+
+ return result;
+}
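Review bot: Each `shash_find_and_delete()` call in `config_equal_ipsec()` discards its return value, which looks like a memory leak on every comparison. That assumes the helper hands back the removed entry's data instead of freeing it, and that `smap_clone()` gives `tmp1`/`tmp2` their own heap-allocated value strings; neither helper is visible here, so please confirm. If so, release the value at each call, e.g. `free(shash_find_and_delete(&tmp1, "psk"));`, which is also safe when the key is absent and the helper returns NULL. Separately, since `psk`, `peer_cert`, `certificate`, `private_key` and `use_ssl_cert` are dropped before `smap_equal()`, a change that touches only key material is reported as "equal". The header comment should state that callers must not use this result to decide whether key or certificate changes have been applied, e.g. `/* NOTE: a key-only change compares equal; key updates are applied solely by the external IPsec program. */`.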