From 3831d6f4ce1b0023702ad5e4bf75a455d57dc187 Mon Sep 17 00:00:00 2001
From: Justin Pettit
Date: Mon, 9 Jan 2012 18:46:23 -0800
Subject: [PATCH] ovs-monitor-ipsec: Don't reconfigure cert-based authentication as often.

ovs-monitor-ipsec wakes up when the Interface table is modified. To prevent needless reconfiguration, it maintains a dictionary of the currently implemented configuration and compares it to any new changes. Unfortunately, for certificate-based authentication we create a new "peer_cert_file" key in our local dictionary, which always causes the comparison to fail. This forces expensive renegotiation for any change in the Interface tables. This commit uses set difference to detect changes from the previous configuration as opposed to a straight simple comparison.
Bug #9103
Signed-off-by: Justin Pettit
---
 debian/ovs-monitor-ipsec | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index ac2cd7e1..97070826 100755
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -399,11 +399,13 @@ def update_ipsec(ipsec, interfaces, new_interfaces):
 orig_vals = interfaces.get(name)
 if orig_vals:
 # Configuration for this host already exists. Check if it's
- # changed.
- if vals == orig_vals:
- continue
- else:
+ # changed. We use set difference, since we want to ignore
+ # any local additions to "orig_vals" that we've made
+ # (e.g. the "peer_cert_file" key).
+ if set(vals.items()) - set(orig_vals.items()):
 ipsec.del_entry(vals["local_ip"], vals["remote_ip"])
+ else:
+ continue

 try:
 ipsec.add_entry(vals["local_ip"], vals["remote_ip"], vals)
--
2.30.2
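Review bot: The check `if set(vals.items()) - set(orig_vals.items()):` is one-directional, so an option that was removed from the new configuration never registers as a change and the loop reaches `continue` with the old IPsec entry still installed. For a tunnel's authentication options, this means that dropping a setting from the Interface row can leave the previous credentials or peer certificate in effect until some other key changes. If the locally added keys are limited to "peer_cert_file" (the only one the comment names), it is safer to strip that key and compare exactly: `known = dict((k, v) for k, v in orig_vals.items() if k != "peer_cert_file")` followed by `if vals != known:`. Building sets of items also assumes every option value is hashable, which the hunk does not show. The enclosing loop and the `try` block of update_ipsec continue outside the hunk.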