From 5059eff3bdd5a8ddd5b9d0559b3d36f2b2ad2a7a Mon Sep 17 00:00:00 2001
From: Justin Pettit
Date: Fri, 11 Mar 2011 15:18:30 -0800
Subject: [PATCH] netdev-vport: Warn on IPsec tunnels when ovs-monitor-ipsec not running.

IPsec tunnels are only supported on Debian systems running ovs-monitor-ipsec. Since that daemon configures IPsec, ovs-vswitchd doesn't know whether IPsec will actually work. With this commit, a warning is printed that it is unlikely to work unless that daemon is started. There is a more serious issue that IPsec traffic can pass unencrypted if that daemon is not running. To fix that problem, changes to the kernel module will need to occur. A future commit will address that issue, but this earlier warning will be useful regardless.

Bug #4854
---
 lib/netdev-vport.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c
index 97cc170a..875bf71c 100644
--- a/lib/netdev-vport.c
+++ b/lib/netdev-vport.c
@@ -26,6 +26,8 @@
 #include
 
 #include "byte-order.h"
+#include "daemon.h"
+#include "dirs.h"
 #include "dpif-linux.h"
 #include "hash.h"
 #include "hmap.h"
@@ -716,6 +718,14 @@ parse_tunnel_config(const char *name, const char *type,
     }
 
     if (is_ipsec) {
+        char *file_name = xasprintf("%s/%s", ovs_rundir(),
+                                    "ovs-monitor-ipsec.pid");
+        if (read_pidfile(file_name) < 0) {
+            VLOG_WARN("%s: ovs-monitor-ipsec doesn't appear to be running, "
+                      "traffic may not pass", name);
+        }
+        free(file_name);
+
         if (shash_find(args, "peer_cert") && shash_find(args, "psk")) {
             VLOG_WARN("%s: cannot define both 'peer_cert' and 'psk'", name);
             return EINVAL;
-- 
2.30.2
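Review bot: The added VLOG_WARN in the second hunk understates the risk the commit message itself describes: the description says IPsec traffic can pass unencrypted when ovs-monitor-ipsec is not running, but the log line only says "traffic may not pass", so an operator reading the log would not realize the tunnel may be carrying cleartext; consider `"traffic may pass unencrypted or not at all", name);` for the second string fragment. The check also runs only when the tunnel configuration is parsed, so a daemon that exits afterwards goes unnoticed here, which the description defers to a later kernel-side change; a one-line comment above the xasprintf() noting that this is a configuration-time check, not an enforcement, would make that explicit. The `< 0` test assumes read_pidfile() returns a negative value when the pidfile is missing or not held by a live process; worth confirming against its declaration in daemon.h. parse_tunnel_config() begins and ends outside the hunk.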