[{"id":3404477,"web_url":"http://patchwork.ozlabs.org/comment/3404477/","msgid":"<1beab98e-ccc2-485c-98ba-66db2bc4faef@ovn.org>","list_archive_url":null,"date":"2024-10-29T12:54:06","subject":"Re: [ovs-dev] [PATCH 2/9] ipsec: libreswan: Reconcile missing\n connections periodically.","submitter":{"id":76798,"url":"http://patchwork.ozlabs.org/api/people/76798/","name":"Ilya Maximets","email":"i.maximets@ovn.org"},"content":"On 10/29/24 11:15, Ilya Maximets wrote:\n> There are cases where ipsec commands may fail to add new connections or\n> remove the old ones.  Unfortunately, this means that those connections\n> may actually never be added or removed, since ovs-monitor-ipsec will\n> not re-visit them, unless something else changes.\n> \n> Wake up the monitor periodically to check if something changed in the\n> system or if some connections still need loading.\n> \n> This addresses two main use cases:\n> \n>   1. Connection failed to start for some reason and was not added\n>      to pluto or properly started.  The logic will go over all the\n>      desired, loaded and active connections and make sure that\n>      any undesired connections are removed, non-loaded connections\n>      are loaded and non-active connections are brought UP.\n> \n>   2. If pluto re-starts it loads all the connections, but doesn't\n>      bring them up, because we're using route (ondemand) activation\n>      strategy.  This change in this commit will notice all the\n>      loaded but not active connections and will bring them up.\n>      This helps avoiding packet drops on first packets until the\n>      connection activates.\n> \n> Choosing 15 seconds as an interval to wake up to give pluto some\n> breathing room, i.e. a chance to activate the connections properly\n> before we start poking them.  
And also if pluto is down, 15 second\n> interval will create less spam in the logs.\n> \n> StrongSwan doesn't need such a logic, because it supports a single\n> command 'ipsec update' that re-loads the config as a whole and\n> figures out what configuration changes are needed.  But since we're\n> starting all the connections separately with Libreswan, we have to\n> keep track and reconcile manually.\n> \n> Some more details of the logic are in the comments in the code.\n> \n> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>\n> ---\n>  ipsec/ovs-monitor-ipsec.in | 178 ++++++++++++++++++++++++-------------\n>  1 file changed, 116 insertions(+), 62 deletions(-)\n> \n\nCI fails on this patch and the next one.  I need to move the patch\n\"[PATCH 4/9] ipsec: libreswan: Fix regexp for connections waiting on child SA.\"\nto the beginning of the set to avoid CI failures in the middle of it.\n\nFor v2, I'll also squash the following change to the reconciliation\npatch to give pluto more time to actually activate connections:\n  https://github.com/igsilya/ovs/commit/2015951811a25f7a302d0d1c0a6830c8d7e1eb64\n\nBest regards, Ilya Maximets.","headers":{"Return-Path":"<ovs-dev-bounces@openvswitch.org>","X-Original-To":["incoming@patchwork.ozlabs.org","ovs-dev@openvswitch.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","ovs-dev@lists.linuxfoundation.org"],"Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=140.211.166.133; helo=smtp2.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)","smtp4.osuosl.org;\n dmarc=none (p=none dis=none) header.from=ovn.org"],"Received":["from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS 
id 4Xd9F40S1Xz1xwF\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 29 Oct 2024 23:54:15 +1100 (AEDT)","from localhost (localhost [127.0.0.1])\n\tby smtp2.osuosl.org (Postfix) with ESMTP id E6A0240A35;\n\tTue, 29 Oct 2024 12:54:13 +0000 (UTC)","from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id hXpRxM5a2Iiz; Tue, 29 Oct 2024 12:54:12 +0000 (UTC)","from lists.linuxfoundation.org (lf-lists.osuosl.org\n [IPv6:2605:bc80:3010:104::8cd3:938])\n\tby smtp2.osuosl.org (Postfix) with ESMTPS id 5EADE405D6;\n\tTue, 29 Oct 2024 12:54:12 +0000 (UTC)","from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id 33418C08A6;\n\tTue, 29 Oct 2024 12:54:12 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists.linuxfoundation.org (Postfix) with ESMTP id EC1C4C08A3\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 12:54:10 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id E53404061A\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 12:54:10 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 7DB9m9W0lohT for <ovs-dev@openvswitch.org>;\n Tue, 29 Oct 2024 12:54:09 +0000 (UTC)","from mail-wr1-f66.google.com (mail-wr1-f66.google.com\n [209.85.221.66])\n by smtp4.osuosl.org (Postfix) with ESMTPS id 8775540635\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 12:54:09 +0000 (UTC)","by mail-wr1-f66.google.com with SMTP id\n ffacd0b85a97d-37d4c482844so3650322f8f.0\n for <ovs-dev@openvswitch.org>; Tue, 29 Oct 2024 05:54:09 -0700 (PDT)","from [192.168.0.13] (ip-86-49-44-151.bb.vodafone.cz. 
[86.49.44.151])\n by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-38058b13309sm12469359f8f.3.2024.10.29.05.54.06\n (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\n Tue, 29 Oct 2024 05:54:06 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections -\n client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp2.osuosl.org 5EADE405D6","OpenDKIM Filter v2.11.0 smtp4.osuosl.org 8775540635"],"Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=209.85.221.66;\n helo=mail-wr1-f66.google.com; envelope-from=i.maximets.ovn@gmail.com;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org 8775540635","X-Received":"by 2002:a5d:6943:0:b0:37d:4e74:68a with SMTP id\n ffacd0b85a97d-380611e0f5bmr8524507f8f.46.1730206447285;\n Tue, 29 Oct 2024 05:54:07 -0700 
(PDT)","Message-ID":"<1beab98e-ccc2-485c-98ba-66db2bc4faef@ovn.org>","Date":"Tue, 29 Oct 2024 13:54:06 +0100","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","To":"ovs-dev@openvswitch.org","References":"<20241029101608.2991596-1-i.maximets@ovn.org>\n <20241029101608.2991596-3-i.maximets@ovn.org>","Content-Language":"en-US","From":"Ilya Maximets <i.maximets@ovn.org>","In-Reply-To":"<20241029101608.2991596-3-i.maximets@ovn.org>","Subject":"Re: [ovs-dev] [PATCH 2/9] ipsec: libreswan: Reconcile missing\n connections 
periodically.","X-BeenThere":"ovs-dev@openvswitch.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"<ovs-dev.openvswitch.org>","List-Unsubscribe":"<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>","List-Archive":"<http://mail.openvswitch.org/pipermail/ovs-dev/>","List-Post":"<mailto:ovs-dev@openvswitch.org>","List-Help":"<mailto:ovs-dev-request@openvswitch.org?subject=help>","List-Subscribe":"<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>","Cc":"i.maximets@ovn.org","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"ovs-dev-bounces@openvswitch.org","Sender":"\"dev\" <ovs-dev-bounces@openvswitch.org>"}}]