Dear OVS maintainers,

While rolling out IPsec tunnels on our OVN network, we saw the curious
behaviour of `ovs-monitor-ipsec` refreshing all tunnels whenever a
change in the overlay network came in.

Specifically, in our case it was because we were running `chassis-del`
commands on the southbound database, which triggered a refresh in
`ovs-monitor-ipsec` on all nodes. Due to the bug, it caused all IPsec
tunnels to flip/flop, resulting in a few minutes of no connectivity.

We traced the bug back to a regex in `ovs-monitor-ipsec`, in the
`get_active_conns` function.

The output of `ipsec status` in our case gives lines like:

[...]
ovn-sil-be-0-in-1{14988}
[...]

The problem is that the regex matches the full tunnel name (including the
`-in|-out`), which doesn't match the interface names in OVN.

I have attached a patch file; however, I am not confident because the
existing regex seems to suggest the possibility that the `-in|-out`
suffix is optional, which my patched version doesn't account for.
Still, it seemed fruitful to notify you of this.

With kind regards,
Sebastiaan.

--- /usr/share/openvswitch/scripts/ovs-monitor-ipsec 2022-10-03 10:59:27.000000000 +0000
+++ ovs-monitor-ipsec-fixed 2023-01-25 08:37:36.604034429 +0000
@@ -260,7 +260,7 @@
tunnel_name = line.split(":")
if len(tunnel_name) < 2:
continue
- m = re.match(r"(.*)(-in-\d+|-out-\d+|-\d+).*", tunnel_name[0])
+ m = re.match(r"(.*)(?:-in-|-out-)(\d+).*", tunnel_name[0])
if not m:
continue
ifname = m.group(1)
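Review bot: The replacement pattern on the `+` line drops the bare `-\d+` alternative, so a connection name that carries no `-in-`/`-out-` direction now fails the match and is silently skipped by the `if not m: continue` that follows; either keep that form or state in the change description that it no longer occurs. The defect in the `-` line is that the greedy `(.*)` lets the `-\d+` alternative win on the final `-1`, which leaves `-in` inside `m.group(1)`, so a narrower change is to keep all three alternatives and require the suffix to run up to the `{` that follows it in the reported `ipsec status` line (or to the end of the name). Group 2 also changes meaning from the whole suffix to the digits only; only `m.group(1)` is read in the visible lines, so confirm nothing further down uses `m.group(2)`.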
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
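
The regex behaviour described in the message, reproduced as an added example (not part of the original post and not OVS code). It assumes the OVN interfaces are named `ovn-sil-be-0` and `ovn-sil-be-1`; the `ANCHORED` pattern, the helper names, the dictionary grouping and every sample line except the first connection name are assumptions made for illustration.

```python
import re

# The two patterns quoted in the patch above.
ORIGINAL = r"(.*)(-in-\d+|-out-\d+|-\d+).*"
PATCHED = r"(.*)(?:-in-|-out-)(\d+).*"
# Assumption (not from the page or from OVS): lazy prefix, and the suffix
# must run up to the "{id}"/"[id]" marker or the end of the name.
ANCHORED = r"(.*?)(-in-\d+|-out-\d+|-\d+)(?:[{\[].*)?$"

# Constructed sample: the first name is from the message; the other names
# and the text after ":" are made up for illustration.
STATUS_LINES = [
    "ovn-sil-be-0-in-1{14988}:  INSTALLED",
    "ovn-sil-be-0-out-1{14989}:  INSTALLED",
    "ovn-sil-be-1-1{14990}:  INSTALLED",
    "no colon on this line",
]


def ifname(pattern, conn_name):
    """Interface name the pattern derives, or None when the line is skipped."""
    m = re.match(pattern, conn_name)
    return m.group(1) if m else None


def active_ifnames(pattern, status_lines):
    """Group connection names by derived interface name (grouping is assumed)."""
    conns = {}
    for line in status_lines:
        tunnel_name = line.split(":")
        if len(tunnel_name) < 2:
            continue
        name = ifname(pattern, tunnel_name[0])
        if name is None:
            continue
        conns.setdefault(name, []).append(tunnel_name[0])
    return conns


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL), ("patched", PATCHED),
                       ("anchored", ANCHORED)):
        print(f"{label:9}", sorted(active_ifnames(pat, STATUS_LINES)))
```

With the original pattern the directional connections map to interface names that still end in `-in` and `-out`; the patched pattern fixes those but returns nothing for the name without a direction.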