diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in index 2b602c75f..37c509ac6 100755 --- a/ipsec/ovs-monitor-ipsec.in +++ b/ipsec/ovs-monitor-ipsec.in @@ -459,6 +459,7 @@ conn prevent_unencrypted_vxlan def __init__(self, libreswan_root_prefix, args): # Collect version infromation self.IPSEC = libreswan_root_prefix + "/usr/sbin/ipsec" + self.IPSEC_AUTO = [self.IPSEC] proc = subprocess.Popen([self.IPSEC, "--version"], stdout=subprocess.PIPE, encoding="latin1") @@ -470,6 +471,11 @@ conn prevent_unencrypted_vxlan except: version = 0 + if version < 5: + # With v5, LibreSWAN removed the auto command, however, it is + # still required for older versions + self.IPSEC_AUTO.append("auto") + if version >= 4: ipsec_d = args.ipsec_d if args.ipsec_d else "/var/lib/ipsec/nss" else: @@ -593,7 +599,7 @@ conn prevent_unencrypted_vxlan def refresh(self, monitor): vlog.info("Refreshing LibreSwan configuration") - subprocess.call([self.IPSEC, "auto", "--ctlsocket", self.IPSEC_CTL, + subprocess.call(self.IPSEC_AUTO + ["--ctlsocket", self.IPSEC_CTL, "--config", self.IPSEC_CONF, "--rereadsecrets"]) tunnels = set(monitor.tunnels.keys()) @@ -621,7 +627,7 @@ conn prevent_unencrypted_vxlan if not tunnel or tunnel.version != ver: vlog.info("%s is outdated %u" % (conn, ver)) - subprocess.call([self.IPSEC, "auto", "--ctlsocket", + subprocess.call(self.IPSEC_AUTO + ["--ctlsocket", self.IPSEC_CTL, "--config", self.IPSEC_CONF, "--delete", conn]) elif ifname in tunnels: 
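Review bot: In the `@@ -470` hunk the new `if version < 5:` branch also fires when version detection failed, because the bare `except:` just above it leaves `version = 0`; an unparsed v5+ build would therefore still get `auto` appended and every later `ipsec auto …` invocation would fail. Since the `subprocess.call` results in the `refresh` hunks (`@@ -593`, `@@ -621`) are not checked, the monitor would then silently load neither the tunnel connections nor the `prevent_unencrypted_*` shunt policies, with no log line pointing at the cause. Suggest logging the outcome of detection in `__init__`, e.g. `vlog.warn("Could not parse LibreSwan version, assuming pre-5 'ipsec auto' syntax")` when `version == 0`, and making the fallback explicit in the comment: `# Unparseable versions are reported as 0 and take the legacy "auto" path`. `__init__` continues past the hunk, so the version parsing itself is only partly visible here.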
@@ -643,44 +649,44 @@ conn prevent_unencrypted_vxlan # Update shunt policy if changed if monitor.conf_in_use["skb_mark"] != monitor.conf["skb_mark"]: if monitor.conf["skb_mark"]: - subprocess.call([self.IPSEC, "auto", - "--config", self.IPSEC_CONF, + subprocess.call(self.IPSEC_AUTO + + ["--config", self.IPSEC_CONF, "--ctlsocket", self.IPSEC_CTL, "--add", "--asynchronous", "prevent_unencrypted_gre"]) - subprocess.call([self.IPSEC, "auto", - "--config", self.IPSEC_CONF, + subprocess.call(self.IPSEC_AUTO + + ["--config", self.IPSEC_CONF, "--ctlsocket", self.IPSEC_CTL, "--add", "--asynchronous", "prevent_unencrypted_geneve"]) - subprocess.call([self.IPSEC, "auto", - "--config", self.IPSEC_CONF, + subprocess.call(self.IPSEC_AUTO + + ["--config", self.IPSEC_CONF, "--ctlsocket", self.IPSEC_CTL, "--add", "--asynchronous", "prevent_unencrypted_stt"]) - subprocess.call([self.IPSEC, "auto", - "--config", self.IPSEC_CONF, + subprocess.call(self.IPSEC_AUTO + + ["--config", self.IPSEC_CONF, "--ctlsocket", self.IPSEC_CTL, "--add", "--asynchronous", "prevent_unencrypted_vxlan"]) else: - subprocess.call([self.IPSEC, "auto", - "--config", self.IPSEC_CONF, + subprocess.call(self.IPSEC_AUTO + + ["--config", self.IPSEC_CONF, "--ctlsocket", self.IPSEC_CTL, "--delete", "--asynchronous", "prevent_unencrypted_gre"]) - subprocess.call([self.IPSEC, "auto", - "--config", self.IPSEC_CONF, + subprocess.call(self.IPSEC_AUTO + + ["--config", self.IPSEC_CONF, "--ctlsocket", self.IPSEC_CTL, "--delete", "--asynchronous", "prevent_unencrypted_geneve"]) - subprocess.call([self.IPSEC, "auto", - "--config", self.IPSEC_CONF, + subprocess.call(self.IPSEC_AUTO + + ["--config", self.IPSEC_CONF, "--ctlsocket", self.IPSEC_CTL, "--delete", "--asynchronous", "prevent_unencrypted_stt"]) - subprocess.call([self.IPSEC, "auto", - "--config", self.IPSEC_CONF, + subprocess.call(self.IPSEC_AUTO + + ["--config", self.IPSEC_CONF, "--ctlsocket", self.IPSEC_CTL, "--delete", "--asynchronous", "prevent_unencrypted_vxlan"]) 
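Review bot: All eight `subprocess.call` invocations in this hunk were rewritten and still differ only in `--add`/`--delete` and the connection suffix (`gre`, `geneve`, `stt`, `vxlan`), so the edit is a natural point to collapse them into one loop; that keeps the `self.IPSEC_AUTO` prefix and argument order in a single place instead of eight, which is where future version-specific tweaks would otherwise have to be repeated. The order of the calls and every argument stay the same in the version below. The enclosing method starts before the hunk and continues after it, so the indentation is inferred from the hunk.
```python
        # Update shunt policy if changed
        if monitor.conf_in_use["skb_mark"] != monitor.conf["skb_mark"]:
            action = "--add" if monitor.conf["skb_mark"] else "--delete"
            for encap in ("gre", "geneve", "stt", "vxlan"):
                subprocess.call(self.IPSEC_AUTO +
                                ["--config", self.IPSEC_CONF,
                                 "--ctlsocket", self.IPSEC_CTL,
                                 action, "--asynchronous",
                                 "prevent_unencrypted_" + encap])
```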
@@ -726,8 +732,8 @@ conn prevent_unencrypted_vxlan # the "ipsec auto --start" command is lost. Just retry to make sure # the command is received by LibreSwan. while True: - proc = subprocess.Popen([self.IPSEC, "auto", - "--config", self.IPSEC_CONF, + proc = subprocess.Popen(self.IPSEC_AUTO + + ["--config", self.IPSEC_CONF, "--ctlsocket", self.IPSEC_CTL, "--start", "--asynchronous", conn], diff --git a/tests/system-ipsec.at b/tests/system-ipsec.at index d3d27133b..1e155fece 100644 --- a/tests/system-ipsec.at +++ b/tests/system-ipsec.at @@ -110,16 +110,16 @@ m4_define([CHECK_LIBRESWAN], dnl IPSEC_STATUS_LOADED([]) dnl dnl Get number of loaded connections from ipsec status -m4_define([IPSEC_STATUS_LOADED], [ipsec status --rundir $ovs_base/$1 | \ +m4_define([IPSEC_STATUS_LOADED], [ipsec --rundir $ovs_base/$1 status | \ grep "Total IPsec connections" | \ - sed 's/[[0-9]]* Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\1/m']) + sed 's/[[0-9]]* *Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\1/m']) dnl IPSEC_STATUS_ACTIVE([]) dnl dnl Get number of active connections from ipsec status -m4_define([IPSEC_STATUS_ACTIVE], [ipsec status --rundir $ovs_base/$1 | \ +m4_define([IPSEC_STATUS_ACTIVE], [ipsec --rundir $ovs_base/$1 status | \ grep "Total IPsec connections" | \ - sed 's/[[0-9]]* Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\2/m']) + sed 's/[[0-9]]* *Total IPsec connections: loaded \([[0-2]]\), active \([[0-2]]\).*/\2/m']) dnl CHECK_ESP_TRAFFIC() dnl
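Review bot: The context comment above the retry loop still names the retried command `ipsec auto --start`, which after this change is only accurate for versions below 5; on v5 the command issued through `self.IPSEC_AUTO` is `ipsec --start`. Suggest rewording it to `# the "ipsec [auto] --start" command is lost. Just retry to make sure` or mentioning both forms so the comment matches the list built in `__init__`. The surrounding function starts before the hunk and continues after it.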
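Review bot: Moving `--rundir` in front of `status` in `IPSEC_STATUS_LOADED` and `IPSEC_STATUS_ACTIVE` commits the test macros to a single argument order, whereas the daemon side keeps both pre-5 and 5+ releases working via `self.IPSEC_AUTO`; if an older `ipsec` wrapper does not accept global options before the subcommand, these checks would stop passing on exactly the versions the monitor still supports. Worth confirming against the oldest LibreSwan release the suite is run with, and recording it in the macro comment, e.g. `dnl Get number of loaded connections from ipsec status (argument order verified on v4 and v5)`. The widened `[[0-9]]* *Total` pattern looks fine for both output layouts.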