netdev.vger.kernel.org archive mirror
* patch2: del/get byid
@ 2005-04-28  2:11 jamal
  2005-04-28  2:14 ` Herbert Xu
  0 siblings, 1 reply; 19+ messages in thread
From: jamal @ 2005-04-28  2:11 UTC (permalink / raw)
  To: Herbert Xu; +Cc: David S. Miller, netdev

[-- Attachment #1: Type: text/plain, Size: 149 bytes --]


This is definitely a bug. It doesn't seem like get/del by index worked.
For some reason I thought I tested this before and it worked.

cheers,
jamal

[-- Attachment #2: polid_p3 --]
[-- Type: text/plain, Size: 400 bytes --]

--- a/net/xfrm/xfrm_policy.c	2005/04/27 15:35:50	1.2
+++ b/net/xfrm/xfrm_policy.c	2005/04/27 20:23:07
@@ -417,7 +417,7 @@
 	struct xfrm_policy *pol, **p;
 
 	write_lock_bh(&xfrm_policy_lock);
-	for (p = &xfrm_policy_list[id & 7]; (pol=*p)!=NULL; p = &pol->next) {
+	for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL; p = &pol->next) {
 		if (pol->index == id) {
 			xfrm_pol_hold(pol);
 			if (delete)
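
Review bot: In the changed loop head, xfrm_policy_list is now indexed by dir where it used to be indexed by id & 7, and the mask was what kept the subscript within 0..7; nothing in this hunk bounds dir. Please confirm every caller validates dir before it gets here, or add the range check at the top of the function before write_lock_bh(). The description should also say which lookup fails today (an index whose low three bits differ from the direction), since that is not evident from the one-line change.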


* Re: patch2: del/get byid
  2005-04-28  2:11 patch2: del/get byid jamal
@ 2005-04-28  2:14 ` Herbert Xu
  2005-04-28  2:23   ` jamal
  0 siblings, 1 reply; 19+ messages in thread
From: Herbert Xu @ 2005-04-28  2:14 UTC (permalink / raw)
  To: jamal; +Cc: David S. Miller, netdev

On Wed, Apr 27, 2005 at 10:11:24PM -0400, jamal wrote:
> 
> This is definitely a bug. It doesn't seem like get/del by index worked.
> For some reason I thought I tested this before and it worked.

Why is this a bug? Have you checked xfrm_gen_index?

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: patch2: del/get byid
  2005-04-28  2:14 ` Herbert Xu
@ 2005-04-28  2:23   ` jamal
  2005-04-28  2:25     ` Herbert Xu
  0 siblings, 1 reply; 19+ messages in thread
From: jamal @ 2005-04-28  2:23 UTC (permalink / raw)
  To: Herbert Xu; +Cc: David S. Miller, netdev

On Thu, 2005-28-04 at 12:14 +1000, Herbert Xu wrote:
> On Wed, Apr 27, 2005 at 10:11:24PM -0400, jamal wrote:
> > 
> > This is definitely a bug. It doesn't seem like get/del by index worked.
> > For some reason I thought I tested this before and it worked.
> 
> Why is this a bug? 

Well, I think it is a bug that indices are being ignored by the kernel.
To demonstrate:
Add a rule with index 100;
now try to delete or get by index.

> Have you checked xfrm_gen_index?

I think that should be fine to use if the kernel specifies the index.

cheers,
jamal


* Re: patch2: del/get byid
  2005-04-28  2:23   ` jamal
@ 2005-04-28  2:25     ` Herbert Xu
  2005-04-28  2:39       ` jamal
  0 siblings, 1 reply; 19+ messages in thread
From: Herbert Xu @ 2005-04-28  2:25 UTC (permalink / raw)
  To: jamal; +Cc: David S. Miller, netdev

On Wed, Apr 27, 2005 at 10:23:34PM -0400, jamal wrote:
> 
> Well, I think it is a bug that indices are being ignored by the kernel.
> To demonstrate:
> Add a rule with index 100;
> now try to delete or get by index.

But your patch has nothing to do with this.  You were changing
id & 7 to dir.  Because the lower bits of index are set from the
direction, this is a no-op.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: patch2: del/get byid
  2005-04-28  2:25     ` Herbert Xu
@ 2005-04-28  2:39       ` jamal
  2005-04-28  2:42         ` Herbert Xu
  0 siblings, 1 reply; 19+ messages in thread
From: jamal @ 2005-04-28  2:39 UTC (permalink / raw)
  To: Herbert Xu; +Cc: David S. Miller, netdev

On Thu, 2005-28-04 at 12:25 +1000, Herbert Xu wrote:
> On Wed, Apr 27, 2005 at 10:23:34PM -0400, jamal wrote:
> > 
> > Well, I think it is a bug that indices are being ignored by the kernel.
> > To demonstrate:
> > Add a rule with index 100;
> > now try to delete or get by index.
> 
> But your patch has nothing to do with this.  You were changing
> id & 7 to dir.  Because the lower bits of index are set from the
> direction, this is a no-op.

The patch allows walking all policies in the direction until a match to
the index is found.
It removes the assumption that there's a formula to compute indices
(which is fine if used by the kernel when I specify no index).

------------
jdev10:~# ip x policy add dir in index 102 priority 10 src 11.0.0.10 dst 11.0.0.2

jdev10:~# ip x p get dir in index 102
src 11.0.0.10/32 dst 11.0.0.2/32
        dir in priority 10
jdev10:~# ip -s x p ls
src 11.0.0.10/32 dst 11.0.0.2/32 uid 0
        dir in action allow index 102 priority 10 share any flag 0x00000000
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2005-04-28 02:45:10 use -
-----

That would never work without those two patches.

cheers,
jamal


* Re: patch2: del/get byid
  2005-04-28  2:39       ` jamal
@ 2005-04-28  2:42         ` Herbert Xu
  2005-04-28  2:55           ` jamal
  0 siblings, 1 reply; 19+ messages in thread
From: Herbert Xu @ 2005-04-28  2:42 UTC (permalink / raw)
  To: jamal; +Cc: David S. Miller, netdev

On Wed, Apr 27, 2005 at 10:39:40PM -0400, jamal wrote:
> 
> That would never work without those two patches.

Sorry, but you've just broken the policy timer.  This is the
other use of index.  It's a sneaky way of carrying around dir
in the policy without actually specifying it :)
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
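
A user-space C model of the index/direction coupling discussed in the exchange above, added here as an illustration; it is not code from the thread or from the kernel. The eight-slot table, the generator formula and the direction codes are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NLISTS 8   /* assumption: one list per possible value of (id & 7) */
enum { DIR_IN = 0, DIR_OUT = 1, DIR_FWD = 2 };  /* constructed direction codes */

struct policy {
    uint32_t index;
    uint8_t dir;            /* explicit direction, as the later patch proposes */
    struct policy *next;
};

static struct policy *lists[NLISTS];
static uint32_t idx_generator;

static void reset_model(void)
{
    for (size_t i = 0; i < NLISTS; i++)
        lists[i] = NULL;
    idx_generator = 8;
}

/* Model generator: the direction rides in the low three bits of the index. */
static uint32_t gen_index(uint8_t dir)
{
    uint32_t idx = idx_generator | dir;
    idx_generator += 8;
    return idx;
}

/* user_index == 0 means "let the model pick", mirroring if (!policy->index). */
static int insert(struct policy *pol, uint8_t dir, uint32_t user_index)
{
    if (dir >= NLISTS)
        return -1;          /* reject a direction that would index out of range */
    pol->dir = dir;
    pol->index = user_index ? user_index : gen_index(dir);
    pol->next = lists[dir];
    lists[dir] = pol;
    return 0;
}

static struct policy *find(struct policy *head, uint32_t id)
{
    for (; head; head = head->next)
        if (head->index == id)
            return head;
    return NULL;
}

/* Lookup before the patch: the list is derived from the id itself. */
static struct policy *byid_masked(uint32_t id)
{
    return find(lists[id & 7], id);
}

/* Lookup after the patch: the caller names the list. */
static struct policy *byid_dir(uint8_t dir, uint32_t id)
{
    return dir < NLISTS ? find(lists[dir], id) : NULL;
}

/* Bit 0: masked lookup finds the policy. Bit 1: dir lookup finds it.
 * Bit 2: a timer that computes dir as index & 7 gets the right direction. */
static int run_case(uint8_t dir, uint32_t user_index)
{
    static struct policy pol;
    int result = 0;

    reset_model();
    if (insert(&pol, dir, user_index) != 0)
        return -1;
    if (byid_masked(pol.index) == &pol)
        result |= 1;
    if (byid_dir(dir, pol.index) == &pol)
        result |= 2;
    if ((pol.index & 7) == pol.dir)
        result |= 4;
    return result;
}

int main(void)
{
    printf("generated index, dir out : %d\n", run_case(DIR_OUT, 0));
    printf("user index 102, dir in   : %d\n", run_case(DIR_IN, 102));
    printf("user index 96, dir in    : %d\n", run_case(DIR_IN, 96));
    return 0;
}
```

A result of 7 means all three views agree; user index 102 with direction "in" is found only by the dir lookup, and a timer that still masks the index would act on list 6 instead of list 0.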


* Re: patch2: del/get byid
  2005-04-28  2:42         ` Herbert Xu
@ 2005-04-28  2:55           ` jamal
  2005-04-28  3:03             ` Herbert Xu
  0 siblings, 1 reply; 19+ messages in thread
From: jamal @ 2005-04-28  2:55 UTC (permalink / raw)
  To: Herbert Xu; +Cc: David S. Miller, netdev

On Thu, 2005-28-04 at 12:42 +1000, Herbert Xu wrote:
> On Wed, Apr 27, 2005 at 10:39:40PM -0400, jamal wrote:
> > 
> > That would never work without those two patches.
> 
> Sorry, but you've just broken the policy timer.  This is the
> other use of index.  It's a sneaky way of carrying around dir
> in the policy without actually specifying it :)

Dang ;-> That's some abuse ;->
It would probably be easy to steal 2 bits off the flags instead, no?
It's not like they are being highly utilized.

cheers,
jamal


* Re: patch2: del/get byid
  2005-04-28  2:55           ` jamal
@ 2005-04-28  3:03             ` Herbert Xu
  2005-04-28  3:24               ` jamal
  0 siblings, 1 reply; 19+ messages in thread
From: Herbert Xu @ 2005-04-28  3:03 UTC (permalink / raw)
  To: jamal; +Cc: David S. Miller, netdev, Alexey Kuznetsov

On Wed, Apr 27, 2005 at 10:55:32PM -0400, jamal wrote:
> 
> Dang ;-> That's some abuse ;->

Indeed, looks like it was my code too :)

> It would probably be easy to steal 2 bits off the flags instead, no?

Or we can simply put it in a field called dir and start using it
instead of passing it around :)

With respect to the user specifying the index when adding policies,
I think we should check with Alexey.  He added the original code to
do this so maybe there was a problem with KAME that makes this
necessary.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: patch2: del/get byid
  2005-04-28  3:03             ` Herbert Xu
@ 2005-04-28  3:24               ` jamal
  2005-04-28 14:20                 ` jamal
  0 siblings, 1 reply; 19+ messages in thread
From: jamal @ 2005-04-28  3:24 UTC (permalink / raw)
  To: Herbert Xu; +Cc: David S. Miller, netdev, Alexey Kuznetsov

On Thu, 2005-28-04 at 13:03 +1000, Herbert Xu wrote:

> Or we can simply put it in a field called dir and start using it
> instead of passing it around :)
> 

That would be the best option.

> With respect to the user specifying the index when adding policies,
> I think we should check with Alexey.  He added the original code to
> do this so maybe there was a problem with KAME that makes this
> necessary.
> 

Agreed. Alexey, thread of interest on netdev, this one as well as
the other with subject "patch: policy update by id"

cheers,
jamal


* Re: patch2: del/get byid
  2005-04-28  3:24               ` jamal
@ 2005-04-28 14:20                 ` jamal
  2005-04-28 23:11                   ` Herbert Xu
  0 siblings, 1 reply; 19+ messages in thread
From: jamal @ 2005-04-28 14:20 UTC (permalink / raw)
  To: Herbert Xu; +Cc: Alexey Kuznetsov, netdev, David S. Miller

[-- Attachment #1: Type: text/plain, Size: 482 bytes --]

On Wed, 2005-27-04 at 23:24 -0400, jamal wrote:
> On Thu, 2005-28-04 at 13:03 +1000, Herbert Xu wrote:
> 
> > Or we can simply put it in a field called dir and start using it
> > instead of passing it around :)
> > 
> 
> That would be the best option.

Well, here's some minimalist patch I haven't tested, i.e. it doesn't change any
of the functions; but at least it doesn't break the timers.
This includes both patches I posted earlier and introduces dir in
xfrm_policy.

cheers,
jamal

[-- Attachment #2: polid_p4 --]
[-- Type: text/plain, Size: 2027 bytes --]

--- a/include/net/xfrm.h	2005/04/28 14:05:00	1.1
+++ b/include/net/xfrm.h	2005/04/28 14:05:48
@@ -302,6 +302,7 @@
 	struct dst_entry       *bundles;
 	__u16			family;
 	__u8			action;
+	__u8			dir;
 	__u8			flags;
 	__u8			dead;
 	__u8			xfrm_nr;
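
Review bot: The new dir member in the struct is added without a comment saying which values it takes or which code is responsible for setting it. Since the rest of this patch switches readers from index & 7 to this field, a one-line comment here (the direction the policy is installed in, and where it is set) would make the new invariant explicit.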
--- a/net/xfrm/xfrm_user.c	2005/04/28 13:59:27	1.1
+++ b/net/xfrm/xfrm_user.c	2005/04/28 14:01:58
@@ -653,6 +653,7 @@
 	memcpy(&xp->selector, &p->sel, sizeof(xp->selector));
 	memcpy(&xp->lft, &p->lft, sizeof(xp->lft));
 	xp->action = p->action;
+	xp->dir = p->dir;
 	xp->flags = p->flags;
 	xp->family = p->sel.family;
 	/* XXX xp->share = p->share; */
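
Review bot: xp->dir = p->dir stores a value taken from the request with no range check in this hunk, and the timer hunk in this patch then reads xp->dir back in place of index & 7, which could never exceed 7. Validate p->dir before the copy, or point to where the caller has already rejected out-of-range values, so a bad direction cannot be stored in the policy.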
--- a/net/xfrm/xfrm_policy.c	2005/04/27 11:32:13	1.1
+++ b/net/xfrm/xfrm_policy.c	2005/04/28 14:02:18
@@ -163,7 +163,7 @@
 	if (xp->dead)
 		goto out;
 
-	dir = xp->index & 7;
+	dir = xp->dir;
 
 	if (xp->lft.hard_add_expires_seconds) {
 		long tmo = xp->lft.hard_add_expires_seconds +
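
Review bot: dir = xp->dir is only correct if every policy that can reach this timer had the field filled in, and the only assignment in this patch is the one in xfrm_user.c. A policy created through any other path would arrive here with dir unset. Assigning policy->dir from the dir argument at the point where the policy is linked into xfrm_policy_list[dir] would cover all callers in one place.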
@@ -345,7 +345,10 @@
 
 	write_lock_bh(&xfrm_policy_lock);
 	for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL;) {
-		if (!delpol && memcmp(&policy->selector, &pol->selector, sizeof(pol->selector)) == 0) {
+		if (!delpol && 
+		    ((!excl && policy->index && 
+		      (policy->index == pol->index)) || 
+		    (memcmp(&policy->selector, &pol->selector, sizeof(pol->selector)) == 0))) {
 			if (excl) {
 				write_unlock_bh(&xfrm_policy_lock);
 				return -EEXIST;
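
Review bot: In the new condition the !delpol guard means only the first policy that matches, by index or by selector, is picked up, so when one policy matches policy->index and a different one matches the selector, the second stays in the list next to the new entry. The !excl && term also skips the index comparison for exclusive adds, so the -EEXIST return is only reached on a selector match. Resolving both lookups before the loop and rejecting the case where they disagree would remove both problems.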
@@ -370,7 +373,9 @@
 	policy->next = *p;
 	*p = policy;
 	atomic_inc(&flow_cache_genid);
-	policy->index = delpol ? delpol->index : xfrm_gen_index(dir);
+	if (!policy->index)
+		policy->index = delpol ? delpol->index : xfrm_gen_index(dir);
+
 	policy->curlft.add_time = (unsigned long)xtime.tv_sec;
 	policy->curlft.use_time = 0;
 	if (!mod_timer(&policy->timer, jiffies + HZ))
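
Review bot: With if (!policy->index) a nonzero index from the caller is kept as is, and nothing in this hunk checks that it is not already in use in this list or that a later xfrm_gen_index(dir) cannot return the same value. When delpol was matched by selector, the replacement also ends up with a different index than the policy it replaces. Either reject a caller-supplied index that is already present or document that uniqueness is the caller's responsibility.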
@@ -413,7 +418,7 @@
 	struct xfrm_policy *pol, **p;
 
 	write_lock_bh(&xfrm_policy_lock);
-	for (p = &xfrm_policy_list[id & 7]; (pol=*p)!=NULL; p = &pol->next) {
+	for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL; p = &pol->next) {
 		if (pol->index == id) {
 			xfrm_pol_hold(pol);
 			if (delete)
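
Review bot: After this change an id no longer selects its own list, so the same index can sit in two direction lists and pol->index == id succeeds in whichever list dir names. If indices are meant to be unique across directions, that needs to be enforced on insert; if they are per direction, say so in a comment above the loop so callers know dir is part of the key.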


* Re: patch2: del/get byid
  2005-04-28 14:20                 ` jamal
@ 2005-04-28 23:11                   ` Herbert Xu
  2005-04-29 12:51                     ` jamal
  0 siblings, 1 reply; 19+ messages in thread
From: Herbert Xu @ 2005-04-28 23:11 UTC (permalink / raw)
  To: jamal; +Cc: Alexey Kuznetsov, netdev, David S. Miller

On Thu, Apr 28, 2005 at 10:20:33AM -0400, jamal wrote:
> 
> Well, here's some minimalist patch I haven't tested, i.e. it doesn't change any
> of the functions; but at least it doesn't break the timers.
> This includes both patches I posted earlier and introduces dir in
> xfrm_policy.

Thanks, the dir stuff looks good.

> @@ -345,7 +345,10 @@
>  
>  	write_lock_bh(&xfrm_policy_lock);
>  	for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL;) {
> -		if (!delpol && memcmp(&policy->selector, &pol->selector, sizeof(pol->selector)) == 0) {
> +		if (!delpol && 
> +		    ((!excl && policy->index && 
> +		      (policy->index == pol->index)) || 
> +		    (memcmp(&policy->selector, &pol->selector, sizeof(pol->selector)) == 0))) {
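
Review bot: Style point on the added condition: the first three + lines end in trailing whitespace, and the nested parentheses make it hard to see that !excl applies only to the index comparison and not to the memcmp(). Computing the index match and the selector match into two local ints before the if would keep the line lengths down and make the precedence obvious.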

Now that you are allowing the user to set the index, this excl check
really needs to go.  Otherwise the user can add two policies with
the same index.

You also still need to solve the problem that you may need to
delete two policies if one matches the index while the other matches
the selector (or selector plus priority if you do that).

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: patch2: del/get byid
  2005-04-28 23:11                   ` Herbert Xu
@ 2005-04-29 12:51                     ` jamal
  2005-04-29 23:20                       ` jamal
  0 siblings, 1 reply; 19+ messages in thread
From: jamal @ 2005-04-29 12:51 UTC (permalink / raw)
  To: Herbert Xu; +Cc: Alexey Kuznetsov, netdev, David S. Miller

On Fri, 2005-29-04 at 09:11 +1000, Herbert Xu wrote:

> Now that you are allowing the user to set the index, this excl check
> really needs to go.  Otherwise the user can add two policies with
> the same index.

Agreed.

> 
> You also still need to solve the problem that you may need to
> delete two policies if one matches the index while the other matches
> the selector (or selector plus priority if you do that).
> 

Ok, this bit is tricky...  that is unless we disallowed it from
happening in the first place maybe

i.e. something along the lines of:

delp1 = find by index
delp2 = find by selector
if delp1 && delp2 and delp1 != delp2
return -EINVAL

// so far good. check the add case
if delp1 || delp2 and excl
return -EEXIST
        
do the insert here based on priority ..

Thoughts?

cheers,
jamal


* Re: patch2: del/get byid
  2005-04-29 12:51                     ` jamal
@ 2005-04-29 23:20                       ` jamal
  2005-04-29 23:49                         ` Herbert Xu
  0 siblings, 1 reply; 19+ messages in thread
From: jamal @ 2005-04-29 23:20 UTC (permalink / raw)
  To: Herbert Xu; +Cc: Alexey Kuznetsov, netdev, David S. Miller

[-- Attachment #1: Type: text/plain, Size: 1059 bytes --]

On Fri, 2005-29-04 at 08:51 -0400, jamal wrote:
> On Fri, 2005-29-04 at 09:11 +1000, Herbert Xu wrote:

> > 
> > You also still need to solve the problem that you may need to
> > delete two policies if one matches the index while the other matches
> > the selector (or selector plus priority if you do that).
> > 
> 
> Ok, this bit is tricky...  that is unless we disallowed it from
> happening in the first place maybe
> 
> i.e. something along the lines of:
> 
> delp1 = find by index
> delp2 = find by selector
> if delp1 && delp2 and delp1 != delp2
> return -EINVAL
> 
> // so far good. check the add case
> if delp1 || delp2 and excl
> return -EEXIST
>         
> do the insert here based on priority ..
> 
> Thoughts?

Ok, here is the patch - I spent about 30 minutes testing - some of the
logs I remembered capturing attached (in these tests I was trying to
update a rule by selector or index and see that it gets moved
correctly in terms of priority order).


A rule is unique by both selector (which it was already) and index (new).


cheers,
jamal

[-- Attachment #2: polid_p5 --]
[-- Type: text/plain, Size: 3109 bytes --]

--- a/include/net/xfrm.h	2005/04/28 14:05:00	1.1
+++ b/include/net/xfrm.h	2005/04/28 14:05:48
@@ -302,6 +302,7 @@
 	struct dst_entry       *bundles;
 	__u16			family;
 	__u8			action;
+	__u8			dir;
 	__u8			flags;
 	__u8			dead;
 	__u8			xfrm_nr;
--- a/net/xfrm/xfrm_user.c	2005/04/28 13:59:27	1.1
+++ b/net/xfrm/xfrm_user.c	2005/04/28 14:01:58
@@ -653,6 +653,7 @@
 	memcpy(&xp->selector, &p->sel, sizeof(xp->selector));
 	memcpy(&xp->lft, &p->lft, sizeof(xp->lft));
 	xp->action = p->action;
+	xp->dir = p->dir;
 	xp->flags = p->flags;
 	xp->family = p->sel.family;
 	/* XXX xp->share = p->share; */
--- a/net/xfrm/xfrm_policy.c	2005/04/27 11:32:13	1.1
+++ b/net/xfrm/xfrm_policy.c	2005/04/29 23:07:38
@@ -163,7 +163,7 @@
 	if (xp->dead)
 		goto out;
 
-	dir = xp->index & 7;
+	dir = xp->dir;
 
 	if (xp->lft.hard_add_expires_seconds) {
 		long tmo = xp->lft.hard_add_expires_seconds +
@@ -341,17 +341,35 @@
 {
 	struct xfrm_policy *pol, **p;
 	struct xfrm_policy *delpol = NULL;
+	struct xfrm_policy *delpol2 = NULL;
+	struct xfrm_policy *delp = NULL;
 	struct xfrm_policy **newpos = NULL;
+	int ret = -EINVAL;
+
+	if (policy->index)
+		delpol = xfrm_policy_byid(dir, policy->index, 0);
+	delpol2 = xfrm_policy_bysel(dir, &policy->selector, 0);
+
+	/* must be unique in both index and selector */
+	if (delpol && delpol2) 
+		if (delpol != delpol2) 
+			goto pol_err;
 
+	if (delpol) 
+		delp = delpol;
+	else 
+		delp = delpol2;
+			
+	if (delp && excl) { 
+		ret = -EEXIST;
+		goto pol_err;
+	}
+
+	/* insert, sorted by prio*/
 	write_lock_bh(&xfrm_policy_lock);
 	for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL;) {
-		if (!delpol && memcmp(&policy->selector, &pol->selector, sizeof(pol->selector)) == 0) {
-			if (excl) {
-				write_unlock_bh(&xfrm_policy_lock);
-				return -EEXIST;
-			}
+		if (pol == delp) {
 			*p = pol->next;
-			delpol = pol;
 			if (policy->priority > pol->priority)
 				continue;
 		} else if (policy->priority >= pol->priority) {
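
Review bot: xfrm_policy_byid() and xfrm_policy_bysel() are called before write_lock_bh(&xfrm_policy_lock) is taken, so the uniqueness and excl decisions are made on a snapshot that can change before the loop runs. Another insert or delete can slip in between: delp may already be gone when the loop looks for pol == delp, or a policy with the same selector or index may have been added in the meantime. The checks and the list edit need to happen under one hold of the lock; since xfrm_policy_byid() takes the lock itself, that means variants of the two lookups that expect the lock to be held already.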
@@ -360,27 +378,36 @@
 		}
 		if (!newpos)
 			newpos = p;
-		if (delpol)
-			break;
 		p = &pol->next;
 	}
+
 	if (newpos)
 		p = newpos;
+	
 	xfrm_pol_hold(policy);
 	policy->next = *p;
 	*p = policy;
 	atomic_inc(&flow_cache_genid);
-	policy->index = delpol ? delpol->index : xfrm_gen_index(dir);
+	if (!policy->index)
+		policy->index = delp ? delp->index : xfrm_gen_index(dir);
+
 	policy->curlft.add_time = (unsigned long)xtime.tv_sec;
 	policy->curlft.use_time = 0;
 	if (!mod_timer(&policy->timer, jiffies + HZ))
 		xfrm_pol_hold(policy);
 	write_unlock_bh(&xfrm_policy_lock);
 
-	if (delpol) {
-		xfrm_policy_kill(delpol);
+	if (delp) {
+		xfrm_policy_kill(delp);
 	}
-	return 0;
+	ret = 0;
+
+pol_err:
+	if (delpol)
+		xfrm_pol_put(delpol);
+	if (delpol2)
+		xfrm_pol_put(delpol2);
+	return ret;
 }
 EXPORT_SYMBOL(xfrm_policy_insert);
 
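
Review bot: xfrm_policy_kill(delp) near the end runs whenever one of the earlier lookups returned a policy, not only when the loop actually unlinked it, and policy->index is taken from delp under the same assumption. Track the unlink with a flag set in the pol == delp branch and kill only when it is set. Two smaller points: with if (delpol) break; removed the loop always walks to the end of the list even after both newpos and delp are settled, and the pol_err label is also the success exit, so a neutral name such as out would read better.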
@@ -413,7 +440,7 @@
 	struct xfrm_policy *pol, **p;
 
 	write_lock_bh(&xfrm_policy_lock);
-	for (p = &xfrm_policy_list[id & 7]; (pol=*p)!=NULL; p = &pol->next) {
+	for (p = &xfrm_policy_list[dir]; (pol=*p)!=NULL; p = &pol->next) {
 		if (pol->index == id) {
 			xfrm_pol_hold(pol);
 			if (delete)

[-- Attachment #3: ipsec-spd-priotst --]
[-- Type: text/plain, Size: 23452 bytes --]

IP=./root/iproute-mod/ip/ip 
root@jzny2: $IP x p flush
root@jzny2: $IP -s x p ls
root@jzny2: $IP x policy add dir in index 1 priority 10 src 12.0.0.10/24 dst 12.0.0.2/24
root@jzny2: $IP x policy add dir in index 2 priority 100 src 11.0.0.10/24 dst 12.0.0.2/24
root@jzny2: $IP x policy add dir in index 4 priority 200 src 11.0.0.10/24 dst 11.0.0.2/24
root@jzny2: $IP x policy add dir in index 5 priority 400 src 13.0.0.10/24 dst 11.0.0.2/24
root@jzny2: $IP -s x p ls
src 12.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 1 priority 10 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 5 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -

root@jzny2: $IP x policy update dir in priority 120 src 12.0.0.10/24 dst 12.0.0.2/24
root@jzny2: $IP -s x p ls
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 12.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 1 priority 120 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 5 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -

root@jzny2: $IP x policy update dir in priority 220 src 12.0.0.10/24 dst 12.0.0.2/24
root@jzny2: $IP -s x p ls
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 12.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 1 priority 220 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:55 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 5 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -

root@jzny2: $IP x policy update dir in priority 420 src 12.0.0.10/24 dst 12.0.0.2/24
root@jzny2: $IP -s x p ls
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 5 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 12.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 1 priority 420 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:55 use -

root@jzny2: $IP x policy update dir in priority 20 src 12.0.0.10/24 dst 12.0.0.2/24
root@jzny2: $IP -s x p ls
src 12.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 1 priority 20 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:55 use -
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 5 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -

root@jzny2: $IP x policy add dir in priority 30 src 13.0.0.10/24 dst 11.0.0.2/24
RTNETLINK answers: File exists

root@jzny2: $IP -s x p ls
src 12.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 1 priority 20 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:55 use -
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 5 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -

root@jzny2: $IP x policy update dir in priority 700 src 12.0.0.10/24 dst 12.0.0.2/24
root@jzny2: $IP -s x p ls
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 5 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:54 use -
src 12.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 1 priority 700 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:56 use -

root@jzny2: $IP x p flush
root@jzny2: $IP -s x p ls
root@jzny2: $IP x policy add dir in index 1 priority 10 src 12.0.0.10/24 dst 12.0.0.2/24
root@jzny2: $IP x policy add dir in index 2 priority 100 src 11.0.0.10/24 dst 12.0.0.2/24
root@jzny2: $IP x policy add dir in index 3 priority 200 src 11.0.0.10/24 dst 11.0.0.2/24
root@jzny2: $IP x policy add dir in index 4 priority 400 src 13.0.0.10/24 dst 11.0.0.2/24
root@jzny2: $IP -s x p ls
src 12.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 1 priority 10 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 3 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -

root@jzny2: $IP x policy update dir in priority 120 index 1
root@jzny2: $IP -s x p ls
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	dir in action allow index 1 priority 120 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use 2005-04-29 22:16:59
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 3 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -

root@jzny2: $IP x policy update dir in priority 220 index 1
root@jzny2: $IP -s x p ls
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 3 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	dir in action allow index 1 priority 220 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:17:00 use 2005-04-29 22:17:00
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -

root@jzny2: $IP x policy update dir in priority 420 index 1
root@jzny2: $IP -s x p ls
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 3 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	dir in action allow index 1 priority 420 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:17:00 use 2005-04-29 22:17:00

root@jzny2: $IP x policy update dir in priority 20 index 1
root@jzny2: $IP -s x p ls
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	dir in action allow index 1 priority 20 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:17:01 use 2005-04-29 22:17:01
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 3 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -

root@jzny2: $IP x policy add dir in priority 30 index 4
RTNETLINK answers: Invalid argument
root@jzny2: $IP -s x p ls
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	dir in action allow index 1 priority 20 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:17:01 use 2005-04-29 22:17:01
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 3 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -

root@jzny2: $IP x policy update dir in priority 700 index 1
root@jzny2: $IP -s x p ls
src 11.0.0.10/24 dst 12.0.0.2/24 uid 0
	dir in action allow index 2 priority 100 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 11.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 3 priority 200 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 13.0.0.10/24 dst 11.0.0.2/24 uid 0
	dir in action allow index 4 priority 400 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:16:59 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	dir in action allow index 1 priority 700 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2005-04-29 22:17:02 use 2005-04-29 22:17:02


* Re: patch2: del/get byid
  2005-04-29 23:20                       ` jamal
@ 2005-04-29 23:49                         ` Herbert Xu
  2005-04-30  0:01                           ` jamal
  0 siblings, 1 reply; 19+ messages in thread
From: Herbert Xu @ 2005-04-29 23:49 UTC (permalink / raw)
  To: jamal; +Cc: Alexey Kuznetsov, netdev, David S. Miller

On Fri, Apr 29, 2005 at 07:20:46PM -0400, jamal wrote:
>
> @@ -341,17 +341,35 @@
>  {
>  	struct xfrm_policy *pol, **p;
>  	struct xfrm_policy *delpol = NULL;
> +	struct xfrm_policy *delpol2 = NULL;
> +	struct xfrm_policy *delp = NULL;
>  	struct xfrm_policy **newpos = NULL;
> +	int ret = -EINVAL;
> +
> +	if (policy->index)
> +		delpol = xfrm_policy_byid(dir, policy->index, 0);
> +	delpol2 = xfrm_policy_bysel(dir, &policy->selector, 0);
> +
> +	/* must be unique in both index and selector */
> +	if (delpol && delpol2) 
> +		if (delpol != delpol2) 
> +			goto pol_err;
>  
> +	if (delpol) 
> +		delp = delpol;
> +	else 
> +		delp = delpol2;
> +			
> +	if (delp && excl) { 
> +		ret = -EEXIST;
> +		goto pol_err;
> +	}
> +
> +	/* insert, sorted by prio*/
>  	write_lock_bh(&xfrm_policy_lock);
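Review bot: xfrm_policy_byid() and xfrm_policy_bysel() are called, and the uniqueness and excl decisions are taken, before write_lock_bh(&xfrm_policy_lock) on the last line of this hunk, so the list can change between the check and the insert; do the lookups under the write lock, or re-validate delp once it is held. xfrm_policy_byid() takes a hold on the policy it returns when delete is 0, yet neither goto pol_err exit nor the delpol == delpol2 case shows a matching put in the quoted lines. The nested if (delpol && delpol2) / if (delpol != delpol2) can be one condition, and the added lines carry trailing whitespace.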

...

>  	write_unlock_bh(&xfrm_policy_lock);
>  
> -	if (delpol) {
> -		xfrm_policy_kill(delpol);
> +	if (delp) {
> +		xfrm_policy_kill(delp);
>  	}
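Review bot: xfrm_policy_kill(delp) acts on a pointer chosen by the lookups at the top of the function, before the lock was taken, and the quoted lines show no check that delp was still on the list when this call held xfrm_policy_lock. Record under the lock whether this call did the unlink and kill only in that case. The braces around the single statement can also go.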

This is racy.  The policy could be killed by the timer in the middle.

This is also getting pretty hairy for something that nobody has needed so
far.  Which user-space application is going to use this index thing?

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: patch2: del/get byid
  2005-04-29 23:49                         ` Herbert Xu
@ 2005-04-30  0:01                           ` jamal
  2005-04-30  0:12                             ` Herbert Xu
  0 siblings, 1 reply; 19+ messages in thread
From: jamal @ 2005-04-30  0:01 UTC (permalink / raw)
  To: Herbert Xu; +Cc: Alexey Kuznetsov, netdev, David S. Miller

On Sat, 2005-30-04 at 09:49 +1000, Herbert Xu wrote:
> On Fri, Apr 29, 2005 at 07:20:46PM -0400, jamal wrote:

> 
> >  	write_unlock_bh(&xfrm_policy_lock);
> >  
> > -	if (delpol) {
> > -		xfrm_policy_kill(delpol);
> > +	if (delp) {
> > +		xfrm_policy_kill(delp);
> >  	}
> 
> This is racy.  The policy could be killed by the timer in the middle.
> 

the policy_kill is?

> This is also getting pretty hairy for something that nobody has needed so
> far.  Which user-space application is going to use this index thing?

did you see the attachment i put with ip x tests?

cheers,
jamal


* Re: patch2: del/get byid
  2005-04-30  0:01                           ` jamal
@ 2005-04-30  0:12                             ` Herbert Xu
  2005-04-30  0:35                               ` jamal
  0 siblings, 1 reply; 19+ messages in thread
From: Herbert Xu @ 2005-04-30  0:12 UTC (permalink / raw)
  To: jamal; +Cc: Alexey Kuznetsov, netdev, David S. Miller

On Fri, Apr 29, 2005 at 08:01:21PM -0400, jamal wrote:
> On Sat, 2005-30-04 at 09:49 +1000, Herbert Xu wrote:
> > On Fri, Apr 29, 2005 at 07:20:46PM -0400, jamal wrote:
> > 
> > >  	write_unlock_bh(&xfrm_policy_lock);
> > >  
> > > -	if (delpol) {
> > > -		xfrm_policy_kill(delpol);
> > > +	if (delp) {
> > > +		xfrm_policy_kill(delp);
> > >  	}
> > 
> > This is racy.  The policy could be killed by the timer in the middle.
> 
> the policy_kill is?

1) You find delpol using xfrm_policy_byid/xfrm_policy_bysel.
2) The timer kicks in and unlinks delpol from the list.
3) You take the list lock and continue to use delpol as if it was
   still on the list.
4) You call xfrm_policy_kill on delpol again even though it's already
   dead.
 
> > This is also getting pretty hairy for something that nobody has needed so
> > far.  Which user-space application is going to use this index thing?
> 
> did you see the attachment i put with ip x tests?

Well I meant a usage other than a test suite :)
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: patch2: del/get byid
  2005-04-30  0:12                             ` Herbert Xu
@ 2005-04-30  0:35                               ` jamal
  2005-04-30  0:47                                 ` Herbert Xu
  0 siblings, 1 reply; 19+ messages in thread
From: jamal @ 2005-04-30  0:35 UTC (permalink / raw)
  To: Herbert Xu; +Cc: Alexey Kuznetsov, netdev, David S. Miller

On Sat, 2005-30-04 at 10:12 +1000, Herbert Xu wrote:
> On Fri, Apr 29, 2005 at 08:01:21PM -0400, jamal wrote:

> > the policy_kill is?
> 
> 1) You find delpol using xfrm_policy_byid/xfrm_policy_bysel.

Which increments the refcnt

> 2) The timer kicks in and unlinks delpol from the list.

How does this happen again? One path i see is an expiry of delpol about
the same time. 

> 3) You take the list lock and continue to use delpol as if it was
>    still on the list.

I am assuming the refcount is sufficient to protect it.

> 4) You call xfrm_policy_kill on delpol again even though it's already
>    dead.

It can only be dead if ->dead is set and refcnt hits zero, no?

>  
> > > This is also getting pretty hairy for something that nobody has needed so
> > > far.  Which user-space application is going to use this index thing?
> > 
> > did you see the attachment i put with ip x tests?
> 
> Well I meant a usage other than a test suite :)

surely ip is a user space application. Correctness is also valuable
regardless of whether there's an app using it today or not.

cheers,
jamal


* Re: patch2: del/get byid
  2005-04-30  0:35                               ` jamal
@ 2005-04-30  0:47                                 ` Herbert Xu
  2005-04-30  1:08                                   ` jamal
  0 siblings, 1 reply; 19+ messages in thread
From: Herbert Xu @ 2005-04-30  0:47 UTC (permalink / raw)
  To: jamal; +Cc: Alexey Kuznetsov, netdev, David S. Miller

On Fri, Apr 29, 2005 at 08:35:57PM -0400, jamal wrote:
>
> > 1) You find delpol using xfrm_policy_byid/xfrm_policy_bysel.
> 
> Which increments the refcnt

Refcnt prevents the policy from being freed.  It doesn't prevent it
from being deleted from the list.  Only the list lock can do that.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
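
The four-step sequence listed earlier in the thread and the refcount point made in the message above, as an added single-threaded user-space C model. It is not kernel code and not from any poster; struct pol, lookup_hold, unlink_pol, timer_expire, kill_pol, delete_by_index and demo are names assumed for illustration, and a callback stands in for the timer.

```c
#include <stddef.h>

/* Toy model (assumed names): one linked list, a refcount, a kill counter. */
struct pol { int index; int refcnt; int kills; struct pol *next; };

static struct pol *list_head;
static int list_locked;                 /* stands in for the list lock */

static void lock_list(void)   { list_locked = 1; }
static void unlock_list(void) { list_locked = 0; }

/* Unlink p if it is still linked; returns 1 only if this call unlinked it. */
static int unlink_pol(struct pol *p)
{
	struct pol **pp;

	for (pp = &list_head; *pp; pp = &(*pp)->next)
		if (*pp == p) { *pp = p->next; p->next = NULL; return 1; }
	return 0;
}

/* Lookup by index: takes a reference, then releases the lock. */
static struct pol *lookup_hold(int index)
{
	struct pol *p;

	lock_list();
	for (p = list_head; p; p = p->next)
		if (p->index == index) { p->refcnt++; break; }
	unlock_list();
	return p;
}

static void kill_pol(struct pol *p) { p->kills++; }

/* Timer path: unlinks under the lock and kills what it unlinked. */
static void timer_expire(struct pol *p)
{
	int mine;

	lock_list();
	mine = unlink_pol(p);
	unlock_list();
	if (mine)
		kill_pol(p);
}

/* recheck == 0: kill whatever the early lookup returned (steps 1-4).
 * recheck == 1: kill only what this call itself unlinked under the lock. */
static int delete_by_index(int index, int recheck, void (*between)(struct pol *))
{
	struct pol *delp = lookup_hold(index);  /* step 1: found, reference held */
	int mine;

	if (!delp)
		return 0;
	between(delp);                          /* step 2: timer unlinks delp */
	lock_list();                            /* step 3: lock taken afterwards */
	mine = unlink_pol(delp);
	unlock_list();
	if (mine || !recheck)
		kill_pol(delp);                 /* step 4 when !recheck */
	delp->refcnt--;                         /* object was never freed */
	return delp->kills;
}

/* Builds a one-entry list (index 4) and returns how often it was killed. */
static int demo(int recheck)
{
	static struct pol p;

	p = (struct pol){ .index = 4, .refcnt = 1 };
	list_head = &p;
	return delete_by_index(4, recheck, timer_expire);
}

int main(void) { return !(demo(0) == 2 && demo(1) == 1); }
```

In both runs the held reference keeps the object valid throughout; only the variant that checks, under the lock, whether it did the unlink avoids the second kill.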


* Re: patch2: del/get byid
  2005-04-30  0:47                                 ` Herbert Xu
@ 2005-04-30  1:08                                   ` jamal
  0 siblings, 0 replies; 19+ messages in thread
From: jamal @ 2005-04-30  1:08 UTC (permalink / raw)
  To: Herbert Xu; +Cc: Alexey Kuznetsov, netdev, David S. Miller

On Sat, 2005-30-04 at 10:47 +1000, Herbert Xu wrote:
> On Fri, Apr 29, 2005 at 08:35:57PM -0400, jamal wrote:
> >
> > > 1) You find delpol using xfrm_policy_byid/xfrm_policy_bysel.
> > 
> > Which increments the refcnt
> 
> Refcnt prevents the policy from being freed.  It doesn't prevent it
> from being deleted from the list.  Only the list lock can do that.
> 

Yes, of course. Look at the code carefully, the delpol is already
_unlinked_ when i call xfrm_policy_kill();->
If it wasn't so none of those tests would have worked; in fact in my first
30 seconds of testing i discovered that when i listed after
an update;->

cheers,
jamal

