From: Harald Welte <laforge@gnumonks.org>
To: netdev@vger.kernel.org
Subject: ip xfrm delete / deleteall not able to delete SAs
Date: Thu, 23 Dec 2021 23:03:33 +0100
Message-ID: <YcTyNRqYdBGoEYid@nataraja>
Hi all,
I'm observing some quite strange behaviour and am wondering what is going on...
So I have a single SA in the kernel (5.14.16, iproute 5.15.0):
--------------------------------------------------
$ sudo ip xfrm state
src 6.6.6.6 dst 5.5.5.5
proto esp spi 0x00000000 reqid 2325 mode transport
replay-window 32
auth-trunc hmac(sha1) 96
enc ecb(cipher_null)
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 6.6.6.6/32 dst 5.5.5.5/32 sport 2222 dport 1111
--------------------------------------------------
Then I try to delete it individually and fail:
--------------------------------------------------
$ sudo ip xfrm state delete src 6.6.6.6 dst 5.5.5.5 proto esp spi 0
RTNETLINK answers: No such process
--------------------------------------------------
Then I try deleteall and it also fails:
--------------------------------------------------
$ sudo ip xfrm state deleteall
Failed to send delete-all request
: No such process
--------------------------------------------------
And finally, the SA still exists:
--------------------------------------------------
$ sudo ip xfrm state
src 6.6.6.6 dst 5.5.5.5
proto esp spi 0x00000000 reqid 2325 mode transport
replay-window 32
auth-trunc hmac(sha1) 96
enc ecb(cipher_null)
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 6.6.6.6/32 dst 5.5.5.5/32 sport 2222 dport 1111
--------------------------------------------------
The SA is not removed and re-added, there is no automagic other process
running for that. 'ip xfrm monitor' doesn't show any changes at all when
the 'delete' or the 'deleteall' is running.
Flushing via 'ip xfrm state flush' works, but that is sort-of beyond the
point: Of course I need to be able to selectively delete SAs at runtime
without flushing the entire database.
Selective deletion and deleteall of policies works as expected. Just SAs
exhibit the strange behavior described above.
Regards,
Harald
--
- Harald Welte <laforge@gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
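To find which SAs fall into the case described above before issuing a selective delete, here is an added example (not from the message and not part of iproute2) that parses `ip xfrm state` output, builds the per-SA `delete` invocation and flags entries whose SPI is 0x00000000. The sample listing is constructed to mirror the one quoted above, with a second, ordinary SA added for contrast.

```python
"""Parse `ip xfrm state` output and flag SAs with SPI 0 (constructed example)."""
import re
import shlex

# Constructed sample: first SA copied from the listing above, second one invented.
SAMPLE = """\
src 6.6.6.6 dst 5.5.5.5
\tproto esp spi 0x00000000 reqid 2325 mode transport
\treplay-window 32
\tauth-trunc hmac(sha1) 96
\tenc ecb(cipher_null)
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
\tsel src 6.6.6.6/32 dst 5.5.5.5/32 sport 2222 dport 1111
src 10.0.0.1 dst 10.0.0.2
\tproto esp spi 0x0000c0de reqid 7 mode tunnel
\treplay-window 32
\tsel src 0.0.0.0/0 dst 0.0.0.0/0
"""

# The SA header line is unindented; "sel src ..." lines are not, so "^src" is safe.
HEAD = re.compile(r"^src (\S+) dst (\S+)")
PROTO = re.compile(r"^\s*proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\S+)")


def parse_xfrm_state(text):
    """Return one dict per SA: src, dst, proto, spi (int), reqid (int), mode."""
    sas = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            sas.append({"src": m.group(1), "dst": m.group(2)})
            continue
        m = PROTO.match(line)
        if m and sas:
            sas[-1].update(proto=m.group(1), spi=int(m.group(2), 16),
                           reqid=int(m.group(3)), mode=m.group(4))
    return sas


def delete_command(sa):
    """Selective-delete argv for one SA, the same form the report uses."""
    return ["ip", "xfrm", "state", "delete", "src", sa["src"], "dst", sa["dst"],
            "proto", sa["proto"], "spi", "0x%08x" % sa["spi"]]


def zero_spi_sas(sas):
    """SAs with SPI 0: reserved for local use by RFC 4303, and the case reported above."""
    return [sa for sa in sas if sa["spi"] == 0]


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["ip", "xfrm", "state"], capture_output=True, text=True, check=True)
    for sa in zero_spi_sas(parse_xfrm_state(out.stdout)):
        print("SPI 0 SA, selective delete may fail:", shlex.join(delete_command(sa)))
```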