Control: tags -1 moreinfo

On Fri, 7 Aug 2020 09:28:55 -0300 Bernardo Soares <bsoares...@gmail.com> wrote:
> Dear maintainer,
>
> We are moving our xfrm configuration to be based on xfrm interfaces as
> opposed to using mark values. So we use intf_id to glue the state/policy
> and interface.
> Right now I found out that, while the states can be managed just fine, the
> policy won't be deleted as the mark value seems to be the only key we can
> use to reference a policy.
>
> Example:
>
> ```
> ip xfrm policy update src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 200000
> ptype main tmpl src 1.2.3.4 dst 4.3.2.1 proto esp spi 0x12345678 reqid 4096
> mode tunnel if_id 0x100
>
>
> root@ca870b7a2863:/opt/src# ip xfrm policy ls
> src 0.0.0.0/0 dst 0.0.0.0/0
> 	dir out priority 200000 ptype main
> 	tmpl src 1.2.3.4 dst 4.3.2.1
> 		proto esp spi 0x12345678 reqid 4096 mode tunnel
> 	if_id 0x100
>
> root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0
> dir out if_id 4096
> Error: argument "if_id" is wrong: unknown
> root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0
> dir out if_id 0x100
> Error: argument "if_id" is wrong: unknown
> root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0
> dir out mark 0x100
> RTNETLINK answers: No such file or directory
> root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0
> dir out mark 4096
> RTNETLINK answers: No such file or directory
> root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0
> dir out spi 0x12345678
> Error: argument "spi" is wrong: unknown
> root@ca870b7a2863:/opt/src#
> ```
Hi,

The policy can be deleted with an identifier, which doesn't have to be a
mark. It can be if_id for example:

$ sudo ip xfrm policy ls
src 0.0.0.0/0 dst 0.0.0.0/0
	dir out priority 200000 ptype main
	tmpl src 2.3.4.5 dst 5.4.3.2
		proto esp spi 0x12345678 reqid 4096 mode tunnel
	if_id 0x101
src 0.0.0.0/0 dst 0.0.0.0/0
	dir out priority 200000 ptype main
	tmpl src 1.2.3.4 dst 4.3.2.1
		proto esp spi 0x12345678 reqid 4096 mode tunnel
	if_id 0x100
$ sudo ip xfrm policy delete src 0.0.0.0/0 dst 0.0.0.0/0 dir out if_id 0x100
$ sudo ip xfrm policy ls
src 0.0.0.0/0 dst 0.0.0.0/0
	dir out priority 200000 ptype main
	tmpl src 2.3.4.5 dst 5.4.3.2
		proto esp spi 0x12345678 reqid 4096 mode tunnel
	if_id 0x101
$

To delete all policies under a selector, there's the deleteall command:

$ sudo ip xfrm policy ls
src 0.0.0.0/0 dst 0.0.0.0/0
	dir out priority 200000 ptype main
	tmpl src 1.2.3.4 dst 4.3.2.1
		proto esp spi 0x12345678 reqid 4096 mode tunnel
	if_id 0x100
$ sudo ip xfrm policy deleteall src 0.0.0.0/0 dst 0.0.0.0/0
$ sudo ip xfrm policy ls
$

Isn't that what you are looking for?

-- 
Kind regards,
Luca Boccassi
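An added example, not part of the bug thread and not iproute2's own code: a small Python parser for `ip xfrm policy ls` output of the shape shown in the reply, with helpers that select policies by `if_id`, flag any policy still keyed only by `mark` (a leftover from the mark-based setup the reporter is migrating away from), and build the corresponding `ip xfrm policy delete` invocation using `if_id` as the reply describes. Assumptions: the listing layout (policy attributes one tab deep, template attributes two tabs deep), the `mark VALUE/MASK` line format in the constructed sample, and the `mark VALUE mask MASK` form of the delete command for the mark-keyed fallback. The sample listing is constructed from the thread's output plus one invented mark-keyed policy.

```python
"""Audit `ip xfrm policy ls` output during a mark -> if_id migration."""

# Constructed sample: the two if_id-keyed policies from the thread plus one
# mark-keyed leftover (the "mark 0x100/0xffffffff" line format is an assumption).
SAMPLE_POLICY_LIST = """\
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir out priority 200000 ptype main
\ttmpl src 2.3.4.5 dst 5.4.3.2
\t\tproto esp spi 0x12345678 reqid 4096 mode tunnel
\tif_id 0x101
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir out priority 200000 ptype main
\ttmpl src 1.2.3.4 dst 4.3.2.1
\t\tproto esp spi 0x12345678 reqid 4096 mode tunnel
\tif_id 0x100
src 10.0.0.0/8 dst 10.0.0.0/8
\tdir in priority 100 ptype main
\tmark 0x100/0xffffffff
\ttmpl src 1.2.3.4 dst 4.3.2.1
\t\tproto esp reqid 4096 mode tunnel
"""


def _pairs(tokens):
    """Turn "key value key value ..." into a dict; a trailing lone token is a flag."""
    out = {}
    it = iter(tokens)
    for key in it:
        out[key] = next(it, True)
    return out


def parse_policies(text):
    """Split the listing into one dict per policy, with a "tmpl" list of templates.

    Assumed layout (matches the listings in the thread): a policy starts with an
    unindented "src ... dst ..." line, its own attributes are one tab deep, and
    template attributes continue two tabs deep.
    """
    policies = []
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip("\t"))
        tokens = line.split()
        if indent == 0 and tokens[0] == "src":
            policies.append({"tmpl": []})
        cur = policies[-1]
        if tokens[0] == "tmpl":
            cur["tmpl"].append(_pairs(tokens[1:]))
        elif indent >= 2 and cur["tmpl"]:
            cur["tmpl"][-1].update(_pairs(tokens))
        else:
            cur.update(_pairs(tokens))
    return policies


def normalize_id(value):
    """Accept decimal or hex (0x100) text or an int; strip a /mask suffix if present."""
    return int(str(value).split("/")[0], 0)


def policies_by_if_id(policies, if_id):
    """Policies bound to the given xfrm interface id (the key the reply recommends)."""
    want = normalize_id(if_id)
    return [p for p in policies if "if_id" in p and normalize_id(p["if_id"]) == want]


def mark_keyed_policies(policies):
    """Policies still identified only by mark: leftovers to clean up after migrating."""
    return [p for p in policies if "mark" in p and "if_id" not in p]


def delete_command(policy):
    """Build the `ip xfrm policy delete` line that identifies this one policy.

    Uses if_id when present (as in the reply); falls back to mark [mask] otherwise.
    """
    cmd = ["ip", "xfrm", "policy", "delete",
           "src", policy["src"], "dst", policy["dst"], "dir", policy["dir"]]
    if "if_id" in policy:
        cmd += ["if_id", policy["if_id"]]
    elif "mark" in policy:
        value, _, mask = str(policy["mark"]).partition("/")
        cmd += ["mark", value]
        if mask:
            cmd += ["mask", mask]
    return " ".join(cmd)


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_POLICY_LIST)
    for p in policies_by_if_id(pols, "0x100"):
        print("if_id 0x100:", delete_command(p))
    for p in mark_keyed_policies(pols):
        print("still mark-keyed:", delete_command(p))
```

Feeding it `ip xfrm policy ls` output (for example via `subprocess.run(["ip", "xfrm", "policy", "ls"], capture_output=True, text=True).stdout`) lets you confirm after each `delete` or `deleteall` that exactly the intended policies are gone and that nothing is still relying on a mark. Note that `4096` in the report is the `reqid`, not an `if_id`, which is why selecting on it matches nothing.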