Control: tags -1 fixed 5.8.0-1
Control: close -1

On Wed, 2020-12-02 at 09:26 -0300, Bernardo Soares wrote:
> Yes, this is what I was looking for!
>
> Was this support introduced recently? We updated the kernel across our fleet
> recently and it magically works now.
>
> I am now at 5.8.0-0.bpo.2-amd64 with iproute2 5.8.0

Quite likely - I'll mark as closed at that version then.

> > On Fri, Nov 27, 2020 at 9:22 AM Luca Boccassi <bl...@debian.org> wrote:
> > Control: tags -1 moreinfo
> >
> > On Fri, 7 Aug 2020 09:28:55 -0300 Bernardo Soares <bsoares...@gmail.com> wrote:
> > > Dear maintainer,
> > >
> > > We are moving our xfrm configuration to be based on xfrm interfaces as
> > > opposed to using mark values. So we use intf_id to glue the state/policy
> > > and interface.
> > > Right now I found out that, while the states can be managed just fine, the
> > > policy won't be deleted, as the mark value seems to be the only key we can
> > > use to reference a policy.
> > >
> > > Example:
> > >
> > > ```
> > > ip xfrm policy update src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 200000 \
> > >     ptype main tmpl src 1.2.3.4 dst 4.3.2.1 proto esp spi 0x12345678 \
> > >     reqid 4096 mode tunnel if_id 0x100
> > >
> > > root@ca870b7a2863:/opt/src# ip xfrm policy ls
> > > src 0.0.0.0/0 dst 0.0.0.0/0
> > >         dir out priority 200000 ptype main
> > >         tmpl src 1.2.3.4 dst 4.3.2.1
> > >                 proto esp spi 0x12345678 reqid 4096 mode tunnel
> > >         if_id 0x100
> > >
> > > root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0 dir out if_id 4096
> > > Error: argument "if_id" is wrong: unknown
> > > root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0 dir out if_id 0x100
> > > Error: argument "if_id" is wrong: unknown
> > > root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0 dir out mark 0x100
> > > RTNETLINK answers: No such file or directory
> > > root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0 dir out mark 4096
> > > RTNETLINK answers: No such file or directory
> > > root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0 dir out spi 0x12345678
> > > Error: argument "spi" is wrong: unknown
> > > root@ca870b7a2863:/opt/src#
> > > ```
> >
> > Hi,
> >
> > The policy can be deleted with an identifier, which doesn't have to be
> > a mark. It can be if_id for example:
> >
> > $ sudo ip xfrm policy ls
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         dir out priority 200000 ptype main
> >         tmpl src 2.3.4.5 dst 5.4.3.2
> >                 proto esp spi 0x12345678 reqid 4096 mode tunnel
> >         if_id 0x101
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         dir out priority 200000 ptype main
> >         tmpl src 1.2.3.4 dst 4.3.2.1
> >                 proto esp spi 0x12345678 reqid 4096 mode tunnel
> >         if_id 0x100
> > $ sudo ip xfrm policy delete src 0.0.0.0/0 dst 0.0.0.0/0 dir out if_id 0x100
> > $ sudo ip xfrm policy ls
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         dir out priority 200000 ptype main
> >         tmpl src 2.3.4.5 dst 5.4.3.2
> >                 proto esp spi 0x12345678 reqid 4096 mode tunnel
> >         if_id 0x101
> > $
> >
> > To delete all policies under a selector, there's the deleteall command:
> >
> > $ sudo ip xfrm policy ls
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         dir out priority 200000 ptype main
> >         tmpl src 1.2.3.4 dst 4.3.2.1
> >                 proto esp spi 0x12345678 reqid 4096 mode tunnel
> >         if_id 0x100
> > $ sudo ip xfrm policy deleteall src 0.0.0.0/0 dst 0.0.0.0/0
> > $ sudo ip xfrm policy ls
> > $
> >
> > Isn't that what you are looking for?
> >