Bug 1656717

Summary: RFE: support xfrm state flush for specific family
Product: Red Hat Enterprise Linux 8 Reporter: xmu
Component: iproute Assignee: Andrea Claudi <aclaudi>
Status: CLOSED ERRATA QA Contact: Jaroslav Aster <jaster>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.1 CC: atragler, jaster, xmu
Target Milestone: rc   
Target Release: 8.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: iproute-4.18.0-13.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1656714 Environment:
Last Closed: 2019-11-05 22:26:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1656714, 1679662    
Bug Blocks:    

Comment 2 Phil Sutter 2018-12-14 15:03:06 UTC
Command 'ip xfrm state flush' triggers the xfrm_state_flush() function in the kernel (net/xfrm/xfrm_state.c). That function doesn't support filtering by address family.

Looking at the iproute code, I see that 'ip xfrm state list' indeed supports filtering by address family. It uses an XFRM_MSG_GETSA dump request internally. By adding an XFRMA_ADDRESS_FILTER attribute, one could add the same functionality to the 'ip xfrm state deleteall' command.

This is not a regression, right?

Comment 3 xmu 2018-12-17 05:49:17 UTC
yes, not a regression, rhel7.5 also has the same issue.

Comment 4 Phil Sutter 2018-12-18 14:48:31 UTC
Hi,

(In reply to xmu from comment #3)
> yes, not a regression, rhel7.5 also has the same issue.

Thanks for the clarification. I'll hereby make this a feature request and move to RHEL8.1 accordingly. Feel free to revert if you disagree.

Cheers, Phil

Comment 6 Phil Sutter 2019-04-29 14:01:47 UTC
Fix sent upstream: https://marc.info/?l=linux-netdev&m=155654066930378&w=2

Xiumei, if time allows, could you please test if it fixes your issue? Note that you will have to use 'deleteall' instead of 'flush' and that by default, it will still remove both IPv4 and IPv6 entries. But specifying either of the -4 or -6 flags will limit the effect to that address family.

Cheers, Phil

Comment 7 xmu 2019-04-30 02:18:32 UTC
Phil,
I'm much too busy doing rhel7.7 testing recently and I'm not sure when I will have time to do this. How about I test this when it goes to ON_QA?

Comment 8 Phil Sutter 2019-05-03 11:40:57 UTC
Hi Xiumei,

(In reply to xmu from comment #7)
> Phil,
> I'm much too busy doing rhel7.7 testing recently and I'm not sure when I
> will have time to do this. How about I test this when it goes to ON_QA?

Sure, no problem!

Comment 9 Phil Sutter 2019-05-09 16:52:53 UTC
Upstream commit to backport:

commit cd21ae40130b4d1ddb3ef500800840e35e7bfad1
Author: Phil Sutter <phil@nwl.cc>
Date:   Mon May 6 19:09:56 2019 +0200

    ip-xfrm: Respect family in deleteall and list commands
    
    Allow to limit 'ip xfrm {state|policy} list' output to a certain address
    family and to delete all states/policies by family.
    
    Although preferred_family was already set in filters, the filter
    function ignored it. To enable filtering despite the lack of other
    selectors, filter.use has to be set if family is not AF_UNSPEC.
    
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
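
The filter behaviour described in the commit message above, as an added example that is not iproute2's code or part of the original report: a simplified C model that counts how many states a family-restricted `deleteall` would remove before and after the fix. `struct sa`, `struct sa_filter`, `make_filter`, `sa_matches` and `deleteall_count` are hypothetical names, and the SA table is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h> /* AF_UNSPEC, AF_INET, AF_INET6 */

/* Simplified model; all names here are hypothetical, not iproute2's. */
struct sa { int family; unsigned int spi; };
struct sa_filter { int use; int family; };

/* Constructed sample: two IPv4 and three IPv6 states. */
static const struct sa sample_sas[] = {
    { AF_INET, 0x1000 }, { AF_INET6, 0x2000 }, { AF_INET, 0x1001 },
    { AF_INET6, 0x2001 }, { AF_INET6, 0x2002 },
};
#define N_SAS (sizeof(sample_sas) / sizeof(sample_sas[0]))

/* fixed == 0 models the behaviour before the commit, fixed == 1 after it. */
static struct sa_filter make_filter(int preferred_family, int fixed)
{
    struct sa_filter f = { 0, preferred_family };
    /* The fix: a family alone is enough to switch the filter on. */
    if (fixed && preferred_family != AF_UNSPEC)
        f.use = 1;
    return f;
}

static int sa_matches(const struct sa_filter *f, const struct sa *s, int fixed)
{
    if (!f->use)
        return 1; /* filter off: every state matches */
    if (fixed && f->family != AF_UNSPEC && f->family != s->family)
        return 0; /* the fix: family is now compared */
    return 1;     /* other selectors are left out of this model */
}

/* Number of states a family-restricted deleteall would remove. */
static size_t deleteall_count(int preferred_family, int fixed)
{
    struct sa_filter f = make_filter(preferred_family, fixed);
    size_t n = 0;
    for (size_t i = 0; i < N_SAS; i++)
        n += (size_t)sa_matches(&f, &sample_sas[i], fixed);
    return n;
}

int main(void)
{
    printf("-6 before fix: %zu\n", deleteall_count(AF_INET6, 0));
    printf("-6 after fix:  %zu\n", deleteall_count(AF_INET6, 1));
    return 0;
}
```

In the pre-fix model the `-6` run removes all five states, including the two IPv4 ones, which is the outcome to look for when verifying a build.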

Comment 13 errata-xmlrpc 2019-11-05 22:26:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3602