Bug 1656717 - RFE: support xfrm state flush for specific family
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: iproute
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.1
Assignee: Andrea Claudi
QA Contact: Jaroslav Aster
Depends On: 1656714 1679662
Reported: 2018-12-06 07:23 UTC by xmu
Modified: 2019-11-05 22:26 UTC

Fixed In Version: iproute-4.18.0-13.el8
Clone Of: 1656714
Last Closed: 2019-11-05 22:26:40 UTC
Type: Bug


Links
Red Hat Product Errata: RHEA-2019:3602 (Priority: None, Status: None, Summary: None, Last Updated: 2019-11-05 22:26:57 UTC)

Comment 2 Phil Sutter 2018-12-14 15:03:06 UTC
Command 'ip xfrm state flush' triggers the xfrm_state_flush() function in the kernel (net/xfrm/xfrm_state.c). That function doesn't support filtering by address family.

Looking at the iproute code, I see that 'ip xfrm state list' indeed supports filtering by address family. It uses an XFRM_MSG_GETSA dump request internally. By adding an XFRMA_ADDRESS_FILTER attribute, one could add the same functionality to the 'ip xfrm state deleteall' command.

This is not a regression, right?

Comment 3 xmu 2018-12-17 05:49:17 UTC
Yes, not a regression, rhel7.5 also has the same issue.

Comment 4 Phil Sutter 2018-12-18 14:48:31 UTC
Hi,

(In reply to xmu from comment #3)
> Yes, not a regression, rhel7.5 also has the same issue.

Thanks for clarification. I'll hereby make this a feature request and move to RHEL8.1 accordingly. Feel free to revert if you disagree.

Cheers, Phil

Comment 6 Phil Sutter 2019-04-29 14:01:47 UTC
Fix sent upstream: https://marc.info/?l=linux-netdev&m=155654066930378&w=2

Xiumei, if time allows, could you please test if it fixes your issue? Note that you will have to use 'deleteall' instead of 'flush' and that by default, it will still remove both IPv4 and IPv6 entries. But specifying either of -4 or -6 flags will limit the effect to that address family.

Cheers, Phil
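
Added example, not part of the original thread or of iproute: a shell check that a family-limited 'ip -4|-6 xfrm state deleteall' emptied only the selected family, by comparing 'ip xfrm state list' dumps taken before and after. The function names and the sample dumps (documentation addresses, made-up SPIs) are constructed for illustration.

```shell
#!/bin/sh
# Count SAs per address family in 'ip xfrm state list' output read from stdin.
# Each SA starts with an unindented "src ADDR dst ADDR" line; the selector
# line ("sel src ...") is tab-indented, so it is not counted.
count_sa_by_family() {
    awk '/^src / { if (index($2, ":")) v6++; else v4++ }
         END { printf "v4=%d v6=%d\n", v4, v6 }'
}

# verify_family_delete FLAG BEFORE AFTER   (hypothetical helper)
# FLAG is -4 or -6; BEFORE/AFTER are dumps taken around the deleteall.
# Returns 0 only if the selected family is now empty AND the other family
# still has the same number of SAs (i.e. it was not flushed as well).
verify_family_delete() {
    flag=$1
    before=$(printf '%s\n' "$2" | count_sa_by_family)
    after=$(printf '%s\n' "$3" | count_sa_by_family)
    b4=${before#v4=}; b4=${b4%% *}; b6=${before##*v6=}
    a4=${after#v4=};  a4=${a4%% *}; a6=${after##*v6=}
    case $flag in
        -4) [ "$a4" -eq 0 ] && [ "$a6" -eq "$b6" ] ;;
        -6) [ "$a6" -eq 0 ] && [ "$a4" -eq "$b4" ] ;;
        *)  return 2 ;;
    esac
}

# Constructed sample dumps: one IPv4 SA and one IPv6 SA.
SA4=$(printf 'src 192.0.2.1 dst 192.0.2.2\n\tproto esp spi 0x00001000 reqid 1 mode transport\n\tsel src 0.0.0.0/0 dst 0.0.0.0/0')
SA6=$(printf 'src 2001:db8::1 dst 2001:db8::2\n\tproto esp spi 0x00002000 reqid 2 mode transport\n\tsel src ::/0 dst ::/0')
BEFORE=$(printf '%s\n%s' "$SA4" "$SA6")

# On a patched host (needs root), the same check against live state:
#   before=$(ip xfrm state list); ip -4 xfrm state deleteall
#   after=$(ip xfrm state list);  verify_family_delete -4 "$before" "$after"
```

A non-zero return after 'ip -4 xfrm state deleteall' means either IPv4 SAs survived or the IPv6 SAs were removed too, which is what an unfiltered delete would do.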

Comment 7 xmu 2019-04-30 02:18:32 UTC
Phil,
 I'm much too busy doing rhel7.7 testing recently. I'm not sure when I'll have time to do this. How about I test this when it goes to ON_QA?

Comment 8 Phil Sutter 2019-05-03 11:40:57 UTC
Hi Xiumei,

(In reply to xmu from comment #7)
> Phil,
>  I'm much too busy doing rhel7.7 testing recently. I'm not sure when I'll
> have time to do this. How about I test this when it goes to ON_QA?

Sure, no problem!

Comment 9 Phil Sutter 2019-05-09 16:52:53 UTC
Upstream commit to backport:

commit cd21ae40130b4d1ddb3ef500800840e35e7bfad1
Author: Phil Sutter <phil@nwl.cc>
Date:   Mon May 6 19:09:56 2019 +0200

    ip-xfrm: Respect family in deleteall and list commands
    
    Allow to limit 'ip xfrm {state|policy} list' output to a certain address
    family and to delete all states/policies by family.
    
    Although preferred_family was already set in filters, the filter
    function ignored it. To enable filtering despite the lack of other
    selectors, filter.use has to be set if family is not AF_UNSPEC.
    
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>

Comment 13 errata-xmlrpc 2019-11-05 22:26:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3602

