From 7c1351ea866ec811ade4452b5f1791b34b0effe3 Mon Sep 17 00:00:00 2001

From: Andrea Claudi <aclaudi@redhat.com>

Date: Thu, 16 Apr 2020 12:10:23 +0200

Subject: [PATCH] xfrm: not try to delete ipcomp states when using deleteall

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1808634

Upstream Status: iproute2.git commit f9d696cf414c2

commit f9d696cf414c2c475764aa3b29cf288350f1e21f

Author: Xin Long <lucien.xin@gmail.com>

Date:   Mon Feb 24 09:57:01 2020 -0500

    xfrm: not try to delete ipcomp states when using deleteall

    In kernel space, ipcomp(sub) states used by main states are not

    allowed to be deleted by users, they would be freed only when

    all main states are destroyed and no one uses them.

    In user space, ip xfrm sta deleteall doesn't filter these ipcomp

    states out, and it causes errors:

      # ip xfrm state add src 192.168.0.1 dst 192.168.0.2 spi 0x1000 \

          proto comp comp deflate mode tunnel sel src 192.168.0.1 dst \

          192.168.0.2 proto gre

      # ip xfrm sta deleteall

      Failed to send delete-all request

      : Operation not permitted

    This patch is to fix it by filtering ipcomp states with a check

    xsinfo->id.proto == IPPROTO_IPIP.

    Fixes: c7699875bee0 ("Import patch ipxfrm-20040707_2.diff")

    Signed-off-by: Xin Long <lucien.xin@gmail.com>

    Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>

---

 ip/xfrm_state.c | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c

index 7b413cd9b9a22..d014444e9af4f 100644

--- a/ip/xfrm_state.c

+++ b/ip/xfrm_state.c

@@ -1131,6 +1131,9 @@ static int xfrm_state_keep(struct nlmsghdr *n, void *arg)

 	if (!xfrm_state_filter_match(xsinfo))

 		return 0;

+	if (xsinfo->id.proto == IPPROTO_IPIP)

+		return 0;

+

 	if (xb->offset > xb->size) {

 		fprintf(stderr, "State buffer overflow\n");

 		return -1;

-- 

2.25.4