From 6c28c0a3046a162698fa19f3c2f2682342905288 Mon Sep 17 00:00:00 2001

From: Andrea Claudi <aclaudi@redhat.com>

Date: Tue, 21 Apr 2020 12:49:56 +0200

Subject: [PATCH] xfrm: not try to delete ipcomp states when using deleteall

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1767328

Upstream Status: iproute2.git commit f9d696cf414c2

commit f9d696cf414c2c475764aa3b29cf288350f1e21f

Author: Xin Long <lucien.xin@gmail.com>

Date:   Mon Feb 24 09:57:01 2020 -0500

    xfrm: not try to delete ipcomp states when using deleteall

    In kernel space, ipcomp(sub) states used by main states are not

    allowed to be deleted by users, they would be freed only when

    all main states are destroyed and no one uses them.

    In user space, ip xfrm sta deleteall doesn't filter these ipcomp

    states out, and it causes errors:

      # ip xfrm state add src 192.168.0.1 dst 192.168.0.2 spi 0x1000 \

          proto comp comp deflate mode tunnel sel src 192.168.0.1 dst \

          192.168.0.2 proto gre

      # ip xfrm sta deleteall

      Failed to send delete-all request

      : Operation not permitted

    This patch is to fix it by filtering ipcomp states with a check

    xsinfo->id.proto == IPPROTO_IPIP.

    Fixes: c7699875bee0 ("Import patch ipxfrm-20040707_2.diff")

    Signed-off-by: Xin Long <lucien.xin@gmail.com>

    Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>

---

 ip/xfrm_state.c | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c

index 2222737cdd98d..8baa0eb669969 100644

--- a/ip/xfrm_state.c

+++ b/ip/xfrm_state.c

@@ -1048,6 +1048,9 @@ static int xfrm_state_keep(const struct sockaddr_nl *who,

 	if (!xfrm_state_filter_match(xsinfo))

 		return 0;

+	if (xsinfo->id.proto == IPPROTO_IPIP)

+		return 0;

+

 	if (xb->offset > xb->size) {

 		fprintf(stderr, "State buffer overflow\n");

 		return -1;

-- 

2.25.3