Public bug reported:
[Impact]
When the user tries to update the priority field of a SP, the SP is not
updated *AND* a new SP is created. This results to a broken IPsec
configuration.
This problem has been fixed in the upstream commit 4f47e8ab6ab7 ("xfrm: policy:
match with both mark and mask on user interfaces"):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f47e8ab6ab7
[Test Case]
root@dut-vm:~# uname -a
Linux dut-vm 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC
2020 x86_64 x86_64 x86_64 GNU/Linux
root@dut-vm:~# ip xfrm policy flush
root@dut-vm:~# ip xfrm policy
root@dut-vm:~# ip xfrm policy add src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp dir
in action allow priority 9 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel
reqid 1
root@dut-vm:~# ip xfrm policy
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
dir in priority 9
tmpl src 3.3.3.3 dst 4.4.4.4
proto esp reqid 1 mode tunnel
root@dut-vm:~# ip xfrm policy update src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
dir in priority 5 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
root@dut-vm:~# ip xfrm policy
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
dir in priority 5
tmpl src 3.3.3.3 dst 4.4.4.4
proto esp reqid 1 mode tunnel
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
dir in priority 9
tmpl src 3.3.3.3 dst 4.4.4.4
proto esp reqid 1 mode tunnel
root@dut-vm:~#
=> Now, there is 2 SP instead of 1.
[Regression Potential]
The patch affects the xfrm stack only. Thus, the potential regressions
are limited to this area.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1890796
Title:
ipsec: policy priority management is broken
Status in linux package in Ubuntu:
New
Bug description:
[Impact]
When the user tries to update the priority field of a SP, the SP is
not updated *AND* a new SP is created. This results to a broken IPsec
configuration.
This problem has been fixed in the upstream commit 4f47e8ab6ab7 ("xfrm:
policy: match with both mark and mask on user interfaces"):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f47e8ab6ab7
[Test Case]
root@dut-vm:~# uname -a
Linux dut-vm 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC
2020 x86_64 x86_64 x86_64 GNU/Linux
root@dut-vm:~# ip xfrm policy flush
root@dut-vm:~# ip xfrm policy
root@dut-vm:~# ip xfrm policy add src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp dir
in action allow priority 9 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel
reqid 1
root@dut-vm:~# ip xfrm policy
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
dir in priority 9
tmpl src 3.3.3.3 dst 4.4.4.4
proto esp reqid 1 mode tunnel
root@dut-vm:~# ip xfrm policy update src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
dir in priority 5 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
root@dut-vm:~# ip xfrm policy
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
dir in priority 5
tmpl src 3.3.3.3 dst 4.4.4.4
proto esp reqid 1 mode tunnel
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
dir in priority 9
tmpl src 3.3.3.3 dst 4.4.4.4
proto esp reqid 1 mode tunnel
root@dut-vm:~#
=> Now, there is 2 SP instead of 1.
[Regression Potential]
The patch affects the xfrm stack only. Thus, the potential regressions
are limited to this area.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1890796/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
