group.of.nepali.translators team mailing list archive
Message #36490
[Bug 1890796] Re: ipsec: policy priority management is broken
The same offending patch was already released with Xenial and is applied
to the current SRU cycle for Bionic. Those would also need to be fixed.

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: linux-hwe (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Bionic)
       Status: Invalid => Triaged

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: linux (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux-hwe (Ubuntu Xenial)
       Status: New => Invalid

--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1890796

Title:
  ipsec: policy priority management is broken

Status in linux package in Ubuntu:
  Fix Released
Status in linux-hwe package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  Triaged
Status in linux-hwe source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  Triaged
Status in linux-hwe source package in Bionic:
  Triaged
Status in linux source package in Focal:
  Triaged
Status in linux-hwe source package in Focal:
  Invalid

Bug description:
[Impact]
When the user tries to update the priority field of an SP, the SP is
not updated *AND* a new SP is created. This results in a broken IPsec
configuration.
This problem has been fixed in the upstream commit 4f47e8ab6ab7 ("xfrm: policy: match with both mark and mask on user interfaces"):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f47e8ab6ab7
[Test Case]
root@dut-vm:~# uname -a
Linux dut-vm 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@dut-vm:~# ip xfrm policy flush
root@dut-vm:~# ip xfrm policy
root@dut-vm:~# ip xfrm policy add src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp dir in action allow priority 9 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
root@dut-vm:~# ip xfrm policy
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
    dir in priority 9
    tmpl src 3.3.3.3 dst 4.4.4.4
        proto esp reqid 1 mode tunnel
root@dut-vm:~# ip xfrm policy update src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp dir in priority 5 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
root@dut-vm:~# ip xfrm policy
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
    dir in priority 5
    tmpl src 3.3.3.3 dst 4.4.4.4
        proto esp reqid 1 mode tunnel
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
    dir in priority 9
    tmpl src 3.3.3.3 dst 4.4.4.4
        proto esp reqid 1 mode tunnel
root@dut-vm:~#
=> Now, there are 2 SPs instead of 1.
[Regression Potential]
The patch affects the xfrm stack only. Thus, the potential regressions
are limited to this area.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1890796/+subscriptions
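
Added example (not part of the bug report or of the kernel fix): a shell function that reads `ip xfrm policy` output and reports SPs listed more than once with the same selector and direction, which is the symptom shown in the test case above. The names find_duplicate_sp and SAMPLE, and the treatment of a "mark" line as part of the policy identity, are assumptions of this example.

```shell
#!/bin/sh
# Added example: report security policies (SPs) that appear more than once
# in `ip xfrm policy` output with the same selector, direction and mark.
# Assumption: a "mark ..." line, when present, is part of the SP identity.
find_duplicate_sp() {
    awk '
    function flush_policy(   key) {
        if (sel == "") return
        key = sel " dir " dir (mark != "" ? " " mark : "")
        if (count[key]++ == 0) {
            order[++n] = key; prios[key] = prio
        } else prios[key] = prios[key] "," prio
        sel = ""; dir = ""; prio = ""; mark = ""
    }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }     # listing is indented; trim it
    $1 == "src" { flush_policy(); sel = $0; next } # selector line starts a new SP
    $1 == "dir" {
        dir = $2
        for (i = 3; i < NF; i++) if ($i == "priority") prio = $(i + 1)
        next
    }
    $1 == "mark" { mark = $0; next }
    END {
        flush_policy()
        for (i = 1; i <= n; i++)
            if (count[order[i]] > 1) {
                printf "%s: priorities %s\n", order[i], prios[order[i]]
                dup = 1
            }
        exit (dup ? 1 : 0)   # non-zero exit status when a duplicate exists
    }'
}

# Constructed sample: the listing from the test case after the update.
SAMPLE='src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
    dir in priority 5
    tmpl src 3.3.3.3 dst 4.4.4.4
        proto esp reqid 1 mode tunnel
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
    dir in priority 9
    tmpl src 3.3.3.3 dst 4.4.4.4
        proto esp reqid 1 mode tunnel'

# On a live host: ip xfrm policy | find_duplicate_sp
printf '%s\n' "$SAMPLE" | find_duplicate_sp || echo "duplicate SP present"
```

The non-zero exit status makes the function usable as a post-change check after any `ip xfrm policy update` on a kernel that may carry the regression.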