ipsec: Safely delete xfrm state

Signed-off-by: Gray <[email protected]>

pkg/datapath/linux/ipsec/ipsec_linux.go

@@ -761,14 +761,51 @@ func ipsecDeleteXfrmState(nodeID uint16) error {
 
  errs := resiliency.NewErrorSet(fmt.Sprintf("failed to delete node (%d) xfrm states", nodeID), len(xfrmStateList))
  for _, s := range xfrmStatesToDelete {
- if err := netlink.XfrmStateDel(&s); err != nil {
+ if err := safelyDeleteXfrmState(&s, xfrmStateList); err != nil {
  errs.Add(fmt.Errorf("failed to delete xfrm state (%s): %w", s.String(), err))
  }
  }
 
  return errs.Error()
 }
 
+func safelyDeleteXfrmState(state *netlink.XfrmState, stateList []netlink.XfrmState) (err error) {
+
+ if getDirFromXfrmMark(state.Mark) == dirIngress && ipsec.GetNodeIDFromXfrmMark(state.Mark) != 0 {
+ oldXFRMInMark := &netlink.XfrmMark{
+ Value: linux_defaults.RouteMarkDecrypt,
+ Mask: linux_defaults.IPsecMarkBitMask,
+ }
+
+ errs := resiliency.NewErrorSet("failed to delete old xfrm states", len(stateList))
+
+ scopedLog := log.WithFields(logrus.Fields{
+ logfields.SPI: state.Spi,
+ logfields.SourceIP: state.Src,
+ logfields.DestinationIP: state.Dst,
+ logfields.TrafficDirection: getDirFromXfrmMark(state.Mark),
+ logfields.NodeID: getNodeIDAsHexFromXfrmMark(state.Mark),
+ })
+
+ for _, s := range stateList {
+ if s.Spi == state.Spi && xfrmIPEqual(s.Dst, state.Dst) && xfrmMarkEqual(s.Mark, oldXFRMInMark) {
+ err, deferFn := xfrmTemporarilyRemoveState(scopedLog, s, string(dirIngress))
+ if err != nil {
+ errs.Add(fmt.Errorf("Failed to remove old XFRM %s state %s: %w", string(dirIngress), s.String(), err))
+ } else {
+ defer deferFn()
+ }
+ }
+ }
+ if err := errs.Error(); err != nil {
+ scopedLog.WithError(err).Error("Failed to clean up old XFRM state")
+ return err
+ }
+ }
+
+ return netlink.XfrmStateDel(state)
+}
+
 func ipsecDeleteXfrmPolicy(nodeID uint16) error {
  scopedLog := log.WithFields(logrus.Fields{
  logfields.NodeID: nodeID,