ipsec: policy priority management is broken
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Xenial | Fix Released | High | Unassigned | |
| Bionic | Fix Released | High | Unassigned | |
| Focal | Fix Released | High | Unassigned | |
| linux-hwe (Ubuntu) | Invalid | Undecided | Unassigned | |
| Xenial | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | High | Unassigned | |
| Focal | Invalid | Undecided | Unassigned | |
| linux-oem-5.6 (Ubuntu) | Invalid | Undecided | Unassigned | |
| Xenial | Invalid | Undecided | Unassigned | |
| Bionic | Invalid | Undecided | Unassigned | |
| Focal | Fix Released | High | Unassigned | |
Bug Description
[Impact]
When the user tries to update the priority field of an SP, the SP is not updated *AND* a new SP is created. This results in a broken IPsec configuration.
This problem has been fixed in the upstream commit 4f47e8ab6ab7 ("xfrm: policy: match with both mark and mask on user interfaces"):
https:/
[Test Case]
root@dut-vm:~# uname -a
Linux dut-vm 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@dut-vm:~# ip xfrm policy flush
root@dut-vm:~# ip xfrm policy
root@dut-vm:~# ip xfrm policy add src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp dir in action allow priority 9 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
root@dut-vm:~# ip xfrm policy
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
dir in priority 9
tmpl src 3.3.3.3 dst 4.4.4.4
root@dut-vm:~# ip xfrm policy update src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp dir in priority 5 tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
root@dut-vm:~# ip xfrm policy
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
dir in priority 5
tmpl src 3.3.3.3 dst 4.4.4.4
src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp
dir in priority 9
tmpl src 3.3.3.3 dst 4.4.4.4
root@dut-vm:~#
=> Now there are 2 SPs instead of 1.
[Regression Potential]
The patch affects the xfrm stack only. Thus, the potential regressions are limited to this area.
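The following check script is an added example and is not part of the bug report or of the kernel fix. It takes the output of `ip xfrm policy` after the add-then-update sequence from the test case above and classifies the kernel: one SP matching the selector means `update` replaced the policy in place (the behaviour after upstream 4f47e8ab6ab7), two or more means the update added a duplicate (the bug). The two sample outputs are constructed, not captured from a host, and the function names are this example's own. The `live` mode re-runs the reporter's commands, which flush every SP on the host, so use it only on a disposable test VM.

```shell
#!/bin/sh
# Added example (not from the bug report): decide from `ip xfrm policy` output
# whether a priority update duplicated an SP (bug) or replaced it (fixed kernel).

# Count the top-level selector lines that exactly equal the given selector.
# Selector lines are unindented; the "dir"/"tmpl" lines below them differ,
# so an exact whole-line match (-x -F) counts policies, not sub-lines.
# grep -c exits 1 when the count is 0; "|| true" keeps that from aborting
# a caller running under "set -e" while the "0" is still printed.
count_policies() {
    # $1 = captured `ip xfrm policy` output, $2 = selector line to look for
    printf '%s\n' "$1" | grep -c -x -F -- "$2" || true
}

# 0 matches: the SP is missing; 1: update replaced it (fixed); 2+: duplicated (affected).
verdict() {
    n=$(count_policies "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "missing"
    elif [ "$n" -eq 1 ]; then
        echo "fixed"
    else
        echo "affected"
    fi
}

# Selector used by the reporter's test case.
SELECTOR='src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp'

# Constructed sample outputs (not captured from a real host). Sub-lines carry a
# leading tab, as `ip xfrm policy` prints them.
SAMPLE_AFFECTED="$(printf 'src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp\n\tdir in priority 5\n\ttmpl src 3.3.3.3 dst 4.4.4.4\nsrc 1.1.1.1/24 dst 2.2.2.2/24 proto tcp\n\tdir in priority 9\n\ttmpl src 3.3.3.3 dst 4.4.4.4')"
SAMPLE_FIXED="$(printf 'src 1.1.1.1/24 dst 2.2.2.2/24 proto tcp\n\tdir in priority 5\n\ttmpl src 3.3.3.3 dst 4.4.4.4')"

# Re-run the reporter's test case on this host and classify the result.
# Needs root and iproute2; flushes ALL SPs, so only run on a test VM.
# Usage: sh xfrm_prio_check.sh live
repro_live() {
    ip xfrm policy flush
    # $SELECTOR is deliberately unquoted so it splits into separate arguments.
    ip xfrm policy add $SELECTOR dir in action allow priority 9 \
        tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
    ip xfrm policy update $SELECTOR dir in priority 5 \
        tmpl src 3.3.3.3 dst 4.4.4.4 proto esp mode tunnel reqid 1
    out=$(ip xfrm policy)
    verdict "$out" "$SELECTOR"
    ip xfrm policy flush   # leave no test SPs behind
}

case "${1:-}" in
    live) repro_live ;;
esac
```

Without the `live` argument the script only defines the functions and sample data, so it can be sourced from an SRU verification script; `verdict "$(ip xfrm policy)" "$SELECTOR"` after the two `ip xfrm policy` commands is the whole check.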
Changed in linux (Ubuntu): status: Incomplete → Fix Released
Changed in linux (Ubuntu Eoan): status: New → Triaged
Changed in linux (Ubuntu Focal): status: New → Triaged
no longer affects: linux (Ubuntu Eoan)
no longer affects: linux-hwe (Ubuntu Eoan)
Changed in linux (Ubuntu Bionic): status: New → Invalid
Changed in linux-hwe (Ubuntu Focal): status: New → Invalid
Changed in linux-hwe (Ubuntu): status: New → Invalid
Changed in linux-hwe (Ubuntu Bionic): status: New → Triaged; importance: Undecided → High
Changed in linux (Ubuntu Focal): importance: Undecided → High
Changed in linux (Ubuntu Focal): status: Triaged → Fix Committed
Changed in linux-hwe (Ubuntu Bionic): status: Triaged → Fix Committed
Changed in linux-oem-5.6 (Ubuntu Xenial): status: New → Invalid
Changed in linux-oem-5.6 (Ubuntu Bionic): status: New → Invalid
Changed in linux-oem-5.6 (Ubuntu): status: New → Confirmed
Changed in linux (Ubuntu Bionic): status: Triaged → Fix Committed
Changed in linux (Ubuntu Xenial): status: Triaged → Fix Committed
Changed in linux-oem-5.6 (Ubuntu Focal): importance: Undecided → High; status: New → Confirmed
Changed in linux-oem-5.6 (Ubuntu): status: Confirmed → Invalid
tags: added: verification-done-bionic verification-done-focal; removed: verification-needed-bionic verification-needed-focal
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1890796
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.