From: Tobias Brunner
Date: Thu, 1 Feb 2018 16:10:19 +0000 (+0100)
Subject: testing: Ignore IP-in-IP SAs created with IPComp SAs that remain in the kernel
X-Git-Tag: 5.6.2dr4~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4492c9c670f5b0dc30dd4d00ffc4c371ae40a01f;p=thirdparty%2Fstrongswan.git

testing: Ignore IP-in-IP SAs created with IPComp SAs that remain in the kernel

The kernel creates such SAs to handle uncompressed small packets. They are implicitly created and deleted with IPComp SAs. The problem is that when we delete an IPComp SA only that state is deleted and removed from the SA lists immediately, the IP-in-IP state is not removed until the IPComp state is eventually destroyed. This could take a while if there are still references to it around. So the IP-in-IP states will keep getting reported by ip xfrm state until that happens (we also can't flush or explicitly delete such kernel-created states).

In kernels before 4.14 this wasn't really a problem but since ec30d78c14a8 ("xfrm: add xdst pcpu cache") the kernel seems to keep the references to the last used SAs around a lot longer. Also, usually a test scenario following an IPComp scenario will create and use new SAs and thus the cached SAs will disappear before the kernel state is checked again. However, if a following scenario uses different hosts the states might remain, which caused some unrelated scenarios to fail before adding this fix.
---

diff --git a/testing/do-tests b/testing/do-tests index 38999ea615..6415295333 100755 --- a/testing/do-tests +++ b/testing/do-tests 
@@ -776,8 +776,10 @@ do do eval HOSTLOGIN=root@\$ipv4_${host} IPSECSTATE=`ssh $SSHCONF $HOSTLOGIN 'ip xfrm state'` + # ignore IPv4/v6 states created with IPComp SAs + IPSECSTATEISSUE=`echo "$IPSECSTATE" | grep 'proto.*spi' | grep -v 'proto 4'` IPSECPOLICY=`ssh $SSHCONF $HOSTLOGIN 'ip xfrm policy'` - if [ -n "$IPSECSTATE" -o -n "$IPSECPOLICY" ] + if [ -n "$IPSECSTATEISSUE" -o -n "$IPSECPOLICY" ] then echo -e "\n$host# ip xfrm state [NO]" >> $CONSOLE_LOG echo "$IPSECSTATE" >> $CONSOLE_LOG
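
Review bot: the filter `grep -v 'proto 4'` in the added IPSECSTATEISSUE line is an unanchored substring match, so it discards every state line whose protocol field merely begins with 4, not only the IP-in-IP states the comment names. If the intent is IP protocol 4 (IPv4 encapsulation) and 41 (IPv6 encapsulation), which the comment's "IPv4/v6" suggests without giving numbers, say so in the comment and match the field exactly, for example `grep -Ev 'proto (4|41) '`, so that a leftover state with any other numeric protocol still fails the check. The failure branch also still writes the unfiltered $IPSECSTATE to $CONSOLE_LOG, so when only a policy remains the log lists the ignored kernel-created states under the [NO] marker; logging $IPSECSTATEISSUE, or noting in the log which states were ignored, would make the cause of a failure easier to read.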