The deleteall command in the setkey utility is non-functional at the moment. The kernel code, conforming to the RFC, only implements the SADB_DELETE and SADB_FLUSH commands for removing SAD entries, which deletes entries that match a specified source address, destination address, protocol specification, and SPI specification. The deleteall command generates an SADB_DELETE message for the kernel, but fails to:
1) include the SADB_EXT header in the message
2) generate multiple messages if there are multiple entries matching the provided <src,dst> tuple with differing SPI values.
The attached patch cleans this up. With this patch, when the deleteall command is issued, a SADB_DUMP command is first sent down, and the results are filtered to collect the required SPI entries that match the src,dst specification. For each collected SPI, an SADB delete command (complete with SADB_EXT header) is created and sent to the kernel. I've tested this locally here with successful results.
Thanks and regards
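An added illustration, not the attached patch and not ipsec-tools code: a self-contained C model of the corrected deleteall flow described above. It assumes RFC 2367 message-type and extension-type values and wire layouts (redefined locally so it compiles without <linux/pfkeyv2.h>), takes a constructed list of SAD entries in place of a real SADB_DUMP reply, and builds one SADB_DELETE per matching SPI with the SA extension present, which is exactly the two defects the message lists.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 2367 values and layouts (on Linux these come from <linux/pfkeyv2.h>);
 * they are redefined here only so the example builds without kernel headers. */
#define PF_KEY_V2            2
#define SADB_DELETE          4
#define SADB_EXT_SA          1
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define SADB_SATYPE_ESP      3
#define PFKEY_UNIT64(bytes)  ((uint16_t)((bytes) / 8))  /* PF_KEY lengths count 64-bit words */

struct sadb_msg     { uint8_t version, type, err, satype; uint16_t len, reserved; uint32_t seq, pid; };
struct sadb_ext     { uint16_t len, type; };
struct sadb_sa      { uint16_t len, exttype; uint32_t spi; uint8_t replay, state, auth, encrypt; uint32_t flags; };
struct sadb_address { uint16_t len, exttype; uint8_t proto, prefixlen; uint16_t reserved; };

/* One SAD entry as already parsed out of an SADB_DUMP reply (the reply parsing is out of scope). */
struct sad_entry { const char *src; const char *dst; uint8_t satype; uint32_t spi; };

/* Constructed sample "dump": two ESP SAs for 10.0.0.1->10.0.0.2 with different SPIs,
 * one to another peer and one in the reverse direction (neither must be deleted). */
const struct sad_entry sample_dump[] = {
    { "10.0.0.1", "10.0.0.2", SADB_SATYPE_ESP, 0x1001 },
    { "10.0.0.1", "10.0.0.2", SADB_SATYPE_ESP, 0x1002 },
    { "10.0.0.1", "10.0.0.3", SADB_SATYPE_ESP, 0x1003 },
    { "10.0.0.2", "10.0.0.1", SADB_SATYPE_ESP, 0x2001 },
};
const size_t sample_dump_len = sizeof sample_dump / sizeof sample_dump[0];

#define MAX_MSG 128  /* sadb_msg + sadb_sa + two IPv4 address extensions = 80 bytes */

/* Appends an address extension: 8-byte header followed by a sockaddr_in (already a multiple of 8). */
static size_t put_address(uint8_t *p, uint16_t exttype, const char *ip)
{
    struct sadb_address a = { 0 };
    struct sockaddr_in sin = { 0 };
    a.len = PFKEY_UNIT64(sizeof(struct sadb_address) + sizeof(struct sockaddr_in));
    a.exttype = exttype;
    a.prefixlen = 32;
    sin.sin_family = AF_INET;
    inet_pton(AF_INET, ip, &sin.sin_addr);
    memcpy(p, &a, sizeof a);
    memcpy(p + sizeof a, &sin, sizeof sin);
    return sizeof a + sizeof sin;
}

/* Builds one SADB_DELETE for a single SPI, carrying the SA extension the broken code omitted. */
size_t build_delete(uint8_t *buf, const char *src, const char *dst,
                    uint8_t satype, uint32_t spi, uint32_t seq)
{
    size_t off = sizeof(struct sadb_msg);
    struct sadb_sa sa = { 0 };
    struct sadb_msg m = { 0 };
    sa.len = PFKEY_UNIT64(sizeof sa);
    sa.exttype = SADB_EXT_SA;
    sa.spi = htonl(spi);                    /* SPI is carried in network byte order */
    memcpy(buf + off, &sa, sizeof sa);
    off += sizeof sa;
    off += put_address(buf + off, SADB_EXT_ADDRESS_SRC, src);
    off += put_address(buf + off, SADB_EXT_ADDRESS_DST, dst);
    m.version = PF_KEY_V2; m.type = SADB_DELETE; m.satype = satype;
    m.len = PFKEY_UNIT64(off); m.seq = seq; m.pid = 0;
    memcpy(buf, &m, sizeof m);              /* header last, once the total length is known */
    return off;
}

/* The fixed deleteall: filter the dump by <src,dst>, then emit one delete per matching SPI.
 * Returns the number of messages written into msgs[]/lens[]. */
size_t deleteall(const struct sad_entry *dump, size_t n, const char *src, const char *dst,
                 uint8_t msgs[][MAX_MSG], size_t *lens, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < max; i++) {
        if (strcmp(dump[i].src, src) != 0 || strcmp(dump[i].dst, dst) != 0)
            continue;
        lens[count] = build_delete(msgs[count], src, dst, dump[i].satype, dump[i].spi, (uint32_t)count + 1);
        count++;
    }
    return count;
}

/* Walks the extension chain after the header; returns the byte offset of the first
 * extension of the given type, or 0 if absent or the chain is malformed. */
size_t find_ext(const uint8_t *buf, size_t len, uint16_t type)
{
    size_t off = sizeof(struct sadb_msg);
    while (off + sizeof(struct sadb_ext) <= len) {
        struct sadb_ext e;
        memcpy(&e, buf + off, sizeof e);
        size_t elen = (size_t)e.len * 8;
        if (elen == 0 || off + elen > len) return 0;
        if (e.type == type) return off;
        off += elen;
    }
    return 0;
}

/* Host-order SPI from the message's SA extension, or 0 if it has none. */
uint32_t msg_spi(const uint8_t *buf, size_t len)
{
    size_t off = find_ext(buf, len, SADB_EXT_SA);
    struct sadb_sa sa;
    if (off == 0) return 0;
    memcpy(&sa, buf + off, sizeof sa);
    return ntohl(sa.spi);
}

/* 1 if the header is a PF_KEY v2 SADB_DELETE whose length field matches the buffer. */
int msg_header_ok(const uint8_t *buf, size_t len)
{
    struct sadb_msg m;
    memcpy(&m, buf, sizeof m);
    return m.version == PF_KEY_V2 && m.type == SADB_DELETE && (size_t)m.len * 8 == len;
}
```

In a real setkey the messages would be written to a PF_KEY socket; here they only land in a buffer so the structure can be checked. The `find_ext` walk is also the check a reviewer would run against the old code: with no SADB_EXT_SA in the chain, `msg_spi` returns 0 and the kernel has no SPI to match on.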