[Openswan dev] ip xfrm bug

Herbert Xu herbert at gondor.apana.org.au
Fri Dec 14 04:16:59 EST 2007

On Thu, Nov 29, 2007 at 11:41:04AM -0500, Paul Wouters wrote:
> I just encountered an ip xfrm bug.

Hi Paul:

Sorry for the late response.  You caught me as I was flying
back and forth between Sydney and China :)

> So I ran: ip xfrm policy deleteall

OK, the usual way to do it is

	ip xfrm policy flush

which lets the kernel delete all policies.  The deleteall command
is done in user-space.  As a result deleteall keeps trying to delete
until the number of policies hits zero.  The bug here is that it
is including socket policies in the number of policies.

You can't delete socket policies because they belong to sockets
which belong to individual processes (and pluto in this case).

Stephen, could you look into this?

> The other end was also a netkey system. The command returned fine there,
> but a minute later came me a kernel oops:

OK this looks bad.  Can you reproduce this with a more recent

Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
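
The loop described in the message above, as a simplified C model added here for illustration (not iproute2 or kernel code, and not from the original post). The struct, the constants and every function name are assumptions; the model only shows why a count that includes undeletable socket policies never reaches zero, and that skipping them lets the loop finish.

```c
/* Model of a user-space "delete until the count is zero" loop.
 * Added illustration: not iproute2 or kernel source; all names are assumed. */
#include <stdio.h>
#include <stddef.h>

#define DIR_MAX  3  /* assumed: dir >= DIR_MAX marks a per-socket policy */
#define MAX_PASS 8  /* demo cap so the miscounting variant still returns */

struct policy { int dir; int present; };
static int is_socket(const struct policy *p) { return p->dir >= DIR_MAX; }

/* Stand-in for the kernel: a policy owned by a socket cannot be deleted. */
static int kernel_delete(struct policy *p)
{
    if (is_socket(p)) return -1;
    p->present = 0;
    return 0;
}

/* One dump-and-delete pass; returns how many policies were counted. */
static int one_pass(struct policy *tab, size_t n, int count_socket)
{
    int counted = 0;
    for (size_t i = 0; i < n; i++) {
        if (!tab[i].present || (is_socket(&tab[i]) && !count_socket))
            continue;
        counted++;
        kernel_delete(&tab[i]);
    }
    return counted;
}

/* Returns the number of passes used, or -1 if still looping at MAX_PASS. */
int deleteall(struct policy *tab, size_t n, int count_socket)
{
    for (int pass = 1; pass <= MAX_PASS; pass++)
        if (one_pass(tab, n, count_socket) == 0)
            return pass;
    return -1;
}

int main(void)
{
    struct policy a[] = {{0, 1}, {1, 1}, {3, 1}, {4, 1}}; /* constructed: 2 ordinary, 2 socket */
    struct policy b[] = {{0, 1}, {1, 1}, {3, 1}, {4, 1}};
    printf("counting socket policies: %d\n", deleteall(a, 4, 1));
    printf("skipping socket policies: %d\n", deleteall(b, 4, 0));
    return 0;
}
```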
