Yes, this is what I was looking for!

Was this support introduced recently? We updated the kernel across our
fleet recently and it magically works now.

I am now at 5.8.0-0.bpo.2-amd64 with iproute2 5.8.0


On Fri, Nov 27, 2020 at 9:22 AM Luca Boccassi <bl...@debian.org> wrote:

> Control: tags -1 moreinfo
>
> On Fri, 7 Aug 2020 09:28:55 -0300 Bernardo Soares <bsoares...@gmail.com>
> wrote:
> > dear maintainer,
> >
> > we are moving our xfrm configuration to be based on xfrm interfaces as
> > opposed to using mark values. so we use intf_id to glue the state/policy
> > and interface.
> > right now i found out that, while the states can be managed just fine,
> the
> > policy won't be deleted as the mark value seems to be the only key we can
> > use to reference a policy.
> >
> > example:
> >
> > ```
> > ip xfrm policy update src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 200000 ptype main tmpl src 1.2.3.4 dst 4.3.2.1 proto esp spi 0x12345678 reqid 4096 mode tunnel if_id 0x100
> >
> > root@ca870b7a2863:/opt/src# ip xfrm policy ls
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         dir out priority 200000 ptype main
> >         tmpl src 1.2.3.4 dst 4.3.2.1
> >                 proto esp spi 0x12345678 reqid 4096 mode tunnel
> >         if_id 0x100
> >
> > root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0 dir out if_id 4096
> > Error: argument "if_id" is wrong: unknown
> > root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0 dir out if_id 0x100
> > Error: argument "if_id" is wrong: unknown
> > root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0 dir out mark 0x100
> > RTNETLINK answers: No such file or directory
> > root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0 dir out mark 4096
> > RTNETLINK answers: No such file or directory
> > root@ca870b7a2863:/opt/src# ip xfrm policy del src 0.0.0.0/0 dst 0.0.0.0/0 dir out spi 0x12345678
> > Error: argument "spi" is wrong: unknown
> > root@ca870b7a2863:/opt/src#
> > ```
>
> Hi,
>
> The policy can be deleted with an identifier, which doesn't have to be
> a mark. It can be if_id for example:
>
> $ sudo ip xfrm policy ls
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir out priority 200000 ptype main
>         tmpl src 2.3.4.5 dst 5.4.3.2
>                 proto esp spi 0x12345678 reqid 4096 mode tunnel
>         if_id 0x101
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir out priority 200000 ptype main
>         tmpl src 1.2.3.4 dst 4.3.2.1
>                 proto esp spi 0x12345678 reqid 4096 mode tunnel
>         if_id 0x100
> $ sudo ip xfrm policy delete src 0.0.0.0/0 dst 0.0.0.0/0 dir out if_id 0x100
> $ sudo ip xfrm policy ls
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir out priority 200000 ptype main
>         tmpl src 2.3.4.5 dst 5.4.3.2
>                 proto esp spi 0x12345678 reqid 4096 mode tunnel
>         if_id 0x101
> $
>
> To delete all policies under a selector, there's the deleteall command:
>
> $ sudo ip xfrm policy ls
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir out priority 200000 ptype main
>         tmpl src 1.2.3.4 dst 4.3.2.1
>                 proto esp spi 0x12345678 reqid 4096 mode tunnel
>         if_id 0x100
> $ sudo ip xfrm policy deleteall src 0.0.0.0/0 dst 0.0.0.0/0
> $ sudo ip xfrm policy ls
> $
>
> Isn't that what you are looking for?
>
> --
> Kind regards,
> Luca Boccassi
>
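
An added example, not code from this bug report or from iproute2: a POSIX sh helper that picks every policy bound to one xfrm interface id out of `ip xfrm policy ls` output, deletes each with the selector + dir + if_id key the maintainer demonstrates above, and re-lists to confirm nothing with that if_id survived. The sample listing is constructed to mirror the maintainer's two policies plus a mark-based one with no if_id; the function names and the XFRM_IF_ID variable are this example's own. The delete step needs root and a kernel/iproute2 pair that accept the if_id key (the reporter's 5.8.0 kernel with iproute2 5.8.0 is shown working above); the parsing runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the Debian bug report or from iproute2:
# remove every xfrm policy bound to one xfrm interface id and verify the result.
# Deleting needs root plus a kernel and iproute2 that accept the if_id key
# (the reporter's 5.8.0 kernel with iproute2 5.8.0 does).

# Normalise an interface id given as 256 or 0x100 to the 0x... form that
# `ip xfrm policy ls` prints, so the comparison below is textual.
xfrm_norm_if_id() {
    [ -n "$1" ] && printf '0x%x' "$1"
}

# Read `ip xfrm policy ls` output on stdin and print, for each policy whose
# if_id equals $1, one line: "<dir> <ptype> <selector in ip(8) syntax>".
# A record starts at an unindented "src ... dst ..." line; dir/ptype and if_id
# sit on indented lines. Policies with no if_id line count as 0x0 here, so a
# policy keyed only by mark is never selected by a non-zero if_id.
xfrm_policies_with_if_id() {
    want=$(xfrm_norm_if_id "$1") || return 2
    awk -v want="$want" '
        function flush() {
            if (sel != "" && ifid == want) print dir, ptype, sel
            sel = ""; dir = ""; ptype = "main"; ifid = "0x0"
        }
        BEGIN { ptype = "main"; ifid = "0x0" }
        /^src / { flush(); sel = $0; sub(/[[:space:]]+$/, "", sel) }
        /^[[:space:]]+dir / {
            dir = $2
            for (i = 1; i < NF; i++) if ($i == "ptype") ptype = $(i + 1)
        }
        /^[[:space:]]+if_id / { ifid = $2 }
        END { flush() }
    '
}

# Delete each matching policy by selector + dir + ptype + if_id (the key the
# maintainer demonstrates), then re-list and fail if any policy with this
# if_id survived. Exit status: 0 all gone, 1 something remains, 2 bad id.
xfrm_delete_policies_by_if_id() {
    want=$(xfrm_norm_if_id "$1") || return 2
    ip xfrm policy ls | xfrm_policies_with_if_id "$want" |
    while read -r dir ptype sel; do
        # $sel is deliberately unquoted: it is already ip(8) keywords
        # ("src A dst B [proto P sport S dport D]") and must word-split.
        ip xfrm policy delete $sel dir "$dir" ptype "$ptype" if_id "$want"
    done
    [ -z "$(ip xfrm policy ls | xfrm_policies_with_if_id "$want")" ]
}

# Constructed sample in `ip xfrm policy ls` layout: the maintainer's two
# if_id policies plus a mark-based one (mark 0x100) that carries no if_id.
SAMPLE_XFRM_POLICY_LS='src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 200000 ptype main
        tmpl src 2.3.4.5 dst 5.4.3.2
                proto esp spi 0x12345678 reqid 4096 mode tunnel
        if_id 0x101
src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 200000 ptype main
        tmpl src 1.2.3.4 dst 4.3.2.1
                proto esp spi 0x12345678 reqid 4096 mode tunnel
        if_id 0x100
src 10.0.0.0/8 dst 10.1.0.0/16 proto tcp sport 0 dport 22
        dir in priority 1000 ptype main
        mark 0x100/0xffffffff
        tmpl src 1.2.3.4 dst 4.3.2.1
                proto esp reqid 1 mode tunnel'

# Dry run against the sample: shows what would be deleted for if_id 0x100.
printf '%s\n' "$SAMPLE_XFRM_POLICY_LS" | xfrm_policies_with_if_id 0x100

# Real run only when asked for explicitly, e.g. XFRM_IF_ID=0x100 sh this.sh
if [ -n "${XFRM_IF_ID:-}" ]; then
    xfrm_delete_policies_by_if_id "$XFRM_IF_ID"
fi
```

Two points the sample is built to show. First, the third policy carries `mark 0x100` but no if_id, and a query for if_id 0x100 does not select it: a mark and an if_id are independent keys, which is why the reporter's `mark 0x100` attempt against an if_id-keyed policy answered "No such file or directory". Second, the two if_id policies share the same any/any selector, so `deleteall src 0.0.0.0/0 dst 0.0.0.0/0` would remove both tunnels at once; deleting per policy with `if_id` is what lets one xfrm interface be torn down without touching its neighbours.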
