kaworu · May 19, 2022 13:24
diff --git a/gistfile1.txt b/gistfile1.txt
 diff --git a/daemon/cmd/datapath.go b/daemon/cmd/datapath.go
 index 6134dca312..543dcb8cca 100644
 --- a/daemon/cmd/datapath.go
 +++ b/daemon/cmd/datapath.go
 @@ -18,6 +18,7 @@ import (
 	"github.com/cilium/cilium/pkg/datapath"
 	datapathIpcache "github.com/cilium/cilium/pkg/datapath/ipcache"
 	"github.com/cilium/cilium/pkg/datapath/linux/ipsec"
 +	"github.com/cilium/cilium/pkg/datapath/linux/linux_defaults"
 	"github.com/cilium/cilium/pkg/datapath/linux/probes"
 	"github.com/cilium/cilium/pkg/defaults"
 	"github.com/cilium/cilium/pkg/endpointmanager"
 @@ -490,6 +491,20 @@ func setupIPSec() (int, uint8, error) {
 		return 0, 0, nil
 	}
 
 +	xfrmStateList, err := netlink.XfrmStateList(0)
 +	if err != nil {
 +		return 0, 0, err
 +	}
 +	go func() {
 +		time.Sleep(linux_defaults.IPsecKeyDeleteDelay)
 +		scopedLog.Info("reclaiming stale SPIs")
 +		for _, s := range xfrmStateList {
 +			if err := netlink.XfrmStateDel(&s); err != nil {
 +				scopedLog.WithError(err).Warning("deleting old xfrm state failed")
 +			}
 +		}
 +	}()
 +
 	authKeySize, spi, err := ipsec.LoadIPSecKeysFile(option.Config.IPSecKeyFile)
 	if err != nil {
 		return 0, 0, err
 diff --git a/pkg/datapath/linux/ipsec/ipsec_linux.go b/pkg/datapath/linux/ipsec/ipsec_linux.go
 index 54103965ee..d913195f48 100644
 --- a/pkg/datapath/linux/ipsec/ipsec_linux.go
 +++ b/pkg/datapath/linux/ipsec/ipsec_linux.go
 @@ -258,7 +258,7 @@ func ipsecDeleteXfrmSpi(spi uint8) {
 		return
 	}
 	for _, s := range xfrmStateList {
 -		if s.Spi != int(spi) {
 +		if s.Spi == int(spi) {
 			if err := netlink.XfrmStateDel(&s); err != nil {
 				scopedLog.WithError(err).Warning("deleting old xfrm state failed")
 			}
 @@ -598,16 +598,13 @@ func loadIPSecKeys(r io.Reader) (int, uint8, error) {
 			"SPI":    spi,
 		})
 
 -		// Detect a version change and call cleanup routine to remove old
 -		// keys after a timeout period. We also want to ensure on restart
 -		// we remove any stale keys for example when a restart changes keys.
 -		// In the restart case oldSpi will be '0' and cause the delete logic
 -		// to run.
 -		if oldSpi != ipSecKey.Spi {
 +		// Detect a version change and call cleanup routine to remove the old
 +		// key after a timeout period.
 +		if oldSpi > 0 && oldSpi != ipSecKey.Spi {
 			go func() {
 				time.Sleep(linux_defaults.IPsecKeyDeleteDelay)
 				scopedLog.Info("New encryption keys reclaiming SPI")
 -				ipsecDeleteXfrmSpi(ipSecKey.Spi)
 +				ipsecDeleteXfrmSpi(oldSpi)
 			}()
 		}
 	}
	diff --git a/daemon/cmd/datapath.go b/daemon/cmd/datapath.go
	index 6134dca312..543dcb8cca 100644
	--- a/daemon/cmd/datapath.go
	+++ b/daemon/cmd/datapath.go
	@@ -18,6 +18,7 @@ import (
	"github.com/cilium/cilium/pkg/datapath"
	datapathIpcache "github.com/cilium/cilium/pkg/datapath/ipcache"
	"github.com/cilium/cilium/pkg/datapath/linux/ipsec"
	+ "github.com/cilium/cilium/pkg/datapath/linux/linux_defaults"
	"github.com/cilium/cilium/pkg/datapath/linux/probes"
	"github.com/cilium/cilium/pkg/defaults"
	"github.com/cilium/cilium/pkg/endpointmanager"
	@@ -490,6 +491,20 @@ func setupIPSec() (int, uint8, error) {
	return 0, 0, nil
	}

	+ xfrmStateList, err := netlink.XfrmStateList(0)
	+ if err != nil {
	+ return 0, 0, err
	+ }
	+ go func() {
	+ time.Sleep(linux_defaults.IPsecKeyDeleteDelay)
	+ scopedLog.Info("reclaiming stale SPIs")
	+ for _, s := range xfrmStateList {
	+ if err := netlink.XfrmStateDel(&s); err != nil {
	+ scopedLog.WithError(err).Warning("deleting old xfrm state failed")
	+ }
	+ }
	+ }()
	+
	authKeySize, spi, err := ipsec.LoadIPSecKeysFile(option.Config.IPSecKeyFile)
	if err != nil {
	return 0, 0, err
	diff --git a/pkg/datapath/linux/ipsec/ipsec_linux.go b/pkg/datapath/linux/ipsec/ipsec_linux.go
	index 54103965ee..d913195f48 100644
	--- a/pkg/datapath/linux/ipsec/ipsec_linux.go
	+++ b/pkg/datapath/linux/ipsec/ipsec_linux.go
	@@ -258,7 +258,7 @@ func ipsecDeleteXfrmSpi(spi uint8) {
	return
	}
	for _, s := range xfrmStateList {
	- if s.Spi != int(spi) {
	+ if s.Spi == int(spi) {
	if err := netlink.XfrmStateDel(&s); err != nil {
	scopedLog.WithError(err).Warning("deleting old xfrm state failed")
	}
	@@ -598,16 +598,13 @@ func loadIPSecKeys(r io.Reader) (int, uint8, error) {
	"SPI": spi,
	})

	- // Detect a version change and call cleanup routine to remove old
	- // keys after a timeout period. We also want to ensure on restart
	- // we remove any stale keys for example when a restart changes keys.
	- // In the restart case oldSpi will be '0' and cause the delete logic
	- // to run.
	- if oldSpi != ipSecKey.Spi {
	+ // Detect a version change and call cleanup routine to remove the old
	+ // key after a timeout period.
	+ if oldSpi > 0 && oldSpi != ipSecKey.Spi {
	go func() {
	time.Sleep(linux_defaults.IPsecKeyDeleteDelay)
	scopedLog.Info("New encryption keys reclaiming SPI")
	- ipsecDeleteXfrmSpi(ipSecKey.Spi)
	+ ipsecDeleteXfrmSpi(oldSpi)
	}()
	}
	}