@kaworu
Created May 19, 2022 13:24
diff --git a/daemon/cmd/datapath.go b/daemon/cmd/datapath.go
index 6134dca312..543dcb8cca 100644
--- a/daemon/cmd/datapath.go
+++ b/daemon/cmd/datapath.go
@@ -18,6 +18,7 @@ import (
"github.com/cilium/cilium/pkg/datapath"
datapathIpcache "github.com/cilium/cilium/pkg/datapath/ipcache"
"github.com/cilium/cilium/pkg/datapath/linux/ipsec"
+ "github.com/cilium/cilium/pkg/datapath/linux/linux_defaults"
"github.com/cilium/cilium/pkg/datapath/linux/probes"
"github.com/cilium/cilium/pkg/defaults"
"github.com/cilium/cilium/pkg/endpointmanager"
@@ -490,6 +491,20 @@ func setupIPSec() (int, uint8, error) {
return 0, 0, nil
}
+ xfrmStateList, err := netlink.XfrmStateList(0)
+ if err != nil {
+ return 0, 0, err
+ }
+ go func() {
+ time.Sleep(linux_defaults.IPsecKeyDeleteDelay)
+ scopedLog.Info("reclaiming stale SPIs")
+ for _, s := range xfrmStateList {
+ if err := netlink.XfrmStateDel(&s); err != nil {
+ scopedLog.WithError(err).Warning("deleting old xfrm state failed")
+ }
+ }
+ }()
+
authKeySize, spi, err := ipsec.LoadIPSecKeysFile(option.Config.IPSecKeyFile)
if err != nil {
return 0, 0, err
diff --git a/pkg/datapath/linux/ipsec/ipsec_linux.go b/pkg/datapath/linux/ipsec/ipsec_linux.go
index 54103965ee..d913195f48 100644
--- a/pkg/datapath/linux/ipsec/ipsec_linux.go
+++ b/pkg/datapath/linux/ipsec/ipsec_linux.go
@@ -258,7 +258,7 @@ func ipsecDeleteXfrmSpi(spi uint8) {
return
}
for _, s := range xfrmStateList {
- if s.Spi != int(spi) {
+ if s.Spi == int(spi) {
if err := netlink.XfrmStateDel(&s); err != nil {
scopedLog.WithError(err).Warning("deleting old xfrm state failed")
}
@@ -598,16 +598,13 @@ func loadIPSecKeys(r io.Reader) (int, uint8, error) {
"SPI": spi,
})
- // Detect a version change and call cleanup routine to remove old
- // keys after a timeout period. We also want to ensure on restart
- // we remove any stale keys for example when a restart changes keys.
- // In the restart case oldSpi will be '0' and cause the delete logic
- // to run.
- if oldSpi != ipSecKey.Spi {
+ // Detect a version change and call cleanup routine to remove the old
+ // key after a timeout period.
+ if oldSpi > 0 && oldSpi != ipSecKey.Spi {
go func() {
time.Sleep(linux_defaults.IPsecKeyDeleteDelay)
scopedLog.Info("New encryption keys reclaiming SPI")
- ipsecDeleteXfrmSpi(ipSecKey.Spi)
+ ipsecDeleteXfrmSpi(oldSpi)
}()
}
}
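Review bot: The goroutine now reads `oldSpi` by reference when it wakes after `IPsecKeyDeleteDelay`, not at launch, so if the enclosing loop in loadIPSecKeys (which starts and ends outside this hunk) reassigns `oldSpi` for a later key before the delay elapses, the cleanup deletes whichever SPI the variable holds at that moment rather than the one that triggered it. Passing the value in at launch pins it: `go func(staleSpi uint8) { time.Sleep(linux_defaults.IPsecKeyDeleteDelay); scopedLog.Info("New encryption keys reclaiming SPI"); ipsecDeleteXfrmSpi(staleSpi) }(oldSpi)`. I cannot see from the hunk whether `oldSpi` is in fact reassigned, so this may only be a latent hazard, but the capture is cheap to make explicit. The rewritten comment could also name where the restart case went, e.g. `// The restart case (oldSpi == 0) is handled by setupIPSec's startup reclaim.`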