From: Sabrina Dubroca <sd@queasysnail.net>
To: Yan Yan <evitayan@google.com>
Cc: Antony Antony <antony.antony@secunet.com>,
Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
netdev@vger.kernel.org, "David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Chiachang Wang <chiachangwang@google.com>,
devel@linux-ipsec.org, Simon Horman <horms@kernel.org>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
linux-kernel@vger.kernel.org, selinux@vger.kernel.org,
Nathan Harold <nharold@google.com>
Subject: Re: [devel-ipsec] Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration
Date: Fri, 27 Feb 2026 12:26:00 +0100 [thread overview]
Message-ID: <aaF_SAQj4WT8jRaO@krikkit> (raw)
In-Reply-To: <CADHa2dAxVFQULCKnsjSmSPrK+VTJyyT-5P5BAYGdhO5wKDKqig@mail.gmail.com>
2026-02-26, 17:44:51 -0800, Yan Yan via Devel wrote:
> Hi Antony,
>
> May I request that we also support updating the XFRMA_SET_MARK as part
> of the new XFRM_MSG_MIGRATE_STATE message?
>
> In Android, the primary use case for migration is switching the
> underlying physical network for an IPsec tunnel (e.g. VPN, Wifi
> calling). Currently, due to the limits of XFRM_MSG_MIGRATE, we are
> forced to use a separate UPDSA call to update the set-mark. Supporting
> XFRMA_SET_MARK within the migrate message would allow us to update the
> addresses and the routing mark together in one atomic call.
>
> Regarding the logic, I believe the set-mark can follow the same
> omit-to-clear pattern as XFRMA_ENCAP and XFRMA_OFFLOAD_DEV.
I think this raises a wider question: clearly definining and
documenting which attributes need to be explicitly provided
("omit-to-clear" as you write), and which will be implicitly copied.
Currently it looks like we copy:
- all the crypto stuff (aalg/aead/etc)
- security context stuff
- coaddr
- replay/replay_esn
- pcpu_num, if_id, tfcpad
- dir
- mark
- extra_flags
but not
- nat_keepalive_interval
- offload
- encap
[gathered from a quick read of xfrm_state_clone_and_setup + the
definition of xfrma_policy]
Anything that we leave as implicit copy will have to be "forever"
implicitly copied with this new MIGRATE_STATE op -- unless we find a
way to pass a new "clear these properties" flag (probably via a list
of XFRMA_* attribute names), but then we could also implement that
with the existing MIGRATE code.
--
Sabrina
next prev parent reply other threads:[~2026-02-27 11:26 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-27 10:41 [PATCH ipsec-next v5 0/8] xfrm: XFRM_MSG_MIGRATE_STATE new netlink message Antony Antony
2026-01-27 10:42 ` [PATCH ipsec-next v5 1/8] xfrm: add missing __rcu annotation to nlsk Antony Antony
2026-02-26 17:07 ` Sabrina Dubroca
2026-03-05 7:46 ` [devel-ipsec] " Antony Antony
2026-01-27 10:42 ` [PATCH ipsec-next v5 2/8] xfrm: remove redundant assignments Antony Antony
2026-01-27 10:42 ` [PATCH ipsec-next v5 3/8] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP Antony Antony
2026-01-30 11:28 ` Sabrina Dubroca
2026-02-02 12:57 ` Antony Antony
[not found] ` <CADhJOfbkUFaPfxTBrmOnrEh2JvxPKpkxaRrSdJHZGxeoQsQTcw@mail.gmail.com>
2026-02-02 19:38 ` [devel-ipsec] " Antony Antony
2026-02-24 3:28 ` Yan Yan
2026-02-26 15:41 ` Antony Antony
2026-03-06 2:49 ` Yan Yan
2026-01-27 10:42 ` [PATCH ipsec-next v5 4/8] xfrm: rename reqid in xfrm_migrate Antony Antony
2026-01-27 10:43 ` [PATCH ipsec-next v5 5/8] xfrm: split xfrm_state_migrate into create and install functions Antony Antony
2026-01-27 10:43 ` [PATCH ipsec-next v5 7/8] xfrm: add error messages to state migration Antony Antony
2026-01-30 12:14 ` Sabrina Dubroca
2026-02-26 15:43 ` [devel-ipsec] " Antony Antony
2026-02-26 16:59 ` Sabrina Dubroca
2026-03-02 14:06 ` Antony Antony
2026-01-27 10:44 ` [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration Antony Antony
2026-02-03 21:25 ` Sabrina Dubroca
2026-02-26 15:46 ` Antony Antony
2026-02-26 18:05 ` Sabrina Dubroca
2026-03-02 14:21 ` [devel-ipsec] " Antony Antony
2026-02-27 1:44 ` Yan Yan
2026-02-27 11:26 ` Sabrina Dubroca [this message]
2026-02-27 23:14 ` [devel-ipsec] " Yan Yan
2026-03-08 14:42 ` Antony Antony
2026-03-10 11:09 ` Sabrina Dubroca
2026-03-10 16:52 ` Antony Antony
2026-03-14 0:32 ` Yan Yan
2026-04-07 13:29 ` Antony Antony
2026-03-05 7:51 ` Antony Antony
2026-01-27 10:50 ` [PATCH ipsec-next v5 6/8] xfrm: add state synchronization after migration Antony Antony
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aaF_SAQj4WT8jRaO@krikkit \
--to=sd@queasysnail.net \
--cc=antony.antony@secunet.com \
--cc=chiachangwang@google.com \
--cc=davem@davemloft.net \
--cc=devel@linux-ipsec.org \
--cc=edumazet@google.com \
--cc=evitayan@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nharold@google.com \
--cc=omosnace@redhat.com \
--cc=pabeni@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.