From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	<netdev@vger.kernel.org>
Subject: [PATCH 0/18] pull request (net-next): ipsec-next 2026-06-12
Date: Fri, 12 Jun 2026 09:46:16 +0200
Message-ID: <20260612074725.1760473-1-steffen.klassert@secunet.com>

1) Replace the open-coded manual cleanup in xfrm_add_policy() error
   path with xfrm_policy_destroy() for consistency with
   xfrm_policy_construct().
   From Deepanshu Kartikey.

2) Limit XFRMA_TFCPAD to a sensible maximum (max IP length, 64k) since
   u32 is excessive for traffic flow confidentiality padding.
   From David Ahern.

3) Add a new netlink message XFRM_MSG_MIGRATE_STATE that
   allows migrating individual IPsec SAs independently of
   their policies. The existing XFRM_MSG_MIGRATE is tightly coupled
   to policy+SA migration, lacks SPI for unique SA identification,
   and cannot express reqid changes or migrate Transport mode
   selectors. The new interface identifies the SA via SPI and mark,
   supports reqid changes, address family changes, encap removal,
   and uses an atomic create+install flow under x->lock to prevent
   SN/IV reuse during AEAD SA migration.
   From Antony Antony.

Please pull or let me know if there are problems.

Thanks!

The following changes since commit 790ead9394860e7d70c5e0e50a35b243e909a618:

  Documentation: net/smc: correct old value of smcr_max_recv_wr (2026-04-27 16:49:39 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git tags/ipsec-next-2026-06-12

for you to fetch changes up to 355f808d8a11fa69b19dfd8811bc87d97830f5d6:

  Merge branch 'xfrm: XFRM_MSG_MIGRATE_STATE new netlink message' (2026-06-09 16:02:12 +0200)

----------------------------------------------------------------
ipsec-next-2026-06-12

----------------------------------------------------------------
Antony Antony (16):
      xfrm: remove redundant assignments
      xfrm: add extack to xfrm_init_state
      xfrm: allow migration from UDP encapsulated to non-encapsulated ESP
      xfrm: fix NAT-related field inheritance in SA migration
      xfrm: rename reqid in xfrm_migrate
      xfrm: split xfrm_state_migrate into create and install functions
      xfrm: check family before comparing addresses in migrate
      xfrm: add state synchronization after migration
      xfrm: add error messages to state migration
      xfrm: move encap and xuo into struct xfrm_migrate
      xfrm: refactor XFRMA_MTIMER_THRESH validation into a helper
      xfrm: extract address family and selector validation helpers
      xfrm: make xfrm_dev_state_add xuo parameter const
      xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration
      xfrm: restrict netlink attributes for XFRM_MSG_MIGRATE_STATE
      xfrm: add documentation for XFRM_MSG_MIGRATE_STATE

David Ahern (1):
      xfrm: Reject excessive values for XFRMA_TFCPAD

Deepanshu Kartikey (1):
      xfrm: cleanup error path in xfrm_add_policy()

Steffen Klassert (1):
      Merge branch 'xfrm: XFRM_MSG_MIGRATE_STATE new netlink message'

 Documentation/networking/xfrm/index.rst            |   1 +
 .../networking/xfrm/xfrm_migrate_state.rst         | 274 ++++++++++++
 include/net/xfrm.h                                 |  78 +++-
 include/uapi/linux/xfrm.h                          |  25 ++
 net/ipv4/ipcomp.c                                  |   2 +-
 net/ipv6/ipcomp6.c                                 |   2 +-
 net/key/af_key.c                                   |  12 +-
 net/xfrm/xfrm_compat.c                             |   5 +-
 net/xfrm/xfrm_device.c                             |   2 +-
 net/xfrm/xfrm_policy.c                             |  25 +-
 net/xfrm/xfrm_state.c                              | 144 +++---
 net/xfrm/xfrm_user.c                               | 481 ++++++++++++++++++---
 security/selinux/nlmsgtab.c                        |   3 +-
 13 files changed, 912 insertions(+), 142 deletions(-)
 create mode 100644 Documentation/networking/xfrm/xfrm_migrate_state.rst