[PATCH ipsec] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH ipsec] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set
@ 2025-11-27 14:05 Antony Antony
  2025-12-05  6:18 ` Steffen Klassert
  0 siblings, 1 reply; 4+ messages in thread
From: Antony Antony @ 2025-11-27 14:05 UTC (permalink / raw)
  To: Steffen Klassert, Herbert Xu, netdev
  Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Antony Antony

The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but
it was being applied regardless of the SA direction when the sysctl
ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs.

Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction
is configured.

Reported-by: https://github.com/roth-m
Closes: https://github.com/strongswan/strongswan/issues/2946
Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out")
Signed-off-by: Antony Antony <antony.antony@secunet.com>
---
 net/xfrm/xfrm_state.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 9e14e453b55c..98b362d51836 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -3151,6 +3151,7 @@ int __xfrm_init_state(struct xfrm_state *x, struct netlink_ext_ack *extack)
 	int err;

 	if (family == AF_INET &&
+	    (!x->dir || x->dir == XFRM_SA_DIR_OUT) &&
 	    READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc))
 		x->props.flags |= XFRM_STATE_NOPMTUDISC;

--
2.39.5


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH ipsec] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set
  2025-11-27 14:05 [PATCH ipsec] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set Antony Antony
@ 2025-12-05  6:18 ` Steffen Klassert
  2025-12-05 14:00   ` Simon Horman
  0 siblings, 1 reply; 4+ messages in thread
From: Steffen Klassert @ 2025-12-05  6:18 UTC (permalink / raw)
  To: Antony Antony
  Cc: Herbert Xu, netdev, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Simon Horman

On Thu, Nov 27, 2025 at 03:05:55PM +0100, Antony Antony wrote:
> The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but
> it was being applied regardless of the SA direction when the sysctl
> ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs.
> 
> Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction
> is configured.
> 
> Reported-by: https://github.com/roth-m

This tag does not make much sense IMO. We neither have a
real name nor an email address to contact.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH ipsec] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set
  2025-12-05  6:18 ` Steffen Klassert
@ 2025-12-05 14:00   ` Simon Horman
  2025-12-11  8:10     ` Steffen Klassert
  0 siblings, 1 reply; 4+ messages in thread
From: Simon Horman @ 2025-12-05 14:00 UTC (permalink / raw)
  To: Steffen Klassert
  Cc: Antony Antony, Herbert Xu, netdev, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni

On Fri, Dec 05, 2025 at 07:18:58AM +0100, Steffen Klassert wrote:
> On Thu, Nov 27, 2025 at 03:05:55PM +0100, Antony Antony wrote:
> > The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but
> > it was being applied regardless of the SA direction when the sysctl
> > ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs.
> > 
> > Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction
> > is configured.
> > 
> > Reported-by: https://github.com/roth-m
> 
> This tag does not make much sense IMO. We neither have a
> real name nor an email address to contact.

FWIIW, I noticed that too.
And if that is all the information available
then I'd suggest dropping the tag.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH ipsec] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set
  2025-12-05 14:00   ` Simon Horman
@ 2025-12-11  8:10     ` Steffen Klassert
  0 siblings, 0 replies; 4+ messages in thread
From: Steffen Klassert @ 2025-12-11  8:10 UTC (permalink / raw)
  To: Simon Horman
  Cc: Antony Antony, Herbert Xu, netdev, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni

On Fri, Dec 05, 2025 at 02:00:42PM +0000, Simon Horman wrote:
> On Fri, Dec 05, 2025 at 07:18:58AM +0100, Steffen Klassert wrote:
> > On Thu, Nov 27, 2025 at 03:05:55PM +0100, Antony Antony wrote:
> > > The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but
> > > it was being applied regardless of the SA direction when the sysctl
> > > ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs.
> > > 
> > > Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction
> > > is configured.
> > > 
> > > Reported-by: https://github.com/roth-m
> > 
> > This tag does not make much sense IMO. We neither have a
> > real name nor an email address to contact.
> 
> FWIIW, I noticed that too.
> And if that is all the information available
> then I'd suggest dropping the tag.

Right, Antony please remove the tag and resend.

Thanks!

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-12-11  8:10 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-27 14:05 [PATCH ipsec] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set Antony Antony
2025-12-05  6:18 ` Steffen Klassert
2025-12-05 14:00   ` Simon Horman
2025-12-11  8:10     ` Steffen Klassert

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).