[PATCH ipsec v2] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set

[PATCH ipsec v2] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set

[Antony Antony]

The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but
it was being applied regardless of the SA direction when the sysctl
ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs.

Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction
is configured.

Closes: https://github.com/strongswan/strongswan/issues/2946
Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out")
Signed-off-by: Antony Antony <antony.antony@secunet.com>
---
v1 -> v2 removed Unrecognized email address: Reported-by: 'https://github.com/roth-m'
---
 net/xfrm/xfrm_state.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 9e14e453b55c..98b362d51836 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -3151,6 +3151,7 @@ int __xfrm_init_state(struct xfrm_state *x, struct netlink_ext_ack *extack)
 	int err;

 	if (family == AF_INET &&
+	    (!x->dir || x->dir == XFRM_SA_DIR_OUT) &&
 	    READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc))
 		x->props.flags |= XFRM_STATE_NOPMTUDISC;

--
2.39.5

Re: [PATCH ipsec v2] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set

[Steffen Klassert]

On Thu, Dec 11, 2025 at 11:30:27AM +0100, Antony Antony wrote:
> The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but
> it was being applied regardless of the SA direction when the sysctl
> ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs.
> 
> Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction
> is configured.
> 
> Closes: https://github.com/strongswan/strongswan/issues/2946
> Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out")
> Signed-off-by: Antony Antony <antony.antony@secunet.com>

Applied, thanks a lot Antony!