Re: [devel-ipsec] Re: [PATCH net-next v4 1/2] icmp: fix ICMP error source address when xfrm policy matches

[Antony Antony <antony@phenome.org>]

Hi Jakub,

On Thu, Jan 29, 2026 at 06:45:10PM -0800, Jakub Kicinski via Devel wrote:
> On Wed, 28 Jan 2026 11:25:14 +0100 Antony Antony wrote:
> > Subject: [PATCH net-next v4 1/2] icmp: fix ICMP error source address when xfrm policy matches
> 
> > Fixes: 415b3334a21a ("icmp: Fix regression in nexthop resolution during replies.")
> > Cc: stable+noautosel@kernel.org # Avoid false positives in tests
> 
> I don't understand what you're trying to express with all these tags.
> We are sending incorrect ICMP packets, seems like a normal net-worthy
> fix to me?

You're right that we're sending incorrect ICMP packets when IPsec/xfrm is 
enabled and this is a legitimate fix. My concern with backporting is about 
potential disruption rather than the correctness of the fix itself.
The issue is that some existing test scripts and monitoring tools may have
hardcoded expectations for the current(incorrect) source address behavior.  
When this one-line fix gets backported to all maintained kernels, those 
tests would start failing, potentially triggering regression reports and 
requests to revert the fix from stable kernels.

Additionally, without the
commit 63b21caba17e ("xfrm: introduce forwarding of ICMP Error messages") 
being present in older kernels, the behavior change could be viewed 
differently in stable branches.

This is also the sense I got from IPsec users.
Given these considerations, I opted for the safer path of targeting net-next
with stable+noautosel, no backporting.

-antony