From: Antony Antony <antony@phenome.org>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Steffen Klassert <steffen.klassert@secunet.com>,
Antony Antony <antony.antony@secunet.com>,
David Miller <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
netdev@vger.kernel.org
Subject: Re: [PATCH 0/18] pull request (net-next): ipsec-next 2026-06-12
Date: Tue, 16 Jun 2026 07:54:29 +0200 [thread overview]
Message-ID: <ajDlFUhMfJP36qA8@Antony2201.local> (raw)
In-Reply-To: <20260613131552.2562d433@kernel.org>
On Sat, Jun 13, 2026 at 01:15:52PM -0700, Jakub Kicinski wrote:
> On Fri, 12 Jun 2026 09:46:16 +0200 Steffen Klassert wrote:
> > 3) Add a new netlink message XFRM_MSG_MIGRATE_STATE that
> > allows migrating individual IPsec SAs independently of
> > their policies. The existing XFRM_MSG_MIGRATE is tightly coupled
> > to policy+SA migration, lacks SPI for unique SA identification,
> > and cannot express reqid changes or migrate Transport mode
> > selectors. The new interface identifies the SA via SPI and mark,
> > supports reqid changes, address family changes, encap removal,
> > and uses an atomic create+install flow under x->lock to prevent
> > SN/IV reuse during AEAD SA migration.
> > From Antony Antony.
>
> Hi! There are some Sashiko comments here, please follow up:
>
> https://sashiko.dev/#/patchset/20260612074725.1760473-8-steffen.klassert@secunet.com
>
Thanks Jakub. I have fixes and am testing them now. And I will send fixes soon.
The comments didn't click until I realized xfrm_user_state_lookup() only
keys on mark.v & mark.m, so distinct (v, m) pairs collapse to the same
masked value. A lookup key of {0, 0} matches a source SA with mark
{0, 0xffffff} (both mask to 0), but reusing {0, 0} as the migrated mark
turns "match only mark 0x00" into "match all traffic".
The fix is to copy from the old SA rather than from the old_mark passed along. This also pointed to
more issues.
-antony
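A small C model of the mark-masking collision described in the message above, added here as an illustration and not code from the patch set: the struct mirrors the (value, mask) pair of struct xfrm_mark, the lookup key is v & m and each SA is tested with (key & sa.m) == sa.v as the message describes, and the migrated_mark_* helpers are hypothetical stand-ins for the buggy and fixed assignment of the migrated SA's mark.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct xfrm_mark { uint32_t v, m; };               /* value and mask, as in the uapi struct */
struct sa { uint32_t spi; struct xfrm_mark mark; };

/* Lookup key as derived from the XFRMA_MARK attribute: v & m. */
static uint32_t mark_key(struct xfrm_mark mk) { return mk.v & mk.m; }

/* Per-SA test applied while walking the state table: (key & sa.m) == sa.v. */
static bool sa_mark_matches(const struct sa *s, uint32_t key)
{
    return (key & s->mark.m) == s->mark.v;
}

/* Find an SA by SPI plus masked mark; returns its index or -1. */
static int lookup_sa(const struct sa *tbl, size_t n, uint32_t spi, struct xfrm_mark key)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].spi == spi && sa_mark_matches(&tbl[i], mark_key(key)))
            return (int)i;
    return -1;
}

/* Datapath view: does an SA carrying mark mk apply to a packet with pkt_mark? */
static bool sa_applies(struct xfrm_mark mk, uint32_t pkt_mark)
{
    return (pkt_mark & mk.m) == mk.v;
}

/* Count how many of a constructed set of packet marks the SA would claim. */
static int count_claimed(struct xfrm_mark mk)
{
    static const uint32_t sample[] = { 0x0, 0x1, 0x10, 0xff, 0x12345, 0xffffff };
    int n = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        n += sa_applies(mk, sample[i]);
    return n;
}

/* Mark given to the migrated SA (hypothetical helper names): the buggy path reuses
 * the request's lookup mark, the fix copies the old SA's own (value, mask) pair. */
static struct xfrm_mark migrated_mark_buggy(const struct sa *old, struct xfrm_mark req) { (void)old; return req; }
static struct xfrm_mark migrated_mark_fixed(const struct sa *old, struct xfrm_mark req) { (void)req; return old->mark; }
```

With a source SA marked {0, 0xffffff}, the key {0, 0} finds it (both mask to 0), but an SA carrying {0, 0} claims every sample packet mark, whereas the copied {0, 0xffffff} claims only mark 0.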