Re: [devel-ipsec] Re: [PATCH net-next v4 1/2] icmp: fix ICMP error source address when xfrm policy matches

[Paul Wouters]

On Mon, 2 Feb 2026, Antony Antony via Devel wrote:

> Hi Jakub,
>
> On Thu, Jan 29, 2026 at 06:45:10PM -0800, Jakub Kicinski via Devel wrote:
> > On Wed, 28 Jan 2026 11:25:14 +0100 Antony Antony wrote:
> > > Subject: [PATCH net-next v4 1/2] icmp: fix ICMP error source address when xfrm policy matches
> >
> > > Fixes: 415b3334a21a ("icmp: Fix regression in nexthop resolution during replies.")
> > > Cc: stable+noautosel@xxxxxxxxxx # Avoid false positives in tests
> >
> > I don't understand what you're trying to express with all these tags.
> > We are sending incorrect ICMP packets, seems like a normal net-worthy
> > fix to me?
>
> You're right that we're sending incorrect ICMP packets when IPsec/xfrm is
> enabled and this is a legitimate fix. My concern with backporting is about
> potential disruption rather than the correctness of the fix itself.
> The issue is that some existing test scripts and monitoring tools may have
> hardcoded expectations for the current(incorrect) source address behavior.
> When this one-line fix gets backported to all maintained kernels, those
> tests would start failing, potentially triggering regression reports and
> requests to revert the fix from stable kernels.
>
> Additionally, without the
> commit 63b21caba17e ("xfrm: introduce forwarding of ICMP Error messages")
> being present in older kernels, the behavior change could be viewed
> differently in stable branches.
>
> This is also the sense I got from IPsec users.
> Given these considerations, I opted for the safer path of targeting net-next
> with stable+noautosel, no backporting.

libreswan is unaffected, other than the old code showing a weird
unexplainable log message.  So we are not really affected by whether or
not this get backported. We would slightly prefer the backport just to
get proper icmp messages out there (and we might need to fix a few test
cases but that is okay with us). If someone reaches out with strong
arguments to not backport, we would be fine with not doing it.

Paul