Re: [devel-ipsec] Re: [PATCH net-next v4 1/2] icmp: fix ICMP error source address when xfrm policy matches

[Tobias Brunner]

On 02.02.26 15:53, Paul Wouters wrote:
> On Mon, 2 Feb 2026, Antony Antony via Devel wrote:
> 
>> Hi Jakub,
>>
>> On Thu, Jan 29, 2026 at 06:45:10PM -0800, Jakub Kicinski via Devel wrote:
>>> On Wed, 28 Jan 2026 11:25:14 +0100 Antony Antony wrote:
>>>> Subject: [PATCH net-next v4 1/2] icmp: fix ICMP error source address when xfrm policy matches
>>>
>>>> Fixes: 415b3334a21a ("icmp: Fix regression in nexthop resolution during replies.")
>>>> Cc: stable+noautosel@xxxxxxxxxx # Avoid false positives in tests
>>>
>>> I don't understand what you're trying to express with all these tags.
>>> We are sending incorrect ICMP packets, seems like a normal net-worthy
>>> fix to me?
>>
>> You're right that we're sending incorrect ICMP packets when IPsec/xfrm is
>> enabled and this is a legitimate fix. My concern with backporting is about
>> potential disruption rather than the correctness of the fix itself.
>> The issue is that some existing test scripts and monitoring tools may have
>> hardcoded expectations for the current(incorrect) source address behavior.
>> When this one-line fix gets backported to all maintained kernels, those
>> tests would start failing, potentially triggering regression reports and
>> requests to revert the fix from stable kernels.
>>
>> Additionally, without the
>> commit 63b21caba17e ("xfrm: introduce forwarding of ICMP Error messages")
>> being present in older kernels, the behavior change could be viewed
>> differently in stable branches.
>>
>> This is also the sense I got from IPsec users.
>> Given these considerations, I opted for the safer path of targeting net-next
>> with stable+noautosel, no backporting.
> 
> libreswan is unaffected, other than the old code showing a weird
> unexplainable log message.  So we are not really affected by whether or
> not this get backported. We would slightly prefer the backport just to
> get proper icmp messages out there (and we might need to fix a few test
> cases but that is okay with us). If someone reaches out with strong
> arguments to not backport, we would be fine with not doing it.

I think the main concern is that without Antony's patch that adds ICMP
forwarding via reverse lookup (63b21caba17e ("xfrm: introduce forwarding
of ICMP Error messages")), which was not backported, packets with the
correct source IP will not get tunneled if the gateway's IP is not
contained in the traffic selectors.  So if at all, backporting should
only be considered to v6.9+ and not anything earlier (the commit
Antony's Fixes tag references, 415b3334a21a, was released with v3.1).

Regards,
Tobias