Re: [PATCH ipsec-next v8 03/14] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP

Next message: Nathan Chancellor: "Re: [PATCH v2 2/3] dt-bindings: wire style checker into dt_binding_check"
Previous message: Marcus Gren&#xE4;ngen: "[PATCH v3 0/3] platform/x86: fix fn-lock on ASUS ProArt P16 (WMI DEVS no-op)"
In reply to: Antony Antony: "[PATCH ipsec-next v8 03/14] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP"
Next in thread: Antony Antony: "[PATCH ipsec-next v8 04/14] xfrm: fix NAT-related field inheritance in SA migration"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sabrina Dubroca

Date: Thu May 07 2026 - 05:34:10 EST

2026-05-05, 06:32:30 +0200, Antony Antony wrote:
> The current code prevents migrating an SA from UDP encapsulation to
> plain ESP. This is needed when moving from a NATed path to a non-NATed
> one, for example when switching from IPv4+NAT to IPv6.
>
> Only copy the existing encapsulation during migration if the encap
> attribute is explicitly provided.
>
> Note: PF_KEY's SADB_X_MIGRATE always passes encap=NULL and never
> supported encapsulation in migration. PF_KEY is deprecated and was
> in feature freeze when UDP encapsulation was added to xfrm.
>
> Signed-off-by: Antony Antony <antony.antony@xxxxxxxxxxx>
> Tested-by: Yan Yan <evitayan@xxxxxxxxxx>
> ---
> net/xfrm/xfrm_state.c | 10 ++--------
> 1 file changed, 2 insertions(+), 8 deletions(-)

Reviewed-by: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>

If someone complains about this we can add a sysctl
"preserve_old_encap_on_migrate".

--
Sabrina