ipsec-2026-01-14

-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEH7ZpcWbFyOOp6OJbrB3Eaf9PW7cFAmlnh0AACgkQrB3Eaf9P W7fhlQ//ZsSZ1+7UlmSmuzfdS+0erXDqNuIvmX1GudWmUfSWu988+efsCgZcIRSh B7YPHjO75mNRQLOxGI4f61JZUwX+h+p/1vbqW1z3/AycPxi3UGBS2P+QaPCK7q+3 P7Xgch0WCV7acZDMBOSRZb2j3Iu72u2G0AXGfPYJHTOyIIwaBX+c77nvqw+4t2Si N31OSQICwdocGSRyFpAb1InklRrW7fixiwXctC0q3MBahBXU2RqjXp/jLm8xY2Nx WJupmMng7cxz4vgsKY+tY+2EAvbuAwHEcBK4rjNKdm4E2m0nNpohAoiV3xYnkmoN Q4I+Yr9xpBGf2+Eoq7MwuLl1y5A+k5H8PgbnuO5zMP7grzOzCWka6Gx7fDXKuMCY t5c/dVG2beQI8MlV60PbUb+UuIhhMUAyKalm5OdQ1uk7mv/RhYO0Pg6g+sIT9uk9 TvT0UGZOI/Af0uhwYLp7Vl9HicFMYtPhBlEWO+JcUgZXXbqUBnNDml5KG7wcOXh2 Mj7GHSAfwtl/rNdiVPbo6cPezhuj5mY/QOAPl9/qr6BG7Tusf8TcAnRV5jphYfwV Dbo9qjIg5LmtscyfhB5CYk+X8e6Ca1X89lgT1JjW5yyO63yJ2vsORsDC+iakGTEl H4pQwIcObseM9X7klH9K2MZYUNhe17p88qQ+atGxUXExXHqil0U= =Y9BD -----END PGP SIGNATURE----- Merge tag 'ipsec-2026-01-14' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== pull request (net): ipsec 2026-01-14 1) Fix inner mode lookup in tunnel mode GSO segmentation. The protocol was taken from the wrong field. 2) Set ipv4 no_pmtu_disc flag only on output SAs. The insertation of input SAs can fail if no_pmtu_disc is set. Please pull or let me know if there are problems. ipsec-2026-01-14 * tag 'ipsec-2026-01-14' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec: xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set xfrm: Fix inner mode lookup in tunnel mode GSO segmentation ==================== Link: https://patch.msgid.link/20260114121817.1106134-1-steffen.klassert@secunet.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-05-31 10:33:41 +02:00 · 2026-01-15 12:46:12 +01:00 · 2026-01-15 12:46:12 +01:00 · 5ce234a8fe
commit 5ce234a8fe
parent 4156c3745f c196def07b
3 changed files with 5 additions and 4 deletions
--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@ -122,8 +122,8 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
 						struct sk_buff *skb,
 						netdev_features_t features)
 {
-	const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
-					XFRM_MODE_SKB_CB(skb)->protocol);
+	struct xfrm_offload *xo = xfrm_offload(skb);
+	const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
 	__be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
 						     : htons(ETH_P_IP);

--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@ -158,8 +158,8 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
 						struct sk_buff *skb,
 						netdev_features_t features)
 {
-	const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
-					XFRM_MODE_SKB_CB(skb)->protocol);
+	struct xfrm_offload *xo = xfrm_offload(skb);
+	const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
 	__be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
 						    : htons(ETH_P_IPV6);

--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@ -3151,6 +3151,7 @@ int __xfrm_init_state(struct xfrm_state *x, struct netlink_ext_ack *extack)
 	int err;

 	if (family == AF_INET &&
+	    (!x->dir || x->dir == XFRM_SA_DIR_OUT) &&
 	    READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc))
 		x->props.flags |= XFRM_STATE_NOPMTUDISC;