Re: [PATCH net-next v5 1/2] icmp: fix ICMP error source address when xfrm... | netdev

Re: [PATCH net-next v5 1/2] icmp: fix ICMP error source address when xfrm policy matches

From: David Ahern <dsahern@kernel.org>
Date: 2026-02-26 16:18:48
Also in: lkml

On 2/26/26 3:27 AM, Antony Antony wrote:

When an IPsec gateway generates an ICMP error (e.g., Destination Host
Unreachable), the source address incorrectly shows the unreachable
destination instead of the gateway's address. IPv6 behaves correctly.

Before fix:
  ping 10.1.6.3
  From 10.1.6.3 icmp_seq=1 Destination Host Unreachable
  (wrong - 10.1.6.3 is the unreachable host)

After fix:
  ping 10.1.6.3
  From 10.1.5.2 icmp_seq=1 Destination Host Unreachable
  (correct - 10.1.5.2 is the gateway)

The fix removes the memcpy that overwrote fl4 with fl4_dec after
xfrm_lookup(). A follow-up commit adds a selftest.

Fixes: 415b3334a21a ("icmp: Fix regression in nexthop resolution during replies.")
Cc: stable+noautosel@kernel.org # Avoid false positives in tests
Signed-off-by: Antony Antony <redacted>
Acked-by: Tobias Brunner <redacted>
---
 net/ipv4/icmp.c | 1 -
 1 file changed, 1 deletion(-)

Reviewed-by: David Ahern <dsahern@kernel.org>

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help