Re: [devel-ipsec] Re: [PATCH ipsec-next v5 8/8] xfrm: add... | netdev

[PATCH ipsec-next v5 0/8] xfrm: XFRM_MSG_MIGRATE_STATE new netlink message · Antony Antony <hidden> · 2026-01-27
[PATCH ipsec-next v5 1/8] xfrm: add missing __rcu annotation to nlsk · Antony Antony <hidden> · 2026-01-27
Re: [PATCH ipsec-next v5 1/8] xfrm: add missing __rcu annotation to nlsk · Sabrina Dubroca <sd@queasysnail.net> · 2026-02-26
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 1/8] xfrm: add missing __rcu annotation to nlsk · Antony Antony <hidden> · 2026-03-05
[PATCH ipsec-next v5 2/8] xfrm: remove redundant assignments · Antony Antony <hidden> · 2026-01-27
[PATCH ipsec-next v5 3/8] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP · Antony Antony <hidden> · 2026-01-27
Re: [PATCH ipsec-next v5 3/8] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP · Sabrina Dubroca <sd@queasysnail.net> · 2026-01-30
Re: [PATCH ipsec-next v5 3/8] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP · Antony Antony <hidden> · 2026-02-02
[PATCH ipsec-next v5 4/8] xfrm: rename reqid in xfrm_migrate · Antony Antony <hidden> · 2026-01-27
[PATCH ipsec-next v5 5/8] xfrm: split xfrm_state_migrate into create and install functions · Antony Antony <hidden> · 2026-01-27
[PATCH ipsec-next v5 7/8] xfrm: add error messages to state migration · Antony Antony <hidden> · 2026-01-27
Re: [PATCH ipsec-next v5 7/8] xfrm: add error messages to state migration · Sabrina Dubroca <sd@queasysnail.net> · 2026-01-30
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 7/8] xfrm: add error messages to state migration · Antony Antony <hidden> · 2026-02-26
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 7/8] xfrm: add error messages to state migration · Sabrina Dubroca <sd@queasysnail.net> · 2026-02-26
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 7/8] xfrm: add error messages to state migration · Antony Antony <hidden> · 2026-03-02
[PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Antony Antony <hidden> · 2026-01-27
Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Sabrina Dubroca <sd@queasysnail.net> · 2026-02-03
Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Antony Antony <hidden> · 2026-02-26
Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Sabrina Dubroca <sd@queasysnail.net> · 2026-02-26
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Antony Antony <hidden> · 2026-03-02
Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Yan Yan <hidden> · 2026-02-27
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Sabrina Dubroca <sd@queasysnail.net> · 2026-02-27
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Yan Yan <hidden> · 2026-02-27
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Antony Antony <hidden> · 2026-03-08
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Sabrina Dubroca <sd@queasysnail.net> · 2026-03-10
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Antony Antony <hidden> · 2026-03-10
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Yan Yan <hidden> · 2026-03-14
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Antony Antony <hidden> · 2026-04-07
Re: [devel-ipsec] Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Antony Antony <hidden> · 2026-03-05
[PATCH ipsec-next v5 6/8] xfrm: add state synchronization after migration · Antony Antony <hidden> · 2026-01-27

Re: [devel-ipsec] Re: [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration

From: Yan Yan <hidden>
Date: 2026-02-27 23:14:34
Also in: lkml, selinux

Anything that we leave as implicit copy will have to be "forever"

implicitly copied with this new MIGRATE_STATE op -- unless we find a
way to pass a new "clear these properties" flag (probably via a list
of XFRMA_* attribute names)

That is true. I also have the concern that if all updatable attributes
follow the "omit-to-clear" pattern, we lose the extensibility. Thus
ideally we should switch to an "omit-to-inherit" model for some, if
not all, attributes to ensure that adding new SA properties doesn't
break backward compatibility.

On Fri, Feb 27, 2026 at 3:26 AM Sabrina Dubroca [off-list ref] wrote:

2026-02-26, 17:44:51 -0800, Yan Yan via Devel wrote:

quoted

Hi Antony,

May I request that we also support updating the XFRMA_SET_MARK as part
of the new XFRM_MSG_MIGRATE_STATE message?

In Android, the primary use case for migration is switching the
underlying physical network for an IPsec tunnel (e.g. VPN, Wifi
calling). Currently, due to the limits of XFRM_MSG_MIGRATE, we are
forced to use a separate UPDSA call to update the set-mark. Supporting
XFRMA_SET_MARK within the migrate message would allow us to update the
addresses and the routing mark together in one atomic call.

Regarding the logic, I believe the set-mark can follow the same
omit-to-clear pattern as XFRMA_ENCAP and XFRMA_OFFLOAD_DEV.

I think this raises a wider question: clearly definining and
documenting which attributes need to be explicitly provided
("omit-to-clear" as you write), and which will be implicitly copied.

Currently it looks like we copy:
 - all the crypto stuff (aalg/aead/etc)
 - security context stuff
 - coaddr
 - replay/replay_esn
 - pcpu_num, if_id, tfcpad
 - dir
 - mark
 - extra_flags

but not
 - nat_keepalive_interval
 - offload
 - encap

[gathered from a quick read of xfrm_state_clone_and_setup + the
definition of xfrma_policy]

Anything that we leave as implicit copy will have to be "forever"
implicitly copied with this new MIGRATE_STATE op -- unless we find a
way to pass a new "clear these properties" flag (probably via a list
of XFRMA_* attribute names), but then we could also implement that
with the existing MIGRATE code.

--
Sabrina



--
--
Best,
Yan

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help