[PATCH ipsec-next v8 04/14] xfrm: fix NAT-related field inheritance in SA migration

[PATCH ipsec-next v8 00/14] xfrm: XFRM_MSG_MIGRATE_STATE new netlink message · Antony Antony <hidden> · 2026-05-05
[PATCH ipsec-next v8 01/14] xfrm: remove redundant assignments · Antony Antony <hidden> · 2026-05-05
Re: [PATCH ipsec-next v8 01/14] xfrm: remove redundant assignments · Sabrina Dubroca <sd@queasysnail.net> · 2026-05-07
[PATCH ipsec-next v8 02/14] xfrm: add extack to xfrm_init_state · Antony Antony <hidden> · 2026-05-05
Re: [PATCH ipsec-next v8 02/14] xfrm: add extack to xfrm_init_state · Sabrina Dubroca <sd@queasysnail.net> · 2026-05-07
[PATCH ipsec-next v8 03/14] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP · Antony Antony <hidden> · 2026-05-05
Re: [PATCH ipsec-next v8 03/14] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP · Sabrina Dubroca <sd@queasysnail.net> · 2026-05-07
[PATCH ipsec-next v8 04/14] xfrm: fix NAT-related field inheritance in SA migration · Antony Antony <hidden> · 2026-05-05
Re: [PATCH ipsec-next v8 04/14] xfrm: fix NAT-related field inheritance in SA migration · Sabrina Dubroca <sd@queasysnail.net> · 2026-05-07
Re: [PATCH ipsec-next v8 04/14] xfrm: fix NAT-related field inheritance in SA migration · Steffen Klassert <steffen.klassert@secunet.com> · 2026-05-07
Re: [PATCH ipsec-next v8 04/14] xfrm: fix NAT-related field inheritance in SA migration · Sabrina Dubroca <sd@queasysnail.net> · 2026-05-07
[PATCH ipsec-next v8 05/14] xfrm: rename reqid in xfrm_migrate · Antony Antony <hidden> · 2026-05-05
[PATCH ipsec-next v8 06/14] xfrm: split xfrm_state_migrate into create and install functions · Antony Antony <hidden> · 2026-05-05
Re: [PATCH ipsec-next v8 06/14] xfrm: split xfrm_state_migrate into create and install functions · Sabrina Dubroca <sd@queasysnail.net> · 2026-05-07
[PATCH ipsec-next v8 07/14] xfrm: check family before comparing addresses in migrate · Antony Antony <hidden> · 2026-05-05
Re: [PATCH ipsec-next v8 07/14] xfrm: check family before comparing addresses in migrate · Sabrina Dubroca <sd@queasysnail.net> · 2026-05-07
[PATCH ipsec-next v8 08/14] xfrm: add state synchronization after migration · Antony Antony <hidden> · 2026-05-05
[PATCH ipsec-next v8 09/14] xfrm: add error messages to state migration · Antony Antony <hidden> · 2026-05-05
Re: [PATCH ipsec-next v8 09/14] xfrm: add error messages to state migration · Sabrina Dubroca <sd@queasysnail.net> · 2026-05-07
[PATCH ipsec-next v8 10/14] xfrm: move encap and xuo into struct xfrm_migrate · Antony Antony <hidden> · 2026-05-05
Re: [PATCH ipsec-next v8 10/14] xfrm: move encap and xuo into struct xfrm_migrate · Sabrina Dubroca <sd@queasysnail.net> · 2026-05-07
[PATCH ipsec-next v8 11/14] xfrm: refactor XFRMA_MTIMER_THRESH validation into a helper · Antony Antony <hidden> · 2026-05-05
[PATCH ipsec-next v8 12/14] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Antony Antony <hidden> · 2026-05-05
Re: [PATCH ipsec-next v8 12/14] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Steffen Klassert <steffen.klassert@secunet.com> · 2026-05-07
Re: [PATCH ipsec-next v8 12/14] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Sabrina Dubroca <sd@queasysnail.net> · 2026-05-11
Re: [devel-ipsec] Re: [PATCH ipsec-next v8 12/14] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration · Antony Antony <hidden> · 2026-05-26
[PATCH ipsec-next v8 13/14] xfrm: restrict netlink attributes for XFRM_MSG_MIGRATE_STATE · Antony Antony <hidden> · 2026-05-05
[PATCH ipsec-next v8 14/14] xfrm: add documentation for XFRM_MSG_MIGRATE_STATE · Antony Antony <hidden> · 2026-05-05
Re: [PATCH ipsec-next v8 14/14] xfrm: add documentation for XFRM_MSG_MIGRATE_STATE · Sabrina Dubroca <sd@queasysnail.net> · 2026-05-11
Re: [devel-ipsec] Re: [PATCH ipsec-next v8 14/14] xfrm: add documentation for XFRM_MSG_MIGRATE_STATE · Antony Antony <hidden> · 2026-05-26

COLD16d

Revisions (4)

2026-03-09 v6 [diff vs current]
2026-04-12 v7 [diff vs current]
2026-05-05 v8 current
2026-05-26 v9 [diff vs current]

From: Antony Antony <hidden>
Date: 2026-05-05 04:32:59
Also in: linux-doc, lkml, selinux
Subsystem: networking [general], networking [ipsec], the rest · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Steffen Klassert, Herbert Xu, Linus Torvalds

During SA migration via xfrm_state_clone_and_setup(),
nat_keepalive_interval was silently dropped and never copied to the new
SA. mapping_maxage was unconditionally copied even when migrating to a
non-encapsulated SA.

Both fields are only meaningful when UDP encapsulation (NAT-T) is in
use. Move mapping_maxage and add nat_keepalive_interval inside the
existing if (encap) block, so both are inherited when migrating with
encapsulation and correctly absent when migrating without it.

Signed-off-by: Antony Antony <redacted>

---
v5->v6: added this patch
---
 net/xfrm/xfrm_state.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 933541bc9093..b9de931d84c1 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c

@@ -2012,6 +2012,8 @@ static struct xfrm_state *xfrm_state_clone_and_setup(struct xfrm_state *orig,
 		x->encap = kmemdup(encap, sizeof(*x->encap), GFP_KERNEL);
 		if (!x->encap)
 			goto error;
+		x->mapping_maxage = orig->mapping_maxage;
+		x->nat_keepalive_interval = orig->nat_keepalive_interval;
 	}
 
 	if (orig->security)

@@ -2046,7 +2048,6 @@ static struct xfrm_state *xfrm_state_clone_and_setup(struct xfrm_state *orig,
 	x->km.seq = orig->km.seq;
 	x->replay = orig->replay;
 	x->preplay = orig->preplay;
-	x->mapping_maxage = orig->mapping_maxage;
 	x->lastused = orig->lastused;
 	x->new_mapping = 0;
 	x->new_mapping_sport = 0;

-- 
2.47.3

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help