For the record, the patch has been backported in Lunar/Jammy/Focal: https://lists.ubuntu.com/archives/kernel-team/2023-August/141562.html

https://bugs.launchpad.net/bugs/2024187

Title:
  xfrm: packets sent through a raw socket don't match ipsec policies with proto selector

Status in linux package in Ubuntu:
  Expired

Bug description:
  [Impact]

  When a userland application sends packets through an IPv4 or IPv6 raw
  socket, these packets don't match ipsec policies that are configured
  with a protocol selector.

  The problem has been fixed in linux v6.4 with commit 3632679d9e4f
  ("ipv{4,6}/raw: fix output xfrm lookup wrt protocol").
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3632679d9e4f

  This commit has been backported in linux 5.15.115:
  https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=395d846c61c5

  [Test Case]

  Configure an ipsec policy with a protocol selector and send ip packets
  that match this policy through an IP raw socket.

  Example to match the proto icmp:
    ip xfrm policy add src 10.100.0.0/24 dst 10.200.0.0/24 proto icmp dir out tmpl src 10.125.0.1 dst 10.125.0.2 proto esp mode tunnel reqid 1

  [Regression Potential]

  The patch introduces a new API to fix this problem, thus the
  regression potential is low for existing applications.
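
Added example, not part of the bug report or the kernel patch: a sender-side sketch of how an application using a header-included IPv4 raw socket can tell a fixed kernel which protocol to use for the xfrm policy lookup. It assumes the "new API" mentioned above is, for IPv4, the IP_PROTOCOL control message (value 52 in linux/in.h on fixed kernels); the function names are hypothetical.

```c
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

#ifndef IP_PROTOCOL
#define IP_PROTOCOL 52 /* assumption: value from linux/in.h on fixed kernels */
#endif

/* Attach one IP_PROTOCOL cmsg carrying `proto` to msg, using buf as storage.
 * Returns 0 on success, -1 if proto is outside 1..255 or buf is too small. */
int set_xfrm_proto_hint(struct msghdr *msg, void *buf, size_t buflen, int proto)
{
    if (proto < 1 || proto > 255 || buflen < CMSG_SPACE(sizeof(int)))
        return -1;
    memset(buf, 0, buflen);
    msg->msg_control = buf;
    msg->msg_controllen = CMSG_SPACE(sizeof(int));
    struct cmsghdr *c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = IPPROTO_IP;           /* same value as SOL_IP */
    c->cmsg_type = IP_PROTOCOL;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &proto, sizeof(int));
    return 0;
}

/* Send a caller-built IPv4 packet (IP header included) on fd, a
 * socket(AF_INET, SOCK_RAW, IPPROTO_RAW) descriptor, with the protocol hint.
 * With the policy from the test case, proto would be IPPROTO_ICMP. */
ssize_t send_raw_with_proto(int fd, const void *pkt, size_t len,
                            const struct sockaddr_in *dst, int proto)
{
    union {                               /* aligned cmsg storage, as in cmsg(3) */
        char buf[CMSG_SPACE(sizeof(int))];
        struct cmsghdr align;
    } ctl;
    struct iovec iov = { .iov_base = (void *)pkt, .iov_len = len };
    struct msghdr msg = {
        .msg_name = (void *)dst, .msg_namelen = sizeof(*dst),
        .msg_iov = &iov, .msg_iovlen = 1,
    };
    if (set_xfrm_proto_hint(&msg, ctl.buf, sizeof(ctl.buf), proto) != 0)
        return -1;
    return sendmsg(fd, &msg, 0);          /* needs CAP_NET_RAW to open fd */
}
```

Applications that keep sending without the hint still see the old lookup behaviour, so whether traffic actually leaves as ESP is worth confirming on the wire.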