summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorhuizhang <huizhang@marvell.com>2014-06-09 06:37:25 +0200
committerDavid S. Miller <davem@davemloft.net>2014-06-11 09:47:31 +0200
commitf6c20c596f41fe6331cee2053b270bf12142b04e (patch)
tree8465b77d7c1b2e08a012e7a772a839593a7f7280
parentip_tunnel: fix i_key matching in ip_tunnel_find (diff)
downloadlinux-f6c20c596f41fe6331cee2053b270bf12142b04e.tar.xz
linux-f6c20c596f41fe6331cee2053b270bf12142b04e.zip
net: ipv6: Fixed up ipsec packet be re-routing issue
Bug report on https://bugzilla.kernel.org/show_bug.cgi?id=75781 When a local output ipsec packet match the mangle table rule, and be set mark value, the packet will be route again in route_me_harder -> _session_decoder6 In this case, the nhoff in CB of skb was still the default value 0. So the protocal match can't success and the packet can't match correct SA rule,and then the packet be send out in plaintext. To fixed up the issue. The CB->nhoff must be set. Signed-off-by: Hui Zhang <huizhang@marvell.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv6/output_core.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index 56596ce390a1..a2bbc0d08d92 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -104,6 +104,7 @@ int __ip6_local_out(struct sk_buff *skb)
if (len > IPV6_MAXPLEN)
len = 0;
ipv6_hdr(skb)->payload_len = htons(len);
+ IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
skb_dst(skb)->dev, dst_output);