author Madhu Koriginja <madhu.koriginja@nxp.com> 2023-03-21 16:58:44 +0100
committer Florian Westphal <fw@strlen.de> 2023-03-22 21:50:23 +0100
commit b0e214d212030fe497d4d150bb3474e50ad5d093
tree 21c0b2358d1100e938e8b12f50a9d4be1860c779 /net/dccp
parent xtables: move icmp/icmpv6 logic to xt_tcpudp
netfilter: keep conntrack reference until IPsecv6 policy checks are done

Keep the conntrack reference until policy checks have been performed for IPsec V6 NAT support, just like ipv4. The reference needs to be dropped before a packet is queued to avoid having the conntrack module unloadable.

Fixes: 58a317f1061c ("netfilter: ipv6: add IPv6 NAT support")
Signed-off-by: Madhu Koriginja <madhu.koriginja@nxp.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

Diffstat (limited to 'net/dccp')
-rw-r--r-- net/dccp/ipv6.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 47fb10834223..93c98990d726 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -784,6 +784,7 @@ lookup:
if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_and_relse;
+ nf_reset_ct(skb);
return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4,
refcounted) ? -1 : 0;
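
Review bot: the added nf_reset_ct(skb) directly after the xfrm6_policy_check() test has no comment, yet its position is the entire fix: per the commit message the conntrack reference must still be attached while the policy check runs and must be dropped before the skb is queued, which here means before the __sk_receive_skb() call on the next line. A one-line comment stating that ordering would keep a later cleanup from moving the reset back above the policy check. The diffstat on this page is limited to net/dccp, so the rest of the commit should be checked separately to confirm that any other IPv6 receive paths it touches place the reset at the same point relative to xfrm6_policy_check().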