diff options
| author | Madhu Koriginja <madhu.koriginja@nxp.com> | 2023-03-21 16:58:44 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2023-03-22 21:50:23 +0100 |
| commit | b0e214d212030fe497d4d150bb3474e50ad5d093 (patch) | |
| tree | 21c0b2358d1100e938e8b12f50a9d4be1860c779 /net/ipv6/ip6_input.c | |
| parent | xtables: move icmp/icmpv6 logic to xt_tcpudp (diff) | |
| download | linux-b0e214d212030fe497d4d150bb3474e50ad5d093.tar.xz linux-b0e214d212030fe497d4d150bb3474e50ad5d093.zip | |
netfilter: keep conntrack reference until IPsecv6 policy checks are done
Keep the conntrack reference until policy checks have been performed for
IPsec V6 NAT support, just like ipv4.
The reference needs to be dropped before a packet is
queued to avoid having the conntrack module unloadable.
Fixes: 58a317f1061c ("netfilter: ipv6: add IPv6 NAT support")
Signed-off-by: Madhu Koriginja <madhu.koriginja@nxp.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'net/ipv6/ip6_input.c')
| -rw-r--r-- | net/ipv6/ip6_input.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c index e1ebf5e42ebe..d94041bb4287 100644 --- a/net/ipv6/ip6_input.c +++ b/net/ipv6/ip6_input.c @@ -404,10 +404,6 @@ resubmit_final: /* Only do this once for first final protocol */ have_final = true; - /* Free reference early: we don't need it any more, - and it may hold ip_conntrack module loaded - indefinitely. */ - nf_reset_ct(skb); skb_postpull_rcsum(skb, skb_network_header(skb), skb_network_header_len(skb)); @@ -430,10 +426,12 @@ resubmit_final: goto discard; } } - if (!(ipprot->flags & INET6_PROTO_NOPOLICY) && - !xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { - SKB_DR_SET(reason, XFRM_POLICY); - goto discard; + if (!(ipprot->flags & INET6_PROTO_NOPOLICY)) { + if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { + SKB_DR_SET(reason, XFRM_POLICY); + goto discard; + } + nf_reset_ct(skb); } ret = INDIRECT_CALL_2(ipprot->handler, tcp_v6_rcv, udpv6_rcv, |