diff options
| author | Ulrich Weber <uweber@astaro.com> | 2010-04-15 12:37:18 +0200 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2010-04-15 12:37:18 +0200 |
| commit | 90348e0ede4e74f9404c4d08cce1dbb1baa05b06 (patch) | |
| tree | 92675a833d78e47afff9f6763c5b96a7fa588edd /net | |
| parent | netfilter: bridge-netfilter: Fix MAC header handling with IP DNAT (diff) | |
| download | linux-90348e0ede4e74f9404c4d08cce1dbb1baa05b06.tar.xz linux-90348e0ede4e74f9404c4d08cce1dbb1baa05b06.zip | |
netfilter: ipv6: move xfrm_lookup at end of ip6_route_me_harder
xfrm_lookup should be called after ip6_route_output skb_dst_set,
otherwise skb_dst_set of xfrm_lookup is pointless
Signed-off-by: Ulrich Weber <uweber@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv6/netfilter.c | 25 |
1 files changed, 11 insertions, 14 deletions
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c index d5ed92b14346..a74951c039b6 100644 --- a/net/ipv6/netfilter.c +++ b/net/ipv6/netfilter.c @@ -25,20 +25,6 @@ int ip6_route_me_harder(struct sk_buff *skb) }; dst = ip6_route_output(net, skb->sk, &fl); - -#ifdef CONFIG_XFRM - if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && - xfrm_decode_session(skb, &fl, AF_INET6) == 0) { - struct dst_entry *dst2 = skb_dst(skb); - - if (xfrm_lookup(net, &dst2, &fl, skb->sk, 0)) { - skb_dst_set(skb, NULL); - return -1; - } - skb_dst_set(skb, dst2); - } -#endif - if (dst->error) { IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n"); @@ -50,6 +36,17 @@ int ip6_route_me_harder(struct sk_buff *skb) skb_dst_drop(skb); skb_dst_set(skb, dst); + +#ifdef CONFIG_XFRM + if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && + xfrm_decode_session(skb, &fl, AF_INET6) == 0) { + skb_dst_set(skb, NULL); + if (xfrm_lookup(net, &dst, &fl, skb->sk, 0)) + return -1; + skb_dst_set(skb, dst); + } +#endif + return 0; } EXPORT_SYMBOL(ip6_route_me_harder); |