author | Madhu Koriginja <madhu.koriginja@nxp.com> | 2023-03-21 18:58:44 +0300 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2023-03-22 23:50:23 +0300 |
commit | b0e214d212030fe497d4d150bb3474e50ad5d093 (patch) | |
tree | 21c0b2358d1100e938e8b12f50a9d4be1860c779 /net/ipv6/udp.c | |
parent | 36ce9982ef2fb63fdf39996900866965d71f5a5e (diff) | |
netfilter: keep conntrack reference until IPsecv6 policy checks are done
Keep the conntrack reference until policy checks have been performed for
IPsec V6 NAT support, just like ipv4.
The reference needs to be dropped before a packet is
queued, so that queued packets do not keep the conntrack module from being unloaded.
Fixes: 58a317f1061c ("netfilter: ipv6: add IPv6 NAT support")
Signed-off-by: Madhu Koriginja <madhu.koriginja@nxp.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'net/ipv6/udp.c')
-rw-r--r-- | net/ipv6/udp.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index d350e57c4792..4caa70a1b871 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -704,6 +704,7 @@ static int udpv6_queue_rcv_one_skb(struct sock *sk, struct sk_buff *skb)
 drop_reason = SKB_DROP_REASON_XFRM_POLICY;
 goto drop;
 }
+ nf_reset_ct(skb);
 if (static_branch_unlikely(&udpv6_encap_needed_key) && up->encap_type) {
 int (*encap_rcv)(struct sock *sk, struct sk_buff *skb);
@@ -1027,6 +1028,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
 if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
 goto discard;
+ nf_reset_ct(skb);
 if (udp_lib_checksum_complete(skb))
 goto csum_error; |
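Review bot: The added `nf_reset_ct(skb);` in udpv6_queue_rcv_one_skb depends on an ordering that the code itself does not state: per the commit message it has to run after `xfrm6_policy_check()` and before the skb is queued. A short comment above the call, e.g. `/* drop the conntrack ref only after the xfrm policy check; it must be gone before the skb is queued */`, would keep a later cleanup from hoisting the reset back above the policy check and silently breaking IPsec policy matching for NATed IPv6 flows. The same comment applies to the call added in the __udp6_lib_rcv hunk. Both functions begin and end outside their hunks, so whether every path that queues the skb passes one of these calls cannot be confirmed from this page.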