
Commit b59c2701 authored by Patrick McHardy, committed by David S. Miller

[NETFILTER]: Keep conntrack reference until IPsec policy checks are done



Keep the conntrack reference until policy checks have been performed for
IPsec NAT support. The reference needs to be dropped before a packet is
queued to avoid having the conntrack module unloadable.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 5c901daa
+1 −0
@@ -1099,6 +1099,7 @@ int dccp_v4_destroy_sock(struct sock *sk)
		kfree_skb(sk->sk_send_head);
		sk->sk_send_head = NULL;
	}
	nf_reset(skb);

	/* Clean up a referenced DCCP bind bucket. */
	if (inet_csk(sk)->icsk_bind_hash != NULL)
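Review bot: As rendered, this section's only added line, `nf_reset(skb);`, sits in a context headed `dccp_v4_destroy_sock(struct sock *sk)`, between the `sk_send_head` cleanup and the bind-bucket comment, where no `skb` is in scope. That looks like an artefact of how the commit page rendered the hunk rather than the real placement: in every other file of this commit the reset goes on the receive path, directly after the `xfrm4_policy_check()` it is meant to follow, and the DCCP hunk presumably does the same in its receive function. Worth confirming against the raw patch, since a reset in a socket-destroy path would not even compile. The enclosing function starts and ends outside the hunk.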
+6 −9
@@ -185,7 +185,6 @@ int ip_call_ra_chain(struct sk_buff *skb)
					raw_rcv(last, skb2);
			}
			last = sk;
			nf_reset(skb);
		}
	}

@@ -204,10 +203,6 @@ static inline int ip_local_deliver_finish(struct sk_buff *skb)

	__skb_pull(skb, ihl);

	/* Free reference early: we don't need it any more, and it may
           hold ip_conntrack module loaded indefinitely. */
	nf_reset(skb);

        /* Point into the IP datagram, just past the header. */
        skb->h.raw = skb->data;

@@ -232,11 +227,13 @@ static inline int ip_local_deliver_finish(struct sk_buff *skb)
		if ((ipprot = rcu_dereference(inet_protos[hash])) != NULL) {
			int ret;

			if (!ipprot->no_policy &&
			    !xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
			if (!ipprot->no_policy) {
				if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
					kfree_skb(skb);
					goto out;
				}
				nf_reset(skb);
			}
			ret = ipprot->handler(skb);
			if (ret < 0) {
				protocol = -ret;
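Review bot: Removing the unconditional early reset in ip_local_deliver_finish (second hunk) changes the contract for every handler that sets `no_policy`: such a handler now receives the skb with the conntrack reference still attached and is responsible for dropping it before the skb can be queued, yet nothing in the new code states this. The commit updates TCP, UDP, raw and DCCP, but any other `no_policy` handler that queues or holds the skb without calling `nf_reset()` would keep the conntrack module pinned, which is exactly what the description says must be avoided. The two-line rationale dropped with the old call (`may hold ip_conntrack module loaded indefinitely`) is worth keeping at the new site; I would put `/* Handlers with no_policy do their own xfrm check and must nf_reset() the skb themselves before it can be queued. */` above the new `if (!ipprot->no_policy)` in the third hunk. The removal in ip_call_ra_chain (first hunk) relies on raw_rcv now doing the reset, which holds as long as that stays true. ip_local_deliver_finish starts and ends outside these hunks.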
+1 −0
@@ -255,6 +255,7 @@ int raw_rcv(struct sock *sk, struct sk_buff *skb)
		kfree_skb(skb);
		return NET_RX_DROP;
	}
	nf_reset(skb);

	skb_push(skb, skb->data - skb->nh.raw);

+1 −0
@@ -1080,6 +1080,7 @@ int tcp_v4_rcv(struct sk_buff *skb)

	if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
		goto discard_and_relse;
	nf_reset(skb);

	if (sk_filter(sk, skb, 0))
		goto discard_and_relse;
+2 −0
@@ -989,6 +989,7 @@ static int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb)
		kfree_skb(skb);
		return -1;
	}
	nf_reset(skb);

	if (up->encap_type) {
		/*
@@ -1149,6 +1150,7 @@ int udp_rcv(struct sk_buff *skb)

	if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
		goto drop;
	nf_reset(skb);

	/* No socket. Drop packet silently, if checksum is wrong */
	if (udp_checksum_complete(skb))
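Review bot: Neither new `nf_reset(skb);` in this file says why it sits exactly where it does, and the same placement rule is now repeated at five call sites across the commit with no comment at any of them. The one in udp_rcv follows the `xfrm4_policy_check(NULL, …)` on the no-socket path (the `No socket` comment two lines down confirms which path this is); the one in udp_queue_rcv_skb follows what reads as the per-socket policy failure branch (`kfree_skb(skb); return -1;`), though that check itself is above the hunk. A one-line comment at each, e.g. `/* Policy check done: drop the conntrack ref before the skb can be queued, so ip_conntrack stays unloadable. */`, would keep a later edit from moving the call back ahead of the check. Its placement before the `up->encap_type` branch also means an encapsulated packet reaches decapsulation without the reference; presumably intended, but worth stating in the same comment. Both enclosing functions extend beyond their hunks.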