Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a7a91a19 authored by Paul Moore's avatar Paul Moore
Browse files

selinux: fix a problem with IPv6 traffic denials in selinux_ip_postroute() 



A previous commit c0828e50 ("selinux:
process labeled IPsec TCP SYN-ACK packets properly in
selinux_ip_postroute()") mistakenly left out a 'break' from a switch
statement which caused problems with IPv6 traffic.

Thanks to Florian Westphal for reporting and debugging the issue.

Reported-by: default avatarFlorian Westphal <fwestpha@redhat.com>
Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
parent 7b0d0b40

security/selinux/hooks.c

+1 −0
Original line number Diff line number Diff line
@@ -4993,6 +4993,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, 
			case PF_INET6:

				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)

					return NF_ACCEPT;

				break;

			default:

				return NF_DROP_ERR(-ECONNREFUSED);

			}