[NETFILTER]: Keep conntrack reference until IPsec policy checks are done
Keep the conntrack reference until policy checks have been performed for IPsec NAT support. The reference needs to be dropped before a packet is queued to avoid having the conntrack module unloadable.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
committed by David S. Miller
parent 5c901daaea
commit b59c270104
@@ -1080,6 +1080,7 @@ process:
|
||||
|
||||
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
|
||||
goto discard_and_relse;
|
||||
nf_reset(skb);
|
||||
|
||||
if (sk_filter(sk, skb, 0))
|
||||
goto discard_and_relse;
|
||||
|
||||
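Review bot: the nf_reset(skb) call between the xfrm4_policy_check() test and the sk_filter() test has no comment, and its position matters: per the commit message the conntrack reference must survive the IPsec policy check but be dropped before the packet is queued. A one-line comment above nf_reset(skb) stating that ordering would keep a later cleanup from moving it above the policy check or below the point where the skb is queued. Please also confirm that the goto discard_and_relse path taken when xfrm4_policy_check() fails still releases the reference when the skb is freed, since that path skips nf_reset().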