netfilter: keep conntrack reference until IPsecv6 policy checks are done

Keep the conntrack reference until policy checks have been performed for IPsec V6 NAT support, just like ipv4. The reference needs to be dropped before a packet is queued to avoid having the conntrack module unloadable. Fixes: 58a317f1061c ("netfilter: ipv6: add IPv6 NAT support") Signed-off-by: Madhu Koriginja <madhu.koriginja@nxp.com> Signed-off-by: Florian Westphal <fw@strlen.de>
author: Madhu Koriginja <madhu.koriginja@nxp.com> 2023-03-21 21:28:44 +0530
committer: Florian Westphal <fw@strlen.de> 2023-03-22 21:50:23 +0100
commit: b0e214d212030fe497d4d150bb3474e50ad5d093 (patch)
tree: 21c0b2358d1100e938e8b12f50a9d4be1860c779 /net/ipv6/raw.c
parent: 36ce9982ef2fb63fdf39996900866965d71f5a5e (diff)
1 files changed, 2 insertions, 3 deletions
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 6ac2f2690c44..4ab62a9c5c8e 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -194,10 +194,8 @@ static bool ipv6_raw_deliver(struct sk_buff *skb, int nexthdr)
 			struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC);
 
 			/* Not releasing hash table! */
-			if (clone) {
-				nf_reset_ct(clone);
+			if (clone)
 				rawv6_rcv(sk, clone);
-			}
 		}
 	}
 	rcu_read_unlock();
@@ -391,6 +389,7 @@ int rawv6_rcv(struct sock *sk, struct sk_buff *skb)
 		kfree_skb_reason(skb, SKB_DROP_REASON_XFRM_POLICY);
 		return NET_RX_DROP;
 	}
+	nf_reset_ct(skb);
 
 	if (!rp->checksum)
 		skb->ip_summed = CHECKSUM_UNNECESSARY;
author	Madhu Koriginja <madhu.koriginja@nxp.com>	2023-03-21 21:28:44 +0530
committer	Florian Westphal <fw@strlen.de>	2023-03-22 21:50:23 +0100
commit	b0e214d212030fe497d4d150bb3474e50ad5d093 (patch)
tree	21c0b2358d1100e938e8b12f50a9d4be1860c779 /net/ipv6/raw.c
parent	36ce9982ef2fb63fdf39996900866965d71f5a5e (diff)