netfilter: keep conntrack reference until IPsecv6 policy checks are done

[ Upstream commit b0e214d212030fe497d4d150bb3474e50ad5d093 ] Keep the conntrack reference until policy checks have been performed for IPsec V6 NAT support, just like ipv4. The reference needs to be dropped before a packet is queued to avoid having the conntrack module unloadable. Fixes: 58a317f1061c ("netfilter: ipv6: add IPv6 NAT support") Signed-off-by: Madhu Koriginja <madhu.koriginja@nxp.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Madhu Koriginja <madhu.koriginja@nxp.com> 2023-03-21 21:28:44 +0530
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-05-11 23:03:18 +0900
commit: 2361aee1c52cf237a9d85ad9e2625fb8a473a4ff (patch)
tree: c3dd53a60384530d8d0efb961f9737d6f1d3b09d /net/dccp
parent: 8d05f25475a25719c6592bde3ee1245a860d1769 (diff)
download: linux-2361aee1c52cf237a9d85ad9e2625fb8a473a4ff.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index b9d7c3dd1cb3..c0fd8f5f3b94 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -783,6 +783,7 @@ lookup:
 
 	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_and_relse;
+	nf_reset_ct(skb);
 
 	return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4,
 				refcounted) ? -1 : 0;
author	Madhu Koriginja <madhu.koriginja@nxp.com>	2023-03-21 21:28:44 +0530
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2023-05-11 23:03:18 +0900
commit	2361aee1c52cf237a9d85ad9e2625fb8a473a4ff (patch)
tree	c3dd53a60384530d8d0efb961f9737d6f1d3b09d /net/dccp
parent	8d05f25475a25719c6592bde3ee1245a860d1769 (diff)
download	linux-2361aee1c52cf237a9d85ad9e2625fb8a473a4ff.tar.gz