提交 90348e0e 编写于 作者: U Ulrich Weber 提交者: Patrick McHardy

netfilter: ipv6: move xfrm_lookup at end of ip6_route_me_harder

xfrm_lookup should be called after ip6_route_output skb_dst_set,
otherwise skb_dst_set of xfrm_lookup is pointless
Signed-off-by: Ulrich Weber <uweber@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
上级 e179e632
...@@ -25,20 +25,6 @@ int ip6_route_me_harder(struct sk_buff *skb) ...@@ -25,20 +25,6 @@ int ip6_route_me_harder(struct sk_buff *skb)
}; };
dst = ip6_route_output(net, skb->sk, &fl); dst = ip6_route_output(net, skb->sk, &fl);
#ifdef CONFIG_XFRM
if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
struct dst_entry *dst2 = skb_dst(skb);
if (xfrm_lookup(net, &dst2, &fl, skb->sk, 0)) {
skb_dst_set(skb, NULL);
return -1;
}
skb_dst_set(skb, dst2);
}
#endif
if (dst->error) { if (dst->error) {
IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n"); LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
...@@ -50,6 +36,17 @@ int ip6_route_me_harder(struct sk_buff *skb) ...@@ -50,6 +36,17 @@ int ip6_route_me_harder(struct sk_buff *skb)
skb_dst_drop(skb); skb_dst_drop(skb);
skb_dst_set(skb, dst); skb_dst_set(skb, dst);
#ifdef CONFIG_XFRM
if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
skb_dst_set(skb, NULL);
if (xfrm_lookup(net, &dst, &fl, skb->sk, 0))
return -1;
skb_dst_set(skb, dst);
}
#endif
return 0; return 0;
} }
EXPORT_SYMBOL(ip6_route_me_harder); EXPORT_SYMBOL(ip6_route_me_harder);
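Review bot: In the relocated CONFIG_XFRM block of the second hunk, `skb_dst_set(skb, NULL)` directly after `skb_dst_set(skb, dst)` reads like a dropped reference unless the reader knows the route is being handed back to the local `dst` for `xfrm_lookup()` to replace or release. A comment such as `/* detach: xfrm_lookup() takes over our dst reference and is expected to release it on failure */` would make the ownership explicit; the release-on-failure behaviour is presumed from the bare `return -1` and is not visible on this page. The same block skips the policy lookup whenever `xfrm_decode_session()` returns non-zero, so the packet then leaves on the plain route, and if that fail-open behaviour is intended it deserves a one-line comment as well. The `xfrm_lookup()` error is also collapsed to `-1` with no counter or `LIMIT_NETDEBUG` message, unlike the `dst->error` path in the first hunk, which makes policy-lookup drops harder to spot when debugging. The body of ip6_route_me_harder starts before the first hunk, so the setup of `fl` cannot be checked here.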