Re: [PATCH] [NETFILTER]: Keep conntrack reference until IPsecv6 policy checks are done

From: Florian Westphal
Date: Wed Mar 01 2023 - 10:08:08 EST

Next message: Mario Limonciello: "[PATCH 2/2] platform/x86/amd: pmc: Add a check for PMFW version on PS platform"
Previous message: syzbot: "[syzbot] [fscrypt?] possible deadlock in fscrypt_initialize (2)"
In reply to: Madhu Koriginja: "[PATCH] [NETFILTER]: Keep conntrack reference until IPsecv6 policy checks are done"
Next in thread: Madhu Koriginja: "RE: [EXT] Re: [PATCH] [NETFILTER]: Keep conntrack reference until IPsecv6 policy checks are done"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Madhu Koriginja <madhu.koriginja@xxxxxxx> wrote:
> Keep the conntrack reference until policy checks have been performed for
> IPsec V6 NAT support. The reference needs to be dropped before a packet is
> queued to avoid having the conntrack module unloadable.

In the old days there was no ipv6 nat so its not surpising
that ipv6 discards the conntrack entry earlier than ipv4.

> - if (!(ipprot->flags & INET6_PROTO_NOPOLICY) &&
> - !xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
> - goto discard;
> +
> + if (!ipprot->flags & INET6_PROTO_NOPOLICY) {

This looks wrong, why did you drop the () ?

if (!(ipprot->flags & INET6_PROTO_NOPOLICY)) { ...

rest LGTM.

Next message: Mario Limonciello: "[PATCH 2/2] platform/x86/amd: pmc: Add a check for PMFW version on PS platform"
Previous message: syzbot: "[syzbot] [fscrypt?] possible deadlock in fscrypt_initialize (2)"
In reply to: Madhu Koriginja: "[PATCH] [NETFILTER]: Keep conntrack reference until IPsecv6 policy checks are done"
Next in thread: Madhu Koriginja: "RE: [EXT] Re: [PATCH] [NETFILTER]: Keep conntrack reference until IPsecv6 policy checks are done"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]