Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / b59c270104f03960069596722fea70340579244d^! / . / net / ipv4 / tcp_ipv4.c
commitb59c270104f03960069596722fea70340579244d[log] [tgz]
authorPatrick McHardy <kaber@trash.net>Fri Jan 06 23:06:10 2006 -0800
committerDavid S. Miller <davem@sunset.davemloft.net>Sat Jan 07 12:57:36 2006 -0800
tree5d038835626047899097b622695ead5c1eb1c499
parent5c901daaea3be0d900b3ae1fc9b5f64ff94e4f02 [diff] [blame]
[NETFILTER]: Keep conntrack reference until IPsec policy checks are done

Keep the conntrack reference until policy checks have been performed for
IPsec NAT support. The reference needs to be dropped before a packet is
queued to avoid having the conntrack module unloadable.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index e9f83e5..6ea3539 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c

@@ -1080,6 +1080,7 @@
 
 	if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_and_relse;
+	nf_reset(skb);
 
 	if (sk_filter(sk, skb, 0))
 		goto discard_and_relse;