netfilter: nat: propagate errors from xfrm_me_harder()

Propagate errors from ip_xfrm_me_harder() instead of returning EPERM in
all cases.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 5 insertions, 4 deletions

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 8d5769c6d16e..346f871cf096 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -87,9 +87,10 @@ int nf_xfrm_me_harder(struct sk_buff *skb, unsigned int family)
         struct flowi fl;
         unsigned int hh_len;
         struct dst_entry *dst;
+        int err;
 
-        if (xfrm_decode_session(skb, &fl, family) < 0)
-                return -1;
+        err = xfrm_decode_session(skb, &fl, family);
+                return err;
 
         dst = skb_dst(skb);
         if (dst->xfrm)
@@ -98,7 +99,7 @@ int nf_xfrm_me_harder(struct sk_buff *skb, unsigned int family)
 
         dst = xfrm_lookup(dev_net(dst->dev), dst, &fl, skb->sk, 0);
         if (IS_ERR(dst))
-                return -1;
+                return PTR_ERR(dst);
 
         skb_dst_drop(skb);
         skb_dst_set(skb, dst);
@@ -107,7 +108,7 @@ int nf_xfrm_me_harder(struct sk_buff *skb, unsigned int family)
         hh_len = skb_dst(skb)->dev->hard_header_len;
         if (skb_headroom(skb) < hh_len &&
             pskb_expand_head(skb, hh_len - skb_headroom(skb), 0, GFP_ATOMIC))
-                return -1;
+                return -ENOMEM;
         return 0;
 }
 EXPORT_SYMBOL(nf_xfrm_me_harder);