author | Patrick McHardy <kaber@trash.net> | 2006-01-07 02:06:10 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-01-07 15:57:36 -0500 |
commit | b59c270104f03960069596722fea70340579244d (patch) | |
tree | 5d038835626047899097b622695ead5c1eb1c499 /net/ipv4/ip_input.c | |
parent | 5c901daaea3be0d900b3ae1fc9b5f64ff94e4f02 (diff) |
[NETFILTER]: Keep conntrack reference until IPsec policy checks are done
Keep the conntrack reference until policy checks have been performed for
IPsec NAT support. The reference needs to be dropped before a packet is
queued to avoid leaving the conntrack module impossible to unload.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/ip_input.c')
-rw-r--r-- | net/ipv4/ip_input.c | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index e45846ae570b..18d7fad474d7 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c | |||
@@ -185,7 +185,6 @@ int ip_call_ra_chain(struct sk_buff *skb) | |||
185 | raw_rcv(last, skb2); | 185 | raw_rcv(last, skb2); |
186 | } | 186 | } |
187 | last = sk; | 187 | last = sk; |
188 | nf_reset(skb); | ||
189 | } | 188 | } |
190 | } | 189 | } |
191 | 190 | ||
@@ -204,10 +203,6 @@ static inline int ip_local_deliver_finish(struct sk_buff *skb) | |||
204 | 203 | ||
205 | __skb_pull(skb, ihl); | 204 | __skb_pull(skb, ihl); |
206 | 205 | ||
207 | /* Free reference early: we don't need it any more, and it may | ||
208 | hold ip_conntrack module loaded indefinitely. */ | ||
209 | nf_reset(skb); | ||
210 | |||
211 | /* Point into the IP datagram, just past the header. */ | 206 | /* Point into the IP datagram, just past the header. */ |
212 | skb->h.raw = skb->data; | 207 | skb->h.raw = skb->data; |
213 | 208 | ||
@@ -232,10 +227,12 @@ static inline int ip_local_deliver_finish(struct sk_buff *skb) | |||
232 | if ((ipprot = rcu_dereference(inet_protos[hash])) != NULL) { | 227 | if ((ipprot = rcu_dereference(inet_protos[hash])) != NULL) { |
233 | int ret; | 228 | int ret; |
234 | 229 | ||
235 | if (!ipprot->no_policy && | 230 | if (!ipprot->no_policy) { |
236 | !xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) { | 231 | if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) { |
237 | kfree_skb(skb); | 232 | kfree_skb(skb); |
238 | goto out; | 233 | goto out; |
234 | } | ||
235 | nf_reset(skb); | ||
239 | } | 236 | } |
240 | ret = ipprot->handler(skb); | 237 | ret = ipprot->handler(skb); |
241 | if (ret < 0) { | 238 | if (ret < 0) { |
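Review bot: In the last hunk of ip_local_deliver_finish() the new `nf_reset(skb);` sits inside `if (!ipprot->no_policy) {`, so a protocol with `no_policy` set reaches `ipprot->handler(skb)` with the conntrack reference still attached. The same applies to the `raw_rcv()` calls in ip_call_ra_chain(), where the reset was removed outright. The commit message says the reference must be dropped before a packet is queued, so those receivers presumably have to run their own policy check and then call `nf_reset()`. This page is limited to net/ipv4/ip_input.c, so that cannot be confirmed from here. The deleted comment was the only statement of why the reset exists, so I would restore one at the new call, e.g. `/* Policy check done: drop the conntrack reference now; no_policy handlers must check policy and nf_reset() themselves before queueing. */`; the function body starts and ends outside the hunk.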