aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorPaul Moore <pmoore@redhat.com>2014-09-03 10:51:59 -0400
committerPaul Moore <pmoore@redhat.com>2014-09-03 10:51:59 -0400
commita7a91a1928fe69cc98814cb746d5171ae14d757e (patch)
treeb7a68a5bc2002ccf0980d84dd1356876591107be /security
parent7b0d0b40cd78cadb525df760ee4cac151533c2b5 (diff)
selinux: fix a problem with IPv6 traffic denials in selinux_ip_postroute()
A previous commit c0828e50485932b7e019df377a6b0a8d1ebd3080 ("selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_postroute()") mistakenly left out a 'break' from a switch statement which caused problems with IPv6 traffic. Thanks to Florian Westphal for reporting and debugging the issue. Reported-by: Florian Westphal <fwestpha@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6c90d491fab4..e1e082796a49 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4993,6 +4993,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4993 case PF_INET6: 4993 case PF_INET6:
4994 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 4994 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4995 return NF_ACCEPT; 4995 return NF_ACCEPT;
4996 break;
4996 default: 4997 default:
4997 return NF_DROP_ERR(-ECONNREFUSED); 4998 return NF_DROP_ERR(-ECONNREFUSED);
4998 } 4999 }