author | Paul Moore <pmoore@redhat.com> | 2014-09-03 10:51:59 -0400 |
---|---|---|
committer | Paul Moore <pmoore@redhat.com> | 2014-09-03 10:51:59 -0400 |
commit | a7a91a1928fe69cc98814cb746d5171ae14d757e | |
tree | b7a68a5bc2002ccf0980d84dd1356876591107be /security | |
parent | 7b0d0b40cd78cadb525df760ee4cac151533c2b5 | |
selinux: fix a problem with IPv6 traffic denials in selinux_ip_postroute()

A previous commit c0828e50485932b7e019df377a6b0a8d1ebd3080 ("selinux:
process labeled IPsec TCP SYN-ACK packets properly in
selinux_ip_postroute()") mistakenly left out a 'break' from a switch
statement which caused problems with IPv6 traffic.

Thanks to Florian Westphal for reporting and debugging the issue.

Reported-by: Florian Westphal <fwestpha@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 6c90d491fab4..e1e082796a49 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -4993,6 +4993,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
4993 | case PF_INET6: | 4993 | case PF_INET6: |
4994 | if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) | 4994 | if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) |
4995 | return NF_ACCEPT; | 4995 | return NF_ACCEPT; |
4996 | break; | ||
4996 | default: | 4997 | default: |
4997 | return NF_DROP_ERR(-ECONNREFUSED); | 4998 | return NF_DROP_ERR(-ECONNREFUSED); |
4998 | } | 4999 | } |
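Review bot: The break added to the PF_INET6 arm at new line 4996 repairs a regression from a named commit, so the message should carry a Fixes: tag for c0828e50485932b7e019df377a6b0a8d1ebd3080 so that any tree carrying that commit picks this one up as well. The change itself is right: without the break, an IPv6 packet that does not have IP6SKB_XFRM_TRANSFORMED set falls through into default: and is dropped with NF_DROP_ERR(-ECONNREFUSED). The PF_INET arm is outside the visible context, so it is worth confirming that it ends in its own break rather than depending on the same fall-through. Because default is a fail-closed drop, a one-line comment on the break saying that untransformed packets are meant to continue past the switch would make a later edit here less likely to reintroduce the denial.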