Commit 69aeb538 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: nft_flow_offload: IPCB is only valid for ipv4 family



Guard the IPCB access with a check for the IPv4 family; IPCB isn't valid in the IPv6 case.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 91a9048f
+11 −6
@@ -48,14 +48,19 @@ static int nft_flow_route(const struct nft_pktinfo *pkt,
	return 0;
	return 0;
}
}


static bool nft_flow_offload_skip(struct sk_buff *skb)
static bool nft_flow_offload_skip(struct sk_buff *skb, int family)
{
{
	struct ip_options *opt  = &(IPCB(skb)->opt);
	if (skb_sec_path(skb))
		return true;

	if (family == NFPROTO_IPV4) {
		const struct ip_options *opt;

		opt = &(IPCB(skb)->opt);


		if (unlikely(opt->optlen))
		if (unlikely(opt->optlen))
			return true;
			return true;
	if (skb_sec_path(skb))
	}
		return true;


	return false;
	return false;
}
}
@@ -74,7 +79,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
	struct nf_conn *ct;
	struct nf_conn *ct;
	int ret;
	int ret;


	if (nft_flow_offload_skip(pkt->skb))
	if (nft_flow_offload_skip(pkt->skb, nft_pf(pkt)))
		goto out;
		goto out;


	ct = nf_ct_get(pkt->skb, &ctinfo);
	ct = nf_ct_get(pkt->skb, &ctinfo);
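Review bot: The new `if (family == NFPROTO_IPV4)` branch in `nft_flow_offload_skip()` carries no comment explaining why the control-buffer read is gated, so a later cleanup could hoist the `IPCB(skb)` access back out and reintroduce the misinterpretation of `skb->cb` for IPv6 packets. I would add above the branch something like `/* skb->cb is only laid out as inet_skb_parm on the IPv4 path; never read IPCB() for other families */`. After this change non-IPv4 packets are filtered only by `skb_sec_path()`; whether IPv6 packets carrying extension headers need an equivalent skip is not visible in this hunk and is worth confirming against the IPv6 flowtable path. As a minor style point, the declaration and assignment of `opt` could be one line, `const struct ip_options *opt = &IPCB(skb)->opt;`. The body of `nft_flow_offload_eval()` continues outside the second hunk.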