[PATCH] ipv6: netfilter: move xfrm_lookup at end of ip6_route_me

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] ipv6: netfilter: move xfrm_lookup at end of ip6_route_me_harder
@ 2010-04-15  9:42 Ulrich Weber
  2010-04-15 10:37 ` Patrick McHardy
  0 siblings, 1 reply; 2+ messages in thread
From: Ulrich Weber @ 2010-04-15  9:42 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

xfrm_lookup should be called after ip6_route_output skb_dst_set,
otherwise skb_dst_set of xfrm_lookup is pointless

Signed-off-by: Ulrich Weber <uweber@astaro.com>
---
 net/ipv6/netfilter.c |   25 +++++++++++--------------
 1 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index d5ed92b..a74951c 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -25,20 +25,6 @@ int ip6_route_me_harder(struct sk_buff *skb)
 	};
 
 	dst = ip6_route_output(net, skb->sk, &fl);
-
-#ifdef CONFIG_XFRM
-	if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
-	    xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
-		struct dst_entry *dst2 = skb_dst(skb);
-
-		if (xfrm_lookup(net, &dst2, &fl, skb->sk, 0)) {
-			skb_dst_set(skb, NULL);
-			return -1;
-		}
-		skb_dst_set(skb, dst2);
-	}
-#endif
-
 	if (dst->error) {
 		IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
 		LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
@@ -50,6 +36,17 @@ int ip6_route_me_harder(struct sk_buff *skb)
 	skb_dst_drop(skb);
 
 	skb_dst_set(skb, dst);
+
+#ifdef CONFIG_XFRM
+	if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
+	    xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
+		skb_dst_set(skb, NULL);
+		if (xfrm_lookup(net, &dst, &fl, skb->sk, 0))
+			return -1;
+		skb_dst_set(skb, dst);
+	}
+#endif
+
 	return 0;
 }
 EXPORT_SYMBOL(ip6_route_me_harder);
-- 
1.6.3.3


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] ipv6: netfilter: move xfrm_lookup at end of ip6_route_me_harder
  2010-04-15  9:42 [PATCH] ipv6: netfilter: move xfrm_lookup at end of ip6_route_me_harder Ulrich Weber
@ 2010-04-15 10:37 ` Patrick McHardy
  0 siblings, 0 replies; 2+ messages in thread
From: Patrick McHardy @ 2010-04-15 10:37 UTC (permalink / raw)
  To: Ulrich Weber; +Cc: netfilter-devel

Ulrich Weber wrote:
> xfrm_lookup should be called after ip6_route_output skb_dst_set,
> otherwise skb_dst_set of xfrm_lookup is pointless
> 

Applied, thanks Ulrich.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2010-04-15 10:37 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-04-15  9:42 [PATCH] ipv6: netfilter: move xfrm_lookup at end of ip6_route_me_harder Ulrich Weber
2010-04-15 10:37 ` Patrick McHardy

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).