net/sched: act_ct: fix err check for nf_conntrack_confirm

The confirm operation should be checked. If there are any failed, the packet should be dropped like in ovs and netfilter. Fixes: b57dc7c ("net/sched: Introduce action ct") Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: David S. Miller <davem@davemloft.net>
mariux64 · Jul 2, 2021 · 8955b90 · 8955b90
1 parent 1bfa4d0
commit 8955b90
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
@@ -1026,7 +1026,8 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
 		/* This will take care of sending queued events
 		 * even if the connection is already confirmed.
 		 */
-		nf_conntrack_confirm(skb);
+		if (nf_conntrack_confirm(skb) != NF_ACCEPT)
+			goto drop;
 	}
 
 	if (!skip_add)