selinux: fix a problem with IPv6 traffic denials in selinux_ip_postroute()

A previous commit c0828e5 ("selinux:
process labeled IPsec TCP SYN-ACK packets properly in
selinux_ip_postroute()") mistakenly left out a 'break' from a switch
statement which caused problems with IPv6 traffic.

Thanks to Florian Westphal for reporting and debugging the issue.

Reported-by: Florian Westphal <fwestpha@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Paul Moore committed Sep 3, 2014
1 parent 7b0d0b4 commit a7a91a1
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions security/selinux/hooks.c
Expand Up @@ -4993,6 +4993,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
case PF_INET6:
if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
return NF_ACCEPT;
break;
default:
return NF_DROP_ERR(-ECONNREFUSED);
}
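
Review bot: In the PF_INET6 case, the `break;` after the IP6SKB_XFRM_TRANSFORMED check is the only thing that keeps a packet without that flag from falling through to `default:` and hitting `return NF_DROP_ERR(-ECONNREFUSED);`, and nothing in the code makes that dependency visible. A missing break here fails closed without any diagnostic, which is how the regression went unnoticed until IPv6 traffic was denied. Consider ending every case in this switch with an explicit break or return, and marking any intended fall-through with a comment, so the next edit to this switch cannot repeat the mistake. Since the commit message names c0828e5 as the origin, a Fixes: tag and a stable Cc would also help backporters pick up both commits together.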