Commit 69aeb538 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: nft_flow_offload: IPCB is only valid for ipv4 family

Guard this with a check vs. ipv4, IPCB isn't valid in ipv6 case.
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 91a9048f
...@@ -48,15 +48,20 @@ static int nft_flow_route(const struct nft_pktinfo *pkt, ...@@ -48,15 +48,20 @@ static int nft_flow_route(const struct nft_pktinfo *pkt,
return 0; return 0;
} }
static bool nft_flow_offload_skip(struct sk_buff *skb) static bool nft_flow_offload_skip(struct sk_buff *skb, int family)
{ {
struct ip_options *opt = &(IPCB(skb)->opt);
if (unlikely(opt->optlen))
return true;
if (skb_sec_path(skb)) if (skb_sec_path(skb))
return true; return true;
if (family == NFPROTO_IPV4) {
const struct ip_options *opt;
opt = &(IPCB(skb)->opt);
if (unlikely(opt->optlen))
return true;
}
return false; return false;
} }
...@@ -74,7 +79,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr, ...@@ -74,7 +79,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
struct nf_conn *ct; struct nf_conn *ct;
int ret; int ret;
if (nft_flow_offload_skip(pkt->skb)) if (nft_flow_offload_skip(pkt->skb, nft_pf(pkt)))
goto out; goto out;
ct = nf_ct_get(pkt->skb, &ctinfo); ct = nf_ct_get(pkt->skb, &ctinfo);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment