| Message ID | 1402288645-6904-1-git-send-email-huizhang@marvell.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
From: Hui Zhang <huizhang@marvell.com> Date: Mon, 9 Jun 2014 12:37:25 +0800 > Bug report on https://bugzilla.kernel.org/show_bug.cgi?id=75781 > > When a local output ipsec packet match the mangle table rule, > and be set mark value, the packet will be route again in > route_me_harder -> _session_decoder6 > > In this case, the nhoff in CB of skb was still the default > value 0. So the protocal match can't success and the packet can't match > correct SA rule,and then the packet be send out in plaintext. > > To fixed up the issue. The CB->nhoff must be set. > > Signed-off-by: Hui Zhang <huizhang@marvell.com> Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c index 827f795..589f6b9 100644 --- a/net/ipv6/output_core.c +++ b/net/ipv6/output_core.c @@ -106,6 +106,7 @@ int __ip6_local_out(struct sk_buff *skb) if (len > IPV6_MAXPLEN) len = 0; ipv6_hdr(skb)->payload_len = htons(len); + IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr); return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev, dst_output);
Bug report on https://bugzilla.kernel.org/show_bug.cgi?id=75781 When a local output ipsec packet match the mangle table rule, and be set mark value, the packet will be route again in route_me_harder -> _session_decoder6 In this case, the nhoff in CB of skb was still the default value 0. So the protocal match can't success and the packet can't match correct SA rule,and then the packet be send out in plaintext. To fixed up the issue. The CB->nhoff must be set. Signed-off-by: Hui Zhang <huizhang@marvell.com> --- net/ipv6/output_core.c | 1 + 1 file changed, 1 insertion(+)