* [PATCH] selinux: fix a problem with IPv6 traffic denials in selinux_ip_postroute()
@ 2014-09-03 17:58 Paul Moore
From: Paul Moore @ 2014-09-03 17:58 UTC
  To: selinux; +Cc: Florian Westphal

A previous commit c0828e50485932b7e019df377a6b0a8d1ebd3080 ("selinux:
process labeled IPsec TCP SYN-ACK packets properly in
selinux_ip_postroute()") mistakenly left out a 'break' from a switch
statement which caused problems with IPv6 traffic.

Thanks to Florian Westphal for reporting and debugging the issue.

Reported-by: Florian Westphal <fwestpha@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
 security/selinux/hooks.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6c90d49..e1e0827 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4993,6 +4993,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 			case PF_INET6:
 				if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
 					return NF_ACCEPT;
+				break;
 			default:
 				return NF_DROP_ERR(-ECONNREFUSED);
 			}
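
Review bot: The changelog says only that the missing 'break' "caused problems with IPv6 traffic", but the hunk shows the concrete effect: in the PF_INET6 case, a packet without IP6SKB_XFRM_TRANSFORMED set fell through into default: and returned NF_DROP_ERR(-ECONNREFUSED). Stating that in the commit message would make the failure easier to recognise from a bug report. The PF_INET case sits above the visible context, so it is worth confirming that it already ends in a break after its own return NF_ACCEPT check. Since the message already names the commit that introduced the problem, a Fixes: line for it would also help backporters.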
