Re: [PATCH] [NETFILTER]: Keep conntrack reference until IPsecv6 policy checks are done

Madhu Koriginja <madhu.koriginja@xxxxxxx> wrote:
> Keep the conntrack reference until policy checks have been performed for
> IPsec V6 NAT support. The reference needs to be dropped before a packet is
> queued to avoid having the conntrack module unloadable.

In the old days there was no ipv6 nat so it's not surprising
that ipv6 discards the conntrack entry earlier than ipv4.

> -		if (!(ipprot->flags & INET6_PROTO_NOPOLICY) &&
> -		    !xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
> -			goto discard;
> +
> +		if (!ipprot->flags & INET6_PROTO_NOPOLICY) {
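
Review bot: In the added `if (!ipprot->flags & INET6_PROTO_NOPOLICY) {` line, `!` binds tighter than `&`, so the condition is evaluated as `(!ipprot->flags) & INET6_PROTO_NOPOLICY` and no longer tests whether the NOPOLICY bit is clear. For any protocol whose `flags` value is non-zero the expression is 0, so the guarded block is skipped even when INET6_PROTO_NOPOLICY is not set, which is exactly the case the removed lines sent through `xfrm6_policy_check()`. Restore the inner parentheses: `if (!(ipprot->flags & INET6_PROTO_NOPOLICY)) {`.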

This looks wrong, why did you drop the () ?

if (!(ipprot->flags & INET6_PROTO_NOPOLICY)) { ...

rest LGTM.


