Madhu Koriginja <madhu.koriginja@xxxxxxx> wrote:
> Keep the conntrack reference until policy checks have been performed for
> IPsec V6 NAT support. The reference needs to be dropped before a packet is
> queued to avoid having the conntrack module unloadable.

In the old days there was no ipv6 nat so it's not surprising that
ipv6 discards the conntrack entry earlier than ipv4.

> - if (!(ipprot->flags & INET6_PROTO_NOPOLICY) &&
> - !xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
> - goto discard;
> +
> + if (!ipprot->flags & INET6_PROTO_NOPOLICY) {

This looks wrong, why did you drop the () ?

if (!(ipprot->flags & INET6_PROTO_NOPOLICY)) {
...

rest LGTM.
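Review bot: On the added line `if (!ipprot->flags & INET6_PROTO_NOPOLICY) {`, the unary `!` binds tighter than `&`, so the condition is evaluated as `(!ipprot->flags) & INET6_PROTO_NOPOLICY` and depends on whether `flags` is zero as a whole, not on whether the NOPOLICY bit is clear. A protocol with any other flag bit set would not enter this branch, and the removed lines show that this condition gated `xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)`. Restore the inner parentheses from the removed line: `if (!(ipprot->flags & INET6_PROTO_NOPOLICY)) {`.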