> + /* If skb->dst->xfrm is non-NULL then the packet is undergoing an > IPsec > + * packet transformation so allow the packet to pass without > any checks > + * since we'll have another chance to perform access > control checks > + * when the packet is on it's final way out. */ > + if (skb->dst->xfrm != NULL) > + return NF_ACCEPT;

Just in case anyone is playing with this right now, the if statement above is wrong, it should be:

    if (skb->dst != NULL && skb->dst->xfrm != NULL)
            return NF_ACCEPT;

... it turns out some IPv6 multicast code never sets skb->dst which causes some problems :)

I'll be delaying posting a new patchset for a few days to try and catch some more bugs, however, I have updated the git tree for those of you who are interested.

--
paul moore
linux security @ hp
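
Review bot: the condition `if (skb->dst->xfrm != NULL)` in the quoted hunk dereferences skb->dst without first checking it for NULL, and the reply notes that some IPv6 multicast code never sets skb->dst, so on those packets the hook dereferences a NULL pointer. Test the pointer first, as in `if (skb->dst != NULL && skb->dst->xfrm != NULL)`. Because this branch returns NF_ACCEPT with no access control checks at all, the comment should also name where the later check on the transformed packet is performed, so a reader can confirm that every packet accepted early here is covered on its final pass; while touching the comment, "it's final way out" should read "its final way out".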