A previous commit c0828e50485932b7e019df377a6b0a8d1ebd3080 ("selinux:
process labeled IPsec TCP SYN-ACK packets properly in
selinux_ip_postroute()") mistakenly left out a 'break' from a switch
statement which caused problems with IPv6 traffic.
Thanks to Florian Westphal for reporting and debugging the issue.
Reported-by: Florian Westphal <fwestpha@xxxxxxxxxx>
Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
---
security/selinux/hooks.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6c90d49..e1e0827 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4993,6 +4993,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
case PF_INET6:
if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
return NF_ACCEPT;
+ break;
default:
return NF_DROP_ERR(-ECONNREFUSED);
}
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
