selinux: fix a problem with IPv6 traffic denials in selinux_ip_postroute()
author Paul Moore <pmoore@redhat.com>
Wed, 3 Sep 2014 14:51:59 +0000 (10:51 -0400)
committer Paul Moore <pmoore@redhat.com>
Wed, 3 Sep 2014 14:51:59 +0000 (10:51 -0400)
A previous commit c0828e50485932b7e019df377a6b0a8d1ebd3080 ("selinux:
process labeled IPsec TCP SYN-ACK packets properly in
selinux_ip_postroute()") mistakenly left out a 'break' from a switch
statement which caused problems with IPv6 traffic.

Thanks to Florian Westphal for reporting and debugging the issue.

Reported-by: Florian Westphal <fwestpha@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
security/selinux/hooks.c

index 6c90d491fab4d4692bb7e6b69ad0439e757eb93f..e1e082796a49a02918174b1e80340aeb1fc400fa 100644 (file)
@@ -4993,6 +4993,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
                        case PF_INET6:
                                if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
                                        return NF_ACCEPT;
+                               break;
                        default:
                                return NF_DROP_ERR(-ECONNREFUSED);
                        }
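
Review bot: The PF_INET6 arm still sits directly above 'default', which returns NF_DROP_ERR(-ECONNREFUSED), so the added 'break' is the only thing keeping IPv6 packets without IP6SKB_XFRM_TRANSFORMED from being dropped. A one-line comment on the 'break', or a blank line separating the arm from 'default', would make it harder for a later edit to reintroduce the fall-through. The PF_INET arm lies outside the visible context, so it is worth confirming in review that it ends in 'break' as well. Since the commit message already names c0828e50485932b7e019df377a6b0a8d1ebd3080 as the origin of the problem, a Fixes: tag for that commit would help anyone backporting it.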