net/sched: act_ct: fix err check for nf_conntrack_confirm
commit 8955b90c3cdad199137809aac8ccbbb585355913 upstream.
The result of the confirm operation should be checked. If it fails,
the packet should be dropped, as in ovs and netfilter.
Fixes: b57dc7c13e
("net/sched: Introduce action ct")
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent
2497307356
commit
813d45499f
@ -474,7 +474,8 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
|
|||||||
/* This will take care of sending queued events
|
/* This will take care of sending queued events
|
||||||
* even if the connection is already confirmed.
|
* even if the connection is already confirmed.
|
||||||
*/
|
*/
|
||||||
nf_conntrack_confirm(skb);
|
if (nf_conntrack_confirm(skb) != NF_ACCEPT)
|
||||||
|
goto drop;
|
||||||
}
|
}
|
||||||
|
|
||||||
out_push:
|
out_push:
|
||||||
|
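Review bot: The comment kept above the new `if (nf_conntrack_confirm(skb) != NF_ACCEPT)` check still describes only event delivery, so a reader cannot tell that a failed confirm now drops the packet. I would add a line to it such as `* Any verdict other than NF_ACCEPT means the confirm failed; drop the packet.`. The `drop` label and the rest of tcf_ct_act are outside the hunk, so it is not visible here whether that path bumps a drop counter or how it treats the skb now that `out_push` is skipped. Both are worth confirming, because uncounted drops on confirm failure are hard to diagnose from the outside.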