From b0e214d212030fe497d4d150bb3474e50ad5d093 Mon Sep 17 00:00:00 2001
From: Madhu Koriginja <madhu.koriginja@nxp.com>
Date: Tue, 21 Mar 2023 21:28:44 +0530
Subject: netfilter: keep conntrack reference until IPsecv6 policy checks are
 done

Keep the conntrack reference until policy checks have been performed for
IPsec V6 NAT support, just like ipv4.

The reference needs to be dropped before a packet is
queued to avoid having the conntrack module unloadable.

Fixes: 58a317f1061c ("netfilter: ipv6: add IPv6 NAT support")
Signed-off-by: Madhu Koriginja <madhu.koriginja@nxp.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/dccp/ipv6.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'net/dccp')

diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 47fb10834223..93c98990d726 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -784,6 +784,7 @@ lookup:
 
 	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
 		goto discard_and_relse;
+	nf_reset_ct(skb);
 
 	return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4,
 				refcounted) ? -1 : 0;
-- 
cgit v1.2.3