diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index b0460abbde2d085947e5fda34196d9aed9083302..321858bf3af23f57ff52a8c8e33f17c0ed2a14e5 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -963,6 +963,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, * are implied between each two transformations. */ for (i = pol->xfrm_nr-1, k = 0; i >= 0; i--) { + if (pol->xfrm_vec[i].optional) + continue; k = xfrm_policy_ok(pol->xfrm_vec+i, sp, k, family); if (k < 0) goto reject;