net/sched: act_ct: fix err check for nf_conntrack_confirm

The confirm operation should be checked. If there are any failed, the packet should be dropped like in ovs and netfilter. Fixes: b57dc7c1 ("net/sched: Introduce action ct") Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: David S. Miller <davem@davemloft.net>

net/sched: act_ct: fix err check for nf_conntrack_confirm
The confirm operation should be checked. If there are any failed, the packet should be dropped like in ovs and netfilter. Fixes: b57dc7c1 ("net/sched: Introduce action ct") Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: David S. Miller <davem@davemloft.net>
8955b90c · wenxu · David S. Miller · 1bfa4d0c · 8955b90c
Commit 8955b90c authored Jul 02, 2021 by wenxu Committed by David S. Miller Jul 02, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

net/sched/act_ct.c net/sched/act_ct.c +2 -1

No files found.
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -1026,7 +1026,8 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
 		/* This will take care of sending queued events
 		 * even if the connection is already confirmed.
 		 */
-		nf_conntrack_confirm(skb);
+		if (nf_conntrack_confirm(skb) != NF_ACCEPT)
+			goto drop;
 	}
 	if (!skip_add)