net/sched: act_ct: fix err check for nf_conntrack_confirm

commit 8955b90c3c upstream. The confirm operation should be checked. If there are any failed, the packet should be dropped like in ovs and netfilter. Fixes: b57dc7c13e ("net/sched: Introduce action ct") Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-03-26 12:30:23 +09:00 · 2021-07-02 11:34:31 +08:00
parent fc40fdefd9
commit c3bc9ce7d4
1 changed files with 2 additions and 1 deletions
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -1023,7 +1023,8 @@ do_nat:
 		/* This will take care of sending queued events
 		 * even if the connection is already confirmed.
 		 */
-		nf_conntrack_confirm(skb);
+		if (nf_conntrack_confirm(skb) != NF_ACCEPT)
+			goto drop;
 	}

 	if (!skip_add)