netfilter: ipv6: move xfrm_lookup at end of ip6_route_me_harder

xfrm_lookup should be called after ip6_route_output skb_dst_set,
otherwise skb_dst_set of xfrm_lookup is pointless

Signed-off-by: Ulrich Weber <uweber@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index d5ed92b143469488f475816a1ebb08a5c1803558..a74951c039b6abdcc8844202b082eefd15da7da1 100644 (file)
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -25,20 +25,6 @@ int ip6_route_me_harder(struct sk_buff *skb)
        };
 
        dst = ip6_route_output(net, skb->sk, &fl);
-
-#ifdef CONFIG_XFRM
-       if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
-           xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
-               struct dst_entry *dst2 = skb_dst(skb);
-
-               if (xfrm_lookup(net, &dst2, &fl, skb->sk, 0)) {
-                       skb_dst_set(skb, NULL);
-                       return -1;
-               }
-               skb_dst_set(skb, dst2);
-       }
-#endif
-
        if (dst->error) {
                IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
                LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
@@ -50,6 +36,17 @@ int ip6_route_me_harder(struct sk_buff *skb)
        skb_dst_drop(skb);
 
        skb_dst_set(skb, dst);
+
+#ifdef CONFIG_XFRM
+       if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
+           xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
+               skb_dst_set(skb, NULL);
+               if (xfrm_lookup(net, &dst, &fl, skb->sk, 0))
+                       return -1;
+               skb_dst_set(skb, dst);
+       }
+#endif
+
        return 0;
 }
 EXPORT_SYMBOL(ip6_route_me_harder);