Commit 37bc21bb authored May 14, 2020 by Phil Sutter Committed by Greg Kroah-Hartman Jun 03, 2020

netfilter: ipset: Fix subcounter update skip



commit a164b95ad6055c50612795882f35e0efda1f1390 upstream.

If IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE is set, user requested to not
update counters in sub sets. Therefore IPSET_FLAG_SKIP_COUNTER_UPDATE
must be set, not unset.

Fixes: 6e01781d ("netfilter: ipset: set match: add support to match the counters")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent f7d80955

net/netfilter/ipset/ip_set_list_set.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -63,7 +63,7 @@ list_set_ktest(struct ip_set set, const struct sk_buff skb,
		/* Don't lookup sub-counters at all */
		opt->cmdflags &= ~IPSET_FLAG_MATCH_COUNTERS;
		if (opt->cmdflags & IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE)
		opt->cmdflags &= ~IPSET_FLAG_SKIP_COUNTER_UPDATE;
		opt->cmdflags \|= IPSET_FLAG_SKIP_COUNTER_UPDATE;
		list_for_each_entry_rcu(e, &map->members, list) {
		ret = ip_set_test(e->id, skb, par, opt);
		if (ret <= 0)