Commit 878c41ce authored Feb 04, 2006 by Patrick McHardy Committed by David S. Miller Feb 04, 2006

[NETFILTER]: Fix ip6t_policy address matching



Fix two bugs in ip6t_policy address matching:
- misorder arguments to ip6_masked_addrcmp, mask must be the second argument
- inversion incorrectly applied to the entire expression instead of just
  the address comparison

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent e55f1bc5

net/ipv6/netfilter/ip6t_policy.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -27,7 +27,8 @@ static inline int
		match_xfrm_state(struct xfrm_state x, const struct ip6t_policy_elem e)
		{
		#define MATCH_ADDR(x,y,z) (!e->match.x \|\| \
		((ip6_masked_addrcmp((z), &e->x, &e->y)) == 0) ^ e->invert.x)
		((!ip6_masked_addrcmp(&e->x, &e->y, z)) \
		^ e->invert.x))
		#define MATCH(x,y) (!e->match.x \|\| ((e->x == (y)) ^ e->invert.x))

		return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) &&