[NETFILTER 12/14]: Fix ip6t_policy address matching

Patrick McHardy kaber at trash.net
Fri Feb 3 14:44:16 CET 2006


[NETFILTER]: Fix ip6t_policy address matching

Fix two bugs in ip6t_policy address matching:
- misorder arguments to ip6_masked_addrcmp, mask must be the second argument
- inversion incorrectly applied to the entire expression instead of just
  the address comparison

Signed-off-by: Patrick McHardy <kaber at trash.net>

---
commit 13518265c8c2fc265520844ada5dd15b10aa4653
tree d374d2abc2678f3ba4da1ab282f1f24a832a9cae
parent 0140ae42a6acc87e5c63ac8367473670dcffba8e
author Patrick McHardy <kaber at trash.net> Fri, 03 Feb 2006 13:27:12 +0100
committer Patrick McHardy <kaber at trash.net> Fri, 03 Feb 2006 13:27:12 +0100

 net/ipv6/netfilter/ip6t_policy.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
index 9f38cd0..1d0f482 100644
--- a/net/ipv6/netfilter/ip6t_policy.c
+++ b/net/ipv6/netfilter/ip6t_policy.c
@@ -26,8 +26,9 @@ MODULE_LICENSE("GPL");
 static inline int
 match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e)
 {
-#define MATCH_ADDR(x,y,z)	(!e->match.x || \
-				 ((ip6_masked_addrcmp((z), &e->x, &e->y)) == 0) ^ e->invert.x)
+#define MATCH_ADDR(x,y,z)	(!e->match.x ||				 \
+				 ((!ip6_masked_addrcmp(&e->x, &e->y, z)) \
+				  ^ e->invert.x))
 #define MATCH(x,y)		(!e->match.x || ((e->x == (y)) ^ e->invert.x))
 	
 	return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) &&



More information about the netfilter-devel mailing list