[NETFILTER 12/14]: Fix ip6t_policy address matching
Patrick McHardy
kaber at trash.net
Fri Feb 3 14:44:16 CET 2006
[NETFILTER]: Fix ip6t_policy address matching
Fix two bugs in ip6t_policy address matching:
- misorder arguments to ip6_masked_addrcmp, mask must be the second argument
- inversion incorrectly applied to the entire expression instead of just
the address comparison
Signed-off-by: Patrick McHardy <kaber at trash.net>
---
commit 13518265c8c2fc265520844ada5dd15b10aa4653
tree d374d2abc2678f3ba4da1ab282f1f24a832a9cae
parent 0140ae42a6acc87e5c63ac8367473670dcffba8e
author Patrick McHardy <kaber at trash.net> Fri, 03 Feb 2006 13:27:12 +0100
committer Patrick McHardy <kaber at trash.net> Fri, 03 Feb 2006 13:27:12 +0100
net/ipv6/netfilter/ip6t_policy.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
index 9f38cd0..1d0f482 100644
--- a/net/ipv6/netfilter/ip6t_policy.c
+++ b/net/ipv6/netfilter/ip6t_policy.c
@@ -26,8 +26,9 @@ MODULE_LICENSE("GPL");
static inline int
match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e)
{
-#define MATCH_ADDR(x,y,z) (!e->match.x || \
- ((ip6_masked_addrcmp((z), &e->x, &e->y)) == 0) ^ e->invert.x)
+#define MATCH_ADDR(x,y,z) (!e->match.x || \
+ ((!ip6_masked_addrcmp(&e->x, &e->y, z)) \
+ ^ e->invert.x))
#define MATCH(x,y) (!e->match.x || ((e->x == (y)) ^ e->invert.x))
return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) &&
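Review bot: the new MATCH_ADDR passes the macro parameter z to ip6_masked_addrcmp without parentheses, where the removed version wrote (z). The callers visible here pass a cast expression such as (struct in6_addr *)&x->props.saddr.a6, which works as a function argument, but writing (z) keeps the macro safe for any argument expression and matches how MATCH already wraps (y). Since the bug being fixed was the argument order, a one-line comment above the macro stating that the mask is the second argument to ip6_masked_addrcmp would help prevent a regression. The XOR also assumes both operands are 0 or 1: !ip6_masked_addrcmp(...) guarantees that on the left, while the right depends on e->invert.x being a single-bit flag, which is not visible in this hunk and is worth confirming.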