[NETFILTER]: Fix ip6t_policy address matching

Fix two bugs in ip6t_policy address matching:
- misorder arguments to ip6_masked_addrcmp, mask must be the second argument
- inversion incorrectly applied to the entire expression instead of just
  the address comparison

Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
index 9f38cd0a6489486420188d80d253aee9153a3d94..1d0f482761235f08f48f886ab6870c4fef868e7b 100644 (file)
--- a/net/ipv6/netfilter/ip6t_policy.c
+++ b/net/ipv6/netfilter/ip6t_policy.c
@@ -26,8 +26,9 @@ MODULE_LICENSE("GPL");
 static inline int
 match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e)
 {
-#define MATCH_ADDR(x,y,z)      (!e->match.x || \
-                                ((ip6_masked_addrcmp((z), &e->x, &e->y)) == 0) ^ e->invert.x)
+#define MATCH_ADDR(x,y,z)      (!e->match.x ||                          \
+                                ((!ip6_masked_addrcmp(&e->x, &e->y, z)) \
+                                 ^ e->invert.x))
 #define MATCH(x,y)             (!e->match.x || ((e->x == (y)) ^ e->invert.x))
        
        return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) &&