netfilter: ipt_ecn: fix inversion for IP header ECN match

Userspace allows to specify inversion for IP header ECN matches, the kernel silently accepts it, but doesn't invert the match result. Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Patrick McHardy <kaber@trash.net> 2011-06-16 11:24:55 -0400
committer: Patrick McHardy <kaber@trash.net> 2011-06-16 11:24:55 -0400
commit: db898aa2ef6529fa80891e754d353063611c77de (patch)
tree: 7ac085f1acb6d79516ac0043357fdac26505161f /net
parent: 58d5a0257d2fd89fbe4451f704193cc95b0a9c97 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index aaa85be1b2d8..2b57e52c746c 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -25,7 +25,8 @@ MODULE_LICENSE("GPL");
 static inline bool match_ip(const struct sk_buff *skb,
                            const struct ipt_ecn_info *einfo)
 {
-        return (ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect;
+        return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^
+               !!(einfo->invert & IPT_ECN_OP_MATCH_IP);
 }
 static inline bool match_tcp(const struct sk_buff *skb,
author	Patrick McHardy <kaber@trash.net>	2011-06-16 11:24:55 -0400
committer	Patrick McHardy <kaber@trash.net>	2011-06-16 11:24:55 -0400
commit	db898aa2ef6529fa80891e754d353063611c77de (patch)
tree	7ac085f1acb6d79516ac0043357fdac26505161f /net
parent	58d5a0257d2fd89fbe4451f704193cc95b0a9c97 (diff)

diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c index aaa85be1b2d8..2b57e52c746c 100644 --- a/net/ipv4/netfilter/ipt_ecn.c +++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -25,7 +25,8 @@ MODULE_LICENSE("GPL");
25	static inline bool match_ip(const struct sk_buff *skb,	25	static inline bool match_ip(const struct sk_buff *skb,
26	const struct ipt_ecn_info *einfo)	26	const struct ipt_ecn_info *einfo)
27	{	27	{
28	return (ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect;	28	return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^
		29	!!(einfo->invert & IPT_ECN_OP_MATCH_IP);
29	}	30	}
30		31
31	static inline bool match_tcp(const struct sk_buff *skb,	32	static inline bool match_tcp(const struct sk_buff *skb,