1 files changed, 2 insertions, 2 deletions
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 85330856a29c..0c50b2894055 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -122,7 +122,7 @@ conntrack_addrcmp(const union nf_inet_addr *kaddr,
                  const union nf_inet_addr *umask, unsigned int l3proto)
 {
        if (l3proto == AF_INET)
-                return (kaddr->ip & umask->ip) == uaddr->ip;
+                return ((kaddr->ip ^ uaddr->ip) & umask->ip) == 0;
        else if (l3proto == AF_INET6)
                return ipv6_masked_addr_cmp(&kaddr->in6, &umask->in6,
                       &uaddr->in6) == 0;
@@ -231,7 +231,7 @@ conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
                        if (test_bit(IPS_DST_NAT_BIT, &ct->status))
                                statebit |= XT_CONNTRACK_STATE_DNAT;
                }
-                if ((info->state_mask & statebit) ^
+                if (!!(info->state_mask & statebit) ^
                    !(info->invert_flags & XT_CONNTRACK_STATE))
                        return false;
        }

diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c index 85330856a29c..0c50b2894055 100644 --- a/net/netfilter/xt_conntrack.c +++ b/net/netfilter/xt_conntrack.c
@@ -122,7 +122,7 @@ conntrack_addrcmp(const union nf_inet_addr *kaddr,
122	const union nf_inet_addr *umask, unsigned int l3proto)	122	const union nf_inet_addr *umask, unsigned int l3proto)
123	{	123	{
124	if (l3proto == AF_INET)	124	if (l3proto == AF_INET)
125	return (kaddr->ip & umask->ip) == uaddr->ip;	125	return ((kaddr->ip ^ uaddr->ip) & umask->ip) == 0;
126	else if (l3proto == AF_INET6)	126	else if (l3proto == AF_INET6)
127	return ipv6_masked_addr_cmp(&kaddr->in6, &umask->in6,	127	return ipv6_masked_addr_cmp(&kaddr->in6, &umask->in6,
128	&uaddr->in6) == 0;	128	&uaddr->in6) == 0;
@@ -231,7 +231,7 @@ conntrack_mt(const struct sk_buff skb, const struct net_device in,
231	if (test_bit(IPS_DST_NAT_BIT, &ct->status))	231	if (test_bit(IPS_DST_NAT_BIT, &ct->status))
232	statebit \|= XT_CONNTRACK_STATE_DNAT;	232	statebit \|= XT_CONNTRACK_STATE_DNAT;
233	}	233	}
234	if ((info->state_mask & statebit) ^	234	if (!!(info->state_mask & statebit) ^
235	!(info->invert_flags & XT_CONNTRACK_STATE))	235	!(info->invert_flags & XT_CONNTRACK_STATE))
236	return false;	236	return false;
237	}	237	}