netfilter: nft_quota: fix overquota logic

ummakynes · ummakynes · commit db6d857b819a · 2016-09-07T11:00:56.000+02:00
Use xor to decide to break further rule evaluation or not, since the
existing logic doesn't achieve the expected inversion.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c
@@ -33,7 +33,7 @@ static void nft_quota_eval(const struct nft_expr *expr,
 {
 	struct nft_quota *priv = nft_expr_priv(expr);
 
-	if (nft_quota(priv, pkt) < 0 && !priv->invert)
+	if ((nft_quota(priv, pkt) < 0) ^ priv->invert)
 		regs->verdict.code = NFT_BREAK;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ static void nft_quota_eval(const struct nft_expr *expr,`
`33`	`33`	`{`
`34`	`34`	`struct nft_quota *priv = nft_expr_priv(expr);`
`35`	`35`
`36`		`- if (nft_quota(priv, pkt) < 0 && !priv->invert)`
	`36`	`+ if ((nft_quota(priv, pkt) < 0) ^ priv->invert)`
`37`	`37`	`regs->verdict.code = NFT_BREAK;`
`38`	`38`	`}`
`39`	`39`