ip6tables: Fix checking existence of rule
authorMarkus Boehme <markubo@amazon.com>
Mon, 3 Apr 2023 21:13:47 +0000 (23:13 +0200)
committerPhil Sutter <phil@nwl.cc>
Tue, 4 Apr 2023 11:26:43 +0000 (13:26 +0200)
Pass the proper entry size when creating a match mask for checking the
existence of a rule. Failing to do so causes wrong results.

Reported-by: Jonathan Caicedo <jonathan@jcaicedo.com>
Fixes: eb2546a846776 ("xshared: Share make_delete_mask() between ip{,6}tables")
Signed-off-by: Markus Boehme <markubo@amazon.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
iptables/ip6tables.c

index 345af4519bfe7ab15fd96ce780bf34ae2a011df9..9afc32c1a21ed1f3e06bcdefd5413073fdf19c54 100644 (file)
@@ -331,7 +331,7 @@ check_entry(const xt_chainlabel chain, struct ip6t_entry *fw,
        int ret = 1;
        unsigned char *mask;
 
-       mask = make_delete_mask(matches, target, sizeof(fw));
+       mask = make_delete_mask(matches, target, sizeof(*fw));
        for (i = 0; i < nsaddrs; i++) {
                fw->ipv6.src = saddrs[i];
                fw->ipv6.smsk = smasks[i];
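Review bot: The corrected call `make_delete_mask(matches, target, sizeof(*fw))` ships without a regression test, and nothing at the call site explains why the third argument has to be the size of the entry structure rather than of the pointer. The commit message says the old `sizeof(fw)` made rule-existence checks return wrong results, and provisioning scripts commonly use that check to decide whether to append a rule, so a false answer can leave a filtering rule missing or duplicated; a test that checks one present and one absent rule through ip6tables would pin the behaviour. A short comment above the call, such as `/* entry size, not pointer size: the mask must cover the whole struct ip6t_entry */`, would help keep the mistake from coming back. The mask layout inside make_delete_mask() is not visible here, so it should be confirmed separately whether the short size also caused comparisons to read past the mask buffer, and whether the equivalent IPv4 call site passes the structure size. check_entry's body starts before and continues after this hunk.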