netfilter: nft_quota: fix overquota logic

Use xor to decide to break further rule evaluation or not, since the
existing logic doesn't achieve the expected inversion.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c
index 6eafbf987ed9c682f5c01ebae1e5665d8fccdb87..92b6ff16dbb387510d61ee9c0bec8291ea49e016 100644 (file)
--- a/net/netfilter/nft_quota.c
+++ b/net/netfilter/nft_quota.c
@@ -33,7 +33,7 @@ static void nft_quota_eval(const struct nft_expr *expr,
 {
        struct nft_quota *priv = nft_expr_priv(expr);
 
-       if (nft_quota(priv, pkt) < 0 && !priv->invert)
+       if ((nft_quota(priv, pkt) < 0) ^ priv->invert)
                regs->verdict.code = NFT_BREAK;
 }