netfilter: ipset: Fix subcounter update skip

If IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE is set, user requested to not
update counters in sub sets. Therefore IPSET_FLAG_SKIP_COUNTER_UPDATE
must be set, not unset.

Fixes: 27b81a8aa373a ("netfilter: ipset: set match: add support to match the counters")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index cd747c0962fd609c738d51f913a42ef92e1b375b..5a67f79665742c3a2907baa7acab75cdec6ea32f 100644 (file)
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -59,7 +59,7 @@ list_set_ktest(struct ip_set *set, const struct sk_buff *skb,
        /* Don't lookup sub-counters at all */
        opt->cmdflags &= ~IPSET_FLAG_MATCH_COUNTERS;
        if (opt->cmdflags & IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE)
-               opt->cmdflags &= ~IPSET_FLAG_SKIP_COUNTER_UPDATE;
+               opt->cmdflags |= IPSET_FLAG_SKIP_COUNTER_UPDATE;
        list_for_each_entry_rcu(e, &map->members, list) {
                ret = ip_set_test(e->id, skb, par, opt);
                if (ret <= 0)