IPv6 ACL: ::0/126 does not match ::1
hessu opened this issue
There is something wrong with IPv6 ACL processing. The bug appears even without the last change (SHA: aaf7486) which masks host bits in the configured ACL address. Network byte ordering bug with the prefix length, maybe?
Fixed by a htonl() in config parsing - masks need to be in network byte order when comparing addresses.
SHA: 2b6d72d
To be accurate, it was broken when it wasn't being done on a 32-bit boundary. Matching for a /64, /96 or /128 worked fine.
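The byte-order mismatch discussed in this thread, reproduced as an added example (not the project's code). The names `build_mask` and `acl_match`, the `net_order` switch and the four-32-bit-word mask layout are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: prefix mask as four 32-bit words. With net_order == 0
 * the words stay in host byte order, the pre-fix behaviour in the thread. */
static void build_mask(uint32_t mask[4], int prefixlen, int net_order)
{
    for (int i = 0; i < 4; i++) {
        int bits = prefixlen - 32 * i;      /* prefix bits falling in word i */
        uint32_t m = bits >= 32 ? 0xffffffffu
                   : bits <= 0  ? 0u
                   : 0xffffffffu << (32 - bits);
        mask[i] = net_order ? htonl(m) : m;
    }
}

/* Returns 1 if addr is inside net/prefixlen, 0 if not, -1 on bad input. */
int acl_match(const char *net, int prefixlen, const char *addr, int net_order)
{
    struct in6_addr n, a;
    uint32_t nw[4], aw[4], mask[4];

    if (prefixlen < 0 || prefixlen > 128 ||
        inet_pton(AF_INET6, net, &n) != 1 || inet_pton(AF_INET6, addr, &a) != 1)
        return -1;
    memcpy(nw, &n, sizeof nw);              /* address words are in network order */
    memcpy(aw, &a, sizeof aw);
    build_mask(mask, prefixlen, net_order);
    for (int i = 0; i < 4; i++)
        if ((aw[i] & mask[i]) != (nw[i] & mask[i]))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed test cases; the first is the one from the issue title. */
    printf("::1 in ::/126  host-order mask: %d\n", acl_match("::", 126, "::1", 0));
    printf("::1 in ::/126  htonl() mask:    %d\n", acl_match("::", 126, "::1", 1));
    printf("::300:0 in ::/126 host-order:   %d\n", acl_match("::", 126, "::300:0", 0));
    printf("::300:0 in ::/126 htonl():      %d\n", acl_match("::", 126, "::300:0", 1));
    return 0;
}
```

On a little-endian host the host-order mask rejects `::1` and accepts `::300:0`, which lies outside the prefix, so the bug can both deny and wrongly permit. Prefix lengths on a 32-bit boundary give all-ones or all-zero words and are unaffected.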