[netfilter-cvslog] r6394 - trunk/iptables/extensions

kaber at netfilter.org kaber at netfilter.org
Thu Jan 12 10:12:50 CET 2006


Author: kaber at netfilter.org
Date: 2006-01-12 10:12:47 +0100 (Thu, 12 Jan 2006)
New Revision: 6394

Modified:
   trunk/iptables/extensions/libip6t_policy.c
   trunk/iptables/extensions/libipt_policy.c
Log:
Don't allow using --next option without specifying a policy element


Modified: trunk/iptables/extensions/libip6t_policy.c
===================================================================
--- trunk/iptables/extensions/libip6t_policy.c	2006-01-12 06:33:43 UTC (rev 6393)
+++ trunk/iptables/extensions/libip6t_policy.c	2006-01-12 09:12:47 UTC (rev 6394)
@@ -220,7 +220,7 @@
 		if (e->match.spi)
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: double --spi option");
-		
+
 		e->match.spi = 1;
 		e->invert.spi = invert;
 		e->spi = strtol(argv[optind-1], NULL, 0x10);
@@ -272,7 +272,7 @@
 		if (e->match.mode)
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: double --mode option");
-		
+
 		mode = parse_mode(argv[optind-1]);
 		e->match.mode = 1;
 		e->invert.mode = invert;
@@ -283,6 +283,11 @@
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: can't invert --next option");
 
+                if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+                      e->match.daddr || e->match.proto || e->match.mode))
+                        exit_error(PARAMETER_PROBLEM,
+                                   "policy match: --next without policy element specification");
+
 		if (++info->len == IP6T_POLICY_MAX_ELEM)
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: maximum policy depth reached");
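Review bot: The new emptiness test runs only when --next is parsed, so it covers every element that is followed by --next but not the last element of the policy; the same holds for the identical hunk in libipt_policy.c (@@ -243,6 +243,11 @@). Whether an empty final element is rejected elsewhere, for example in the extension's final-check routine, is not visible here and should be confirmed, since an element with no match flags set presumably puts no constraint on the transform at that position. The added lines in this file are indented with spaces while the surrounding code uses tabs; the libipt_policy.c copy uses tabs, and this one should match it. The six-flag condition is now duplicated in both files and would benefit from a short comment such as `/* reject empty elements: --next must follow at least one of reqid/spi/saddr/daddr/proto/mode */`. The enclosing option-parsing block starts and ends outside the hunk.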

Modified: trunk/iptables/extensions/libipt_policy.c
===================================================================
--- trunk/iptables/extensions/libipt_policy.c	2006-01-12 06:33:43 UTC (rev 6393)
+++ trunk/iptables/extensions/libipt_policy.c	2006-01-12 09:12:47 UTC (rev 6394)
@@ -180,7 +180,7 @@
 		if (e->match.spi)
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: double --spi option");
-		
+
 		e->match.spi = 1;
 		e->invert.spi = invert;
 		e->spi = strtol(argv[optind-1], NULL, 0x10);
@@ -232,7 +232,7 @@
 		if (e->match.mode)
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: double --mode option");
-		
+
 		mode = parse_mode(argv[optind-1]);
 		e->match.mode = 1;
 		e->invert.mode = invert;
@@ -243,6 +243,11 @@
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: can't invert --next option");
 
+		if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+		      e->match.daddr || e->match.proto || e->match.mode))
+			exit_error(PARAMETER_PROBLEM,
+			           "policy match: --next without policy element specification");
+
 		if (++info->len == IPT_POLICY_MAX_ELEM)
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: maximum policy depth reached");



