[netfilter-cvslog] r6395 - trunk/iptables/extensions

kaber at netfilter.org kaber at netfilter.org
Thu Jan 12 10:43:22 CET 2006


Author: kaber at netfilter.org
Date: 2006-01-12 10:43:18 +0100 (Thu, 12 Jan 2006)
New Revision: 6395

Modified:
   trunk/iptables/extensions/libip6t_policy.c
   trunk/iptables/extensions/libipt_policy.c
Log:
Move empty policy element check to also catch last element


Modified: trunk/iptables/extensions/libip6t_policy.c
===================================================================
--- trunk/iptables/extensions/libip6t_policy.c	2006-01-12 09:12:47 UTC (rev 6394)
+++ trunk/iptables/extensions/libip6t_policy.c	2006-01-12 09:43:18 UTC (rev 6395)
@@ -283,11 +283,6 @@
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: can't invert --next option");
 
-                if (!(e->match.reqid || e->match.spi || e->match.saddr ||
-                      e->match.daddr || e->match.proto || e->match.mode))
-                        exit_error(PARAMETER_PROBLEM,
-                                   "policy match: --next without policy element specification");
-
 		if (++info->len == IP6T_POLICY_MAX_ELEM)
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: maximum policy depth reached");
@@ -331,6 +326,12 @@
 
 	for (i = 0; i < info->len; i++) {
 		e = &info->pol[i];
+
+                if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+                      e->match.daddr || e->match.proto || e->match.mode))
+                        exit_error(PARAMETER_PROBLEM,
+                                   "policy match: empty policy element");
+
 		if ((e->match.saddr || e->match.daddr)
 		    && ((e->mode == IP6T_POLICY_MODE_TUNNEL && e->invert.mode) ||
 		        (e->mode == IP6T_POLICY_MODE_TRANSPORT && !e->invert.mode)))
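Review bot: The new diagnostic `"policy match: empty policy element"` no longer tells the user which element is at fault, although the check now runs inside the `for (i = 0; ...)` loop where the index is at hand; the same applies to the matching hunk at `@@ -291,6 +286,12 @@` in libipt_policy.c. Assuming exit_error() accepts printf-style arguments, as it does elsewhere in iptables, the message could become `"policy match: empty policy element %d", i` (adjust the conversion to the type of `i`, which is declared outside the hunk). An element with none of the six match flags set presumably constrains nothing at its position in the chain, so naming the exact element helps the administrator see where an IPsec rule would otherwise have been looser than intended. The added lines in this file are also indented with spaces while the surrounding loop uses tabs, unlike the libipt_policy.c copy. The loop body and the `if` that follows continue past the end of the hunk.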

Modified: trunk/iptables/extensions/libipt_policy.c
===================================================================
--- trunk/iptables/extensions/libipt_policy.c	2006-01-12 09:12:47 UTC (rev 6394)
+++ trunk/iptables/extensions/libipt_policy.c	2006-01-12 09:43:18 UTC (rev 6395)
@@ -243,11 +243,6 @@
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: can't invert --next option");
 
-		if (!(e->match.reqid || e->match.spi || e->match.saddr ||
-		      e->match.daddr || e->match.proto || e->match.mode))
-			exit_error(PARAMETER_PROBLEM,
-			           "policy match: --next without policy element specification");
-
 		if (++info->len == IPT_POLICY_MAX_ELEM)
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: maximum policy depth reached");
@@ -291,6 +286,12 @@
 
 	for (i = 0; i < info->len; i++) {
 		e = &info->pol[i];
+
+		if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+		      e->match.daddr || e->match.proto || e->match.mode))
+			exit_error(PARAMETER_PROBLEM,
+			           "policy match: empty policy element");
+
 		if ((e->match.saddr || e->match.daddr)
 		    && ((e->mode == IPT_POLICY_MODE_TUNNEL && e->invert.mode) ||
 		        (e->mode == IPT_POLICY_MODE_TRANSPORT && !e->invert.mode)))



