[netfilter-cvslog] r6395 - trunk/iptables/extensions
kaber at netfilter.org
kaber at netfilter.org
Thu Jan 12 10:43:22 CET 2006
Author: kaber at netfilter.org
Date: 2006-01-12 10:43:18 +0100 (Thu, 12 Jan 2006)
New Revision: 6395
Modified:
trunk/iptables/extensions/libip6t_policy.c
trunk/iptables/extensions/libipt_policy.c
Log:
Move empty policy element check to also catch last element
Modified: trunk/iptables/extensions/libip6t_policy.c
===================================================================
--- trunk/iptables/extensions/libip6t_policy.c 2006-01-12 09:12:47 UTC (rev 6394)
+++ trunk/iptables/extensions/libip6t_policy.c 2006-01-12 09:43:18 UTC (rev 6395)
@@ -283,11 +283,6 @@
exit_error(PARAMETER_PROBLEM,
"policy match: can't invert --next option");
- if (!(e->match.reqid || e->match.spi || e->match.saddr ||
- e->match.daddr || e->match.proto || e->match.mode))
- exit_error(PARAMETER_PROBLEM,
- "policy match: --next without policy element specification");
-
if (++info->len == IP6T_POLICY_MAX_ELEM)
exit_error(PARAMETER_PROBLEM,
"policy match: maximum policy depth reached");
@@ -331,6 +326,12 @@
for (i = 0; i < info->len; i++) {
e = &info->pol[i];
+
+ if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+ e->match.daddr || e->match.proto || e->match.mode))
+ exit_error(PARAMETER_PROBLEM,
+ "policy match: empty policy element");
+
if ((e->match.saddr || e->match.daddr)
&& ((e->mode == IP6T_POLICY_MODE_TUNNEL && e->invert.mode) ||
(e->mode == IP6T_POLICY_MODE_TRANSPORT && !e->invert.mode)))
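Review bot: The relocated check at the top of the `for` loop reports `"policy match: empty policy element"` for every position, so the user can no longer tell which element of a multi-element policy is the empty one (the removed message at least pointed at `--next`). Including the index `i` in the message would fix that; exit_error is only seen with literal strings here, so confirm it accepts format arguments. A short comment above the check, such as `/* checked here rather than at --next so the last element is covered as well */`, would record why it lives in the final pass. The loop bound `info->len` is set outside this hunk, so it is worth confirming it already counts the last element when the loop runs, since an element with no match flags presumably constrains nothing and would widen the rule. The same points apply to the identical hunk in libipt_policy.c.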
Modified: trunk/iptables/extensions/libipt_policy.c
===================================================================
--- trunk/iptables/extensions/libipt_policy.c 2006-01-12 09:12:47 UTC (rev 6394)
+++ trunk/iptables/extensions/libipt_policy.c 2006-01-12 09:43:18 UTC (rev 6395)
@@ -243,11 +243,6 @@
exit_error(PARAMETER_PROBLEM,
"policy match: can't invert --next option");
- if (!(e->match.reqid || e->match.spi || e->match.saddr ||
- e->match.daddr || e->match.proto || e->match.mode))
- exit_error(PARAMETER_PROBLEM,
- "policy match: --next without policy element specification");
-
if (++info->len == IPT_POLICY_MAX_ELEM)
exit_error(PARAMETER_PROBLEM,
"policy match: maximum policy depth reached");
@@ -291,6 +286,12 @@
for (i = 0; i < info->len; i++) {
e = &info->pol[i];
+
+ if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+ e->match.daddr || e->match.proto || e->match.mode))
+ exit_error(PARAMETER_PROBLEM,
+ "policy match: empty policy element");
+
if ((e->match.saddr || e->match.daddr)
&& ((e->mode == IPT_POLICY_MODE_TUNNEL && e->invert.mode) ||
(e->mode == IPT_POLICY_MODE_TRANSPORT && !e->invert.mode)))