[netfilter-cvslog] r6426 - trunk/iptables/extensions

kaber at netfilter.org kaber at netfilter.org
Sun Jan 22 14:47:14 CET 2006


Author: kaber at netfilter.org
Date: 2006-01-22 14:47:07 +0100 (Sun, 22 Jan 2006)
New Revision: 6426

Modified:
   trunk/iptables/extensions/libip6t_policy.c
   trunk/iptables/extensions/libipt_policy.c
Log:
Fix "empty policy element" complaining in non-strict mode.
Noticed by Tom Eastep <teastep at shorewall.net>.


Modified: trunk/iptables/extensions/libip6t_policy.c
===================================================================
--- trunk/iptables/extensions/libip6t_policy.c	2006-01-22 13:18:09 UTC (rev 6425)
+++ trunk/iptables/extensions/libip6t_policy.c	2006-01-22 13:47:07 UTC (rev 6426)
@@ -327,7 +327,8 @@
 	for (i = 0; i < info->len; i++) {
 		e = &info->pol[i];
 
-                if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+                if (info->flags & IP6T_POLICY_MATCH_STRICT &&
+		    !(e->match.reqid || e->match.spi || e->match.saddr ||
                       e->match.daddr || e->match.proto || e->match.mode))
                         exit_error(PARAMETER_PROBLEM,
                                    "policy match: empty policy element");
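Review bot: The new condition on the if mixes & and && without parentheses. Precedence makes it parse as (info->flags & IP6T_POLICY_MATCH_STRICT) && !(...), which is the intended reading, but writing those parentheses out would spare the next reader from checking. The added continuation line starting with !( is also indented with tabs plus spaces, while the neighbouring lines of this block in libip6t_policy.c use spaces only, so its alignment with the e->match.daddr line depends on tab width. Matching the surrounding whitespace would keep the expression readable.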

Modified: trunk/iptables/extensions/libipt_policy.c
===================================================================
--- trunk/iptables/extensions/libipt_policy.c	2006-01-22 13:18:09 UTC (rev 6425)
+++ trunk/iptables/extensions/libipt_policy.c	2006-01-22 13:47:07 UTC (rev 6426)
@@ -287,7 +287,8 @@
 	for (i = 0; i < info->len; i++) {
 		e = &info->pol[i];
 
-		if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+		if (info->flags & IPT_POLICY_MATCH_STRICT &&
+		    !(e->match.reqid || e->match.spi || e->match.saddr ||
 		      e->match.daddr || e->match.proto || e->match.mode))
 			exit_error(PARAMETER_PROBLEM,
 			           "policy match: empty policy element");
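Review bot: Nothing at the if explains why an empty policy element is acceptable once IPT_POLICY_MATCH_STRICT is not set, and the "empty policy element" message gives the user no hint that the check is tied to strict mode. A one-line comment above the condition stating what an all-zero element means in non-strict mode would document the intent. The test on info->flags also does not depend on i, so it could be evaluated once before the for loop if the loop body has no other work. The same edit is made to libip6t_policy.c, so whatever comment or restructuring is chosen should be applied to both copies to keep them in step.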



