On 20 November 2014 at 13:07, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> @@ -1146,9 +1147,17 @@ check_extension: */
>> cs.fw.ethproto = htons(cs.fw.ethproto);
>>
>> if (command == 'P') {
>> - if (selected_chain < NF_BR_NUMHOOKS && strcmp(policy, "RETURN")==0)
>> + if (selected_chain < 0) {
>> xtables_error(PARAMETER_PROBLEM,
>> - "Policy RETURN only allowed for user defined chains");
>> + "Default policy in user-defined"
>> + " chains is mandatory RETURN");
>
> Wait.
>
> This changes the existing behaviour. I mean, this check rejects rules
> using RETURN from base chains, that should still be there to mimic
> ebtables behaviour. Why change this?
>
I don't see such behaviour change:
Bridge chain: test2, entries: 2, policy: RETURN
-i eth0 -j ACCEPT
-i eth0 -j RETURN
I can still use rules with RETURN target.
The change is in the -P path, not in -j.
>> + }
>> + if (strcmp(policy, "ACCEPT") != 0 &&
>> + strcmp(policy, "DROP") != 0) {
>> + xtables_error(PARAMETER_PROBLEM,
>> + "Default policy in default chains"
>> + " is either ACCEPT or DROP");
>
> Please use the same error message the ebtables uses:
>
> "Policy RETURN only allowed for user defined chains");
>
> And explicitly check for RETURN instead. This is a compat tool, we
> should spot the same errors than the original.
>
Ok, sending v2.
--
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
