On 20 November 2014 at 13:07, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> @@ -1146,9 +1147,17 @@ check_extension:
>> */
>> cs.fw.ethproto = htons(cs.fw.ethproto);
>>
>> if (command == 'P') {
>> - if (selected_chain < NF_BR_NUMHOOKS && strcmp(policy, "RETURN")==0)
>> + if (selected_chain < 0) {
>> xtables_error(PARAMETER_PROBLEM,
>> - "Policy RETURN only allowed for user defined chains");
>> + "Default policy in user-defined"
>> + " chains is mandatory RETURN");
>
> Wait.
>
> This changes the existing behaviour. I mean, this check rejects rules
> using RETURN from base chains, that should still be there to mimic
> ebtables behaviour. Why change this?
>

I don't see such a behaviour change:

Bridge chain: test2, entries: 2, policy: RETURN
-i eth0 -j ACCEPT
-i eth0 -j RETURN

I can still use rules with the RETURN target. The change is in the -P path, not in -j.

>> + }
>> + if (strcmp(policy, "ACCEPT") != 0 &&
>> + strcmp(policy, "DROP") != 0) {
>> + xtables_error(PARAMETER_PROBLEM,
>> + "Default policy in default chains"
>> + " is either ACCEPT or DROP");
>
> Please use the same error message ebtables uses:
>
> "Policy RETURN only allowed for user defined chains");
>
> And explicitly check for RETURN instead. This is a compat tool, we
> should spot the same errors as the original.
>

Ok, sending v2.

--
Arturo Borrero González
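Review bot: the replacement condition in the `command == 'P'` hunk loses the base-chain / user-defined-chain distinction that the removed line carried. The old check `selected_chain < NF_BR_NUMHOOKS && strcmp(policy, "RETURN")==0` only rejected RETURN as a policy on base chains (indices below NF_BR_NUMHOOKS); the new `if (selected_chain < 0)` fires on a different condition entirely, and the follow-on `strcmp(policy, "ACCEPT") != 0 && strcmp(policy, "DROP") != 0` then applies to every remaining chain, so `-P <user-chain> RETURN` is now rejected too, even though the new error text itself says RETURN is mandatory for user-defined chains. The message and the condition it guards also disagree: `selected_chain < 0` does not say anything about which chains may take RETURN. Suggest keeping the NF_BR_NUMHOOKS comparison together with an explicit `strcmp(policy, "RETURN")` test and reusing the ebtables message `"Policy RETURN only allowed for user defined chains"`, as requested above, so the compat tool reports the same error as ebtables in the same situations.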