On Mon, Nov 24, 2014 at 01:12:33PM +0100, Arturo Borrero Gonzalez wrote:
> On 24 November 2014 at 12:12, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >> --- a/iptables/xtables-eb.c > >> +++ b/iptables/xtables-eb.c > >> @@ -616,6 +616,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table) > >> case 'E': /* Rename chain */ > >> case 'X': /* Delete chain */ > >> /* We allow -N chainname -P policy */ > >> + /* XXX: Not in ebtables-compat */ > >> if (command == 'N' && c == 'P') { > >> command = c; > >> optind--; /* No table specified */ > >> @@ -1146,9 +1147,15 @@ check_extension: */ > >> cs.fw.ethproto = htons(cs.fw.ethproto); > >> > >> if (command == 'P') { > >> - if (selected_chain < NF_BR_NUMHOOKS && strcmp(policy, "RETURN")==0) > >> + if (selected_chain < 0) { > >> + xtables_error(PARAMETER_PROBLEM, > >> + "Default policy in user-defined" > >> + " chains is mandatory RETURN");
> >
> > The intended error should be something like:
> >
> > ... , "Policy %s only allowed from base chains", policy);
> >
> > right? I can mangle the patch here. Thanks.
>
> Ok, thanks.

Applied, thanks.

I have used "Policy XYZ not allowed for user defined chains" so we basically disable policies from user-defined chains in ebtables-compat.
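Review bot: The added comment /* XXX: Not in ebtables-compat */ in the first hunk (directly above the command == 'N' && c == 'P' check) does not say what is absent from ebtables-compat, and the branch it annotates still runs command = c; optind--; unchanged. It also sits right under /* We allow -N chainname -P policy */, so the two comments read as contradicting each other. Either spell out in the comment that the -N chainname -P policy form is the unsupported part and what the code does with it, or make the branch itself reject that combination so the code matches the comment.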
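Review bot: In the second hunk, the new if (selected_chain < 0) branch raises an error saying RETURN is mandatory for user-defined chains, but the lines shown never compare policy against "RETURN" in that branch, so the message and the condition disagree; the removed line did carry a strcmp(policy, "RETURN") test. The message also leaves out the policy the user passed. Suggest a text that matches what the check does and names the value, for example "Policy %s not allowed for user defined chains" with policy as the argument. The quote ends after the xtables_error() call, so the closing brace and the handling of base chains cannot be checked from what is visible here.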