ip6tables: Warn about use of DROP in nat table
authorThomas Woerner <twoerner@redhat.com>
Fri, 10 Jun 2016 12:57:58 +0000 (14:57 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 15 Jun 2016 12:28:32 +0000 (14:28 +0200)
Clone of 1eada72b with 9bb76094 and e0390bee on top.

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/ip6tables.c

index 2731209e5df97cf586d46ace3f9636549756fa88..c48ddf9e90cb600973c1a2f428b53ffe0d7fd3c6 100644 (file)
@@ -1720,6 +1720,13 @@ int do_command6(int argc, char *argv[], char **table,
                cs.invert = FALSE;
        }
 
+       if (strcmp(*table, "nat") == 0 &&
+           ((policy != NULL && strcmp(policy, "DROP") == 0) ||
+           (cs.jumpto != NULL && strcmp(cs.jumpto, "DROP") == 0)))
+               xtables_error(PARAMETER_PROBLEM,
+                       "\nThe \"nat\" table is not intended for filtering, "
+                       "the use of DROP is therefore inhibited.\n\n");
+
        for (matchp = cs.matches; matchp; matchp = matchp->next)
                xtables_option_mfcall(matchp->match);
        if (cs.target != NULL)
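Review bot: The new guard fires on every command, not just on ones that create a rule or set a policy, so `ip6tables -t nat -D CHAIN ... -j DROP` (or `-C`) against a DROP rule that was inserted by an older binary is rejected with the same error and the rule can only be removed by rule number. The condition should be limited to rule-adding and policy-setting commands; do_command6 tracks the parsed command in a variable (`command` with the CMD_* flags, if I read the surrounding code correctly — it is not visible in this hunk), so one extra clause such as `!(command & (CMD_DELETE | CMD_CHECK)) &&` at the top of the new condition would keep deletion and check working. The error text is also the only xtables_error message here that starts with `"\n"` and ends with `"\n\n"`; dropping the leading newline would match the other messages in the file. do_command6 begins and continues outside this hunk.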