From: Jan Engelhardt Date: Wed, 13 Aug 2008 12:41:32 +0000 (+0200) Subject: Warn about use of DROP in nat table X-Git-Tag: v1.4.2~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1eada72b;p=thirdparty%2Fiptables.git Warn about use of DROP in nat table Consensus is that we should warn for now. Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy
---
diff --git a/iptables.c b/iptables.c
index 41e18361..6a105f80 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1917,6 +1917,14 @@ int do_command(int argc, char *argv[], char **table, iptc_handle_t *handle)
 invert = FALSE;
 }
+ if (strcmp(*table, "nat") == 0 &&
+ ((policy != NULL && strcmp(policy, "DROP") == 0) ||
+ (jumpto != NULL && strcmp(jumpto, "DROP") == 0)))
+ fprintf(stderr, "\nThe \"nat\" table is not intended for "
+ "filtering, hence the use of DROP is deprecated and "
+ "will permanently be disabled in the next iptables "
+ "release. Please adjust your scripts.\n\n");
+
 for (matchp = matches; matchp; matchp = matchp->next)
 if (matchp->match->final_check != NULL)
 matchp->match->final_check(matchp->match->mflags);
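Review bot: The message in the added `fprintf` tells users to adjust their scripts but not what to change them to, and the rule is still installed after it prints, so a ruleset that relies on DROP in nat as its packet filter keeps doing so. Because the nat table is only traversed for the first packet of a connection, it would help to name the replacement, e.g. append `"Move DROP rules to the \"filter\" table.\n"` to the text. The condition also ignores which command is running; if `policy` or `jumpto` are populated on delete paths as well (not visible in this hunk), removing an existing nat DROP rule would print the same deprecation warning. The multi-line `if` body is unbraced, and wrapping the `fprintf` in `{ ... }` would keep a later added statement from silently falling outside the condition. do_command begins and ends outside the hunk.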