Fix "empty policy element" complaining in non-strict mode.

Noticed by Tom Eastep <teastep@shorewall.net>.

diff --git a/extensions/libip6t_policy.c b/extensions/libip6t_policy.c
index 7498e989d81dbc622a086d29148ac8daaba0b9e0..54cd5f2badafa5dc203670c4b294889be9b08bc0 100644 (file)
--- a/extensions/libip6t_policy.c
+++ b/extensions/libip6t_policy.c
@@ -327,7 +327,8 @@ static void final_check(unsigned int flags)
        for (i = 0; i < info->len; i++) {
                e = &info->pol[i];
 
-                if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+                if (info->flags & IP6T_POLICY_MATCH_STRICT &&
+                   !(e->match.reqid || e->match.spi || e->match.saddr ||
                       e->match.daddr || e->match.proto || e->match.mode))
                         exit_error(PARAMETER_PROBLEM,
                                    "policy match: empty policy element");

diff --git a/extensions/libipt_policy.c b/extensions/libipt_policy.c
index 593bb11f4a346f506a6c39ae1a39026ac4bfe33b..55b969d15873702d7374ab473d8800e0df757a27 100644 (file)
--- a/extensions/libipt_policy.c
+++ b/extensions/libipt_policy.c
@@ -287,7 +287,8 @@ static void final_check(unsigned int flags)
        for (i = 0; i < info->len; i++) {
                e = &info->pol[i];
 
-               if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+               if (info->flags & IPT_POLICY_MATCH_STRICT &&
+                   !(e->match.reqid || e->match.spi || e->match.saddr ||
                      e->match.daddr || e->match.proto || e->match.mode))
                        exit_error(PARAMETER_PROBLEM,
                                   "policy match: empty policy element");