[PATCH v4 6/6] iptables: Allow to set valid policy verdicts only

Daniel Wagner Wed, 06 Mar 2013 05:26:47 -0800

From: Daniel Wagner <[email protected]>

---
 src/iptables.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)


diff --git a/src/iptables.c b/src/iptables.c
index 93778fa..66a7d2a 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -275,6 +275,19 @@ static int target_to_verdict(const char *target_name)
        return 0;
 }
 
+static int target_to_policy(const char *policy_name)
+{
+       int verdict;
+
+       verdict = target_to_verdict(policy_name);
+
+       /* Only ACCEPT or DROP are valid chain policies */
+       if (verdict == (-NF_ACCEPT - 1) || verdict == (-NF_DROP - 1))
+               return verdict;
+
+       return 0;
+}
+
 static gboolean is_builtin_target(const char *target_name)
 {
        if (!strcmp(target_name, LABEL_ACCEPT) ||
@@ -1060,7 +1073,7 @@ static int iptables_change_policy(struct connman_iptables 
*table,
        struct xt_standard_target *t;
        int verdict;
 
-       verdict = target_to_verdict(policy);
+       verdict = target_to_policy(policy);
        if (verdict == 0)
                return -EINVAL;
 
-- 
1.8.1.3.566.gaa39828

_______________________________________________
connman mailing list
[email protected]
http://lists.connman.net/listinfo/connman

[PATCH v4 6/6] iptables: Allow to set valid policy verdicts only

Reply via email to