From 003e935b55c6f15f09648e93b33be0c2fa24f18c Mon Sep 17 00:00:00 2001
From: "/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org"
Date: Thu, 12 Jan 2006 09:43:18 +0000
Subject: Move empty policy element check to also catch last element

---
 extensions/libip6t_policy.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'extensions/libip6t_policy.c')

diff --git a/extensions/libip6t_policy.c b/extensions/libip6t_policy.c
index 189ca6e..7498e98 100644
--- a/extensions/libip6t_policy.c
+++ b/extensions/libip6t_policy.c
@@ -283,11 +283,6 @@ static int parse(int c, char **argv, int invert, unsigned int *flags,
 exit_error(PARAMETER_PROBLEM,
 "policy match: can't invert --next option");
 
- if (!(e->match.reqid || e->match.spi || e->match.saddr ||
- e->match.daddr || e->match.proto || e->match.mode))
- exit_error(PARAMETER_PROBLEM,
- "policy match: --next without policy element specification");
-
 if (++info->len == IP6T_POLICY_MAX_ELEM)
 exit_error(PARAMETER_PROBLEM,
 "policy match: maximum policy depth reached");
@@ -331,6 +326,12 @@ static void final_check(unsigned int flags)
 
 for (i = 0; i < info->len; i++) {
 e = &info->pol[i];
+
+ if (!(e->match.reqid || e->match.spi || e->match.saddr ||
+ e->match.daddr || e->match.proto || e->match.mode))
+ exit_error(PARAMETER_PROBLEM,
+ "policy match: empty policy element");
+
 if ((e->match.saddr || e->match.daddr) &&
 ((e->mode == IP6T_POLICY_MODE_TUNNEL && e->invert.mode) ||
 (e->mode == IP6T_POLICY_MODE_TRANSPORT && !e->invert.mode)))
-- 
cgit v1.2.3
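Review bot: The emptiness check added inside the `for` loop of final_check now applies to every element, including rules that never used --next, whereas the removed check in parse ran only on --next; a match with a single element and no reqid/spi/address/proto/mode selector that used to parse would now exit with PARAMETER_PROBLEM, which can make an existing ruleset fail to load. Whether a selector-less element is meant to stay valid is not visible in the hunk; if it is (for example outside strict matching), the condition should be narrowed, e.g. `if ((info->flags & IP6T_POLICY_MATCH_STRICT) && !(e->match.reqid || e->match.spi || ...))`. The bound `i < info->len` also reaches the last element only if final_check raises `info->len` before the loop, since parse increments it only on --next; that part of final_check lies outside the hunk and should be confirmed. The message would be easier to act on with the element position, e.g. `"policy match: empty policy element %d", i`, assuming exit_error takes printf-style arguments and `i` is an int.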