From 5b1fecc7d017df093db7c667bcd1718e45b1df67 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 7 Jan 2011 12:26:59 +0100
Subject: iptables: abort on empty interface specification

Fiedler Roman brings to attention that if, in a faulty script, "$some_variable" expands to an empty string, iptables should probably catch this most likely undesired invocation. If no/all interfaces were really desired, one can either omit -i completely, or use -i +.

References: http://marc.info/?l=netfilter&m=129439862903487&w=2
Signed-off-by: Jan Engelhardt
---
 iptables.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'iptables.c')

diff --git a/iptables.c b/iptables.c
index 6549c1dd..e0efbf1b 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1590,6 +1590,10 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 case 'i':
+ if (*optarg == '\0')
+ xtables_error(PARAMETER_PROBLEM,
+ "Empty interface is likely to be "
+ "undesired");
 xtables_check_inverse(optarg, &invert, &optind, argc, argv);
 set_option(&options, OPT_VIANAMEIN, &fw.ip.invflags, invert);
@@ -1599,6 +1603,10 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 break;
 case 'o':
+ if (*optarg == '\0')
+ xtables_error(PARAMETER_PROBLEM,
+ "Empty interface is likely to be "
+ "undesired");
 xtables_check_inverse(optarg, &invert, &optind, argc, argv);
 set_option(&options, OPT_VIANAMEOUT, &fw.ip.invflags, invert);
--
cgit v1.2.3
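Review bot: The new `*optarg == '\0'` test in `case 'i':` (and the identical one in `case 'o':`) runs before `xtables_check_inverse(optarg, &invert, &optind, argc, argv)`, so it only inspects the word that directly follows the option. If that helper replaces `optarg` with the next `argv` entry when it handles a `!` written after the option (its `&optind`/`argv` arguments suggest this, but its body is not shown here), an empty name given as `-i ! "$some_variable"` would still reach interface parsing and the rule would match more broadly than the script author intended. Moving the four-line check below the `xtables_check_inverse(...)` call in both cases would cover both spellings. A comment such as `/* empty name is rejected: omit the option or use "+" to mean all interfaces */` would record why the check exists. `do_command` begins and ends outside both hunks, so the remainder of each case was not reviewed.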