diff --git a/doc/ChangeLog b/doc/ChangeLog
index db4cf4a5c..3236d2e43 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -5,9 +5,11 @@ group expansion is done the same way in the UI and for the compiler, also fixed #2502 (consolidate logic for DynamicGroup).
- * Took out checks (added for #2514) for empty path in an Address
+ * Modified checks (added for #2514) for empty path in an Address
 Table object. It's valid to have an empty path for the situation where a user wants to use an ipset in place of the table.
+ However, if there is a path and it comes out blank in
+ getSourceNameAsPath() then that means %DATADIR% expansion failed.
 2011-07-11 theron * Implemented #2514, support for address table alternate paths.
diff --git a/src/iptlib/NATCompiler_ipt.cpp b/src/iptlib/NATCompiler_ipt.cpp
index e8bf9adc0..2c047b5fb 100644
--- a/src/iptlib/NATCompiler_ipt.cpp
+++ b/src/iptlib/NATCompiler_ipt.cpp
@@ -2318,6 +2318,10 @@ bool NATCompiler_ipt::processMultiAddressObjectsInRE::processNext()
 { string path = atrt->getSourceNameAsPath(compiler->getCachedFwOpt());
+ if (path.empty() && !atrt->getSourceName().empty()) {
+ compiler->abort(rule, "Firewall's data directory not set for address table: " + atrt->getName());
+ return true;
+ }
 rule->setStr("address_table_file", path); osconf->registerMultiAddressObject(atrt); }
@@ -2357,6 +2361,10 @@ bool NATCompiler_ipt::processMultiAddressObjectsInRE::processNext()
 nre->addRef( atrt ); string path = atrt->getSourceNameAsPath(compiler->getCachedFwOpt());
+ if (path.empty() && !atrt->getSourceName().empty()) {
+ compiler->abort(rule, "Firewall's data directory not set for address table: " + atrt->getName());
+ return true;
+ }
 r->setStr("address_table_file", path); osconf->registerMultiAddressObject(atrt);
diff --git a/src/iptlib/PolicyCompiler_ipt.cpp b/src/iptlib/PolicyCompiler_ipt.cpp
index cba4eb183..61b4ae385 100644
--- a/src/iptlib/PolicyCompiler_ipt.cpp
+++ b/src/iptlib/PolicyCompiler_ipt.cpp
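Review bot: In the first NATCompiler_ipt.cpp hunk the added `return true;` after `compiler->abort(rule, ...)` only matters if abort() can return, and in that case processNext() exits before `rule->setStr("address_table_file", path)` and `osconf->registerMultiAddressObject(atrt)` with nothing in the hunk saying what becomes of the rule. For a firewall compiler a rule that is silently dropped, or emitted without its address-table match, changes the policy that gets installed, so the branch deserves a comment such as `// abort() may return; stop here so the rule is never emitted with an empty address_table_file`, provided that is what the code outside the hunk actually does. The same four lines are repeated in the second hunk of this file and in both hunks of PolicyCompiler_ipt.cpp; a small shared helper would keep the condition and the message in one place. processNext() starts and ends outside the hunk.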
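Review bot: In the second NATCompiler_ipt.cpp hunk the error is reported against `rule` while the surrounding lines configure `r` (`r->setStr("address_table_file", path)`), and the early `return true;` comes after `nre->addRef( atrt )` has already modified the rule element. If `r` is a copy created just above the hunk (not visible here), returning at this point may leave that copy half built; it would be safer to run the path check before `nre->addRef( atrt )`, or to document why leaving here is harmless. The second hunk of PolicyCompiler_ipt.cpp has the same shape. The enclosing function lies outside the hunk.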
@@ -3896,6 +3896,10 @@ bool PolicyCompiler_ipt::processMultiAddressObjectsInRE::processNext()
 { string path = atrt->getSourceNameAsPath(compiler->getCachedFwOpt());
+ if (path.empty() && !atrt->getSourceName().empty()) {
+ compiler->abort(rule, "Firewall's data directory not set for address table: " + atrt->getName());
+ return true;
+ }
 rule->setStr("address_table_file", path); osconf->registerMultiAddressObject(atrt); }
@@ -3939,6 +3943,10 @@ bool PolicyCompiler_ipt::processMultiAddressObjectsInRE::processNext()
 nre->addRef( atrt ); string path = atrt->getSourceNameAsPath(compiler->getCachedFwOpt());
+ if (path.empty() && !atrt->getSourceName().empty()) {
+ compiler->abort(rule, "Firewall's data directory not set for address table: " + atrt->getName());
+ return true;
+ }
 r->setStr("address_table_file", path); osconf->registerMultiAddressObject(atrt);
diff --git a/src/pflib/TableFactory.cpp b/src/pflib/TableFactory.cpp
index 168255d81..d9e7004f8 100644
--- a/src/pflib/TableFactory.cpp
+++ b/src/pflib/TableFactory.cpp
@@ -238,7 +238,7 @@ string TableFactory::PrintTables()
 string path = atrt->getSourceNameAsPath(firewall->getOptionsObject()); if (path.empty()) {
- compiler->abort("Error: Empty path or data directory for address table: " + atrt->getName());
+ compiler->abort("Error: Firewall's data directory not set for address table: " + atrt->getName());
 } output << " file \"" << path << "\"";
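Review bot: In the TableFactory.cpp hunk the condition is still the bare `if (path.empty())`, but the new message blames only the data directory, whereas the removed text covered both cases ("Empty path or data directory"); an address table with no source name at all would now get a misleading diagnosis. The iptables hunks in this commit separate the two cases with `!atrt->getSourceName().empty()`, so either apply the same test here or keep both causes in the message. Also, no `return` follows the abort in the visible lines, so if abort() can return, the next statement writes `file ""` into the generated table definition. PrintTables() continues outside the hunk.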