Try #2 at fixing error checking. We still do want an error for the case

that the user forgets to set a data directory on a firewall and then
refers to it from an Address Table.  Made the error message a little
explicit since now the only way the error can happen is if the firewall
is missing the data directory setting.

doc/ChangeLog

@@ -5,9 +5,11 @@
 	group expansion is done the same way in the UI and for the
 	compiler, also fixed #2502 (consolidate logic for DynamicGroup).
 
-	* Took out checks (added for #2514) for empty path in an Address
+	* Modified checks (added for #2514) for empty path in an Address
 	Table object.  It's valid to have an empty path for the situation
 	where a user wants to use an ipset in place of the table.
+	However, if there is a path and it comes out blank in
+	getSourceNameAsPath() then that means %DATADIR% expansion failed.
 
 2011-07-11  theron	<theron@netcitadel.com>
 	* Implemented #2514, support for address table alternate paths.

src/iptlib/NATCompiler_ipt.cpp

@@ -2318,6 +2318,10 @@ bool NATCompiler_ipt::processMultiAddressObjectsInRE::processNext()
             {
                 string path =
                     atrt->getSourceNameAsPath(compiler->getCachedFwOpt());
+                if (path.empty() && !atrt->getSourceName().empty()) {
+                    compiler->abort(rule, "Firewall's data directory not set for address table: " + atrt->getName());
+                    return true;
+                }
                 rule->setStr("address_table_file", path);
                 osconf->registerMultiAddressObject(atrt);
             }
@@ -2357,6 +2361,10 @@ bool NATCompiler_ipt::processMultiAddressObjectsInRE::processNext()
             nre->addRef( atrt );
 
             string path = atrt->getSourceNameAsPath(compiler->getCachedFwOpt());
+            if (path.empty() && !atrt->getSourceName().empty()) {
+                compiler->abort(rule, "Firewall's data directory not set for address table: " + atrt->getName());
+                return true;
+            }
             r->setStr("address_table_file", path);
 
             osconf->registerMultiAddressObject(atrt);

src/iptlib/PolicyCompiler_ipt.cpp

@@ -3896,6 +3896,10 @@ bool PolicyCompiler_ipt::processMultiAddressObjectsInRE::processNext()
             {
                 string path =
                     atrt->getSourceNameAsPath(compiler->getCachedFwOpt());
+                if (path.empty() && !atrt->getSourceName().empty()) {
+                    compiler->abort(rule, "Firewall's data directory not set for address table: " + atrt->getName());
+                    return true;
+                }
                 rule->setStr("address_table_file", path);
                 osconf->registerMultiAddressObject(atrt);
             }
@@ -3939,6 +3943,10 @@ bool PolicyCompiler_ipt::processMultiAddressObjectsInRE::processNext()
         nre->addRef( atrt );
 
         string path = atrt->getSourceNameAsPath(compiler->getCachedFwOpt());
+        if (path.empty() && !atrt->getSourceName().empty()) {
+            compiler->abort(rule, "Firewall's data directory not set for address table: " + atrt->getName());
+            return true;
+        }
         r->setStr("address_table_file", path);
 
         osconf->registerMultiAddressObject(atrt);

src/pflib/TableFactory.cpp

@@ -238,7 +238,7 @@ string TableFactory::PrintTables()
                 string path =
                     atrt->getSourceNameAsPath(firewall->getOptionsObject());
                 if (path.empty()) {
-                    compiler->abort("Error: Empty path or data directory for address table: " + atrt->getName());
+                    compiler->abort("Error: Firewall's data directory not set for address table: " + atrt->getName());
                 }
                 
                 output << " file \"" << path << "\"";