From 31d99c29ff580b116142d113e82055580b48e661 Mon Sep 17 00:00:00 2001
From: Jonas Lochmann
Date: Fri, 28 Jun 2024 14:52:23 +0200
Subject: [PATCH] Assume that rules with output interfaces not part of the routing table never match

This has an effect if a routing table was specified only. The current implementation keeps the interfaces if they are not part of the routing table. Due to the over approximation, this assumes that traffic is allowed while it is not. This modifies the generated code which is a bad practice. However, I could not make Isabelle generate code at all.
--- haskell_tool/lib/Network/IPTables/Generated.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/haskell_tool/lib/Network/IPTables/Generated.hs b/haskell_tool/lib/Network/IPTables/Generated.hs index 50379916..d8a17016 100644 --- a/haskell_tool/lib/Network/IPTables/Generated.hs +++ b/haskell_tool/lib/Network/IPTables/Generated.hs @@ -3662,7 +3662,7 @@ ipassmt_iface_replace_dstip_mexpr :: Iface -> Match_expr (Common_primitive a); ipassmt_iface_replace_dstip_mexpr ipassmt ifce = (case ipassmt ifce of { - Nothing -> Match (OIface ifce); + Nothing -> MatchNot MatchAny; Just ips -> match_list_to_match_expr (map (Match . Dst) (map (uncurry IpAddrNetmask) ips));
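Review bot: In the `Nothing` branch of `ipassmt_iface_replace_dstip_mexpr`, `MatchNot MatchAny` is now returned for every interface missing from `ipassmt`, and the function sees only `ipassmt` and `ifce`, so neither the rule's action nor any enclosing negation is taken into account. A rule that drops or rejects on such an interface would then also never match, and if a caller places the result under `MatchNot` it becomes a match on everything; both cases push the analysis toward allowing more traffic, which is the opposite of what the commit message aims for. Consider restricting the change to the cases where it is sound, or documenting at this line why the callers make it safe. Since this is a hand edit to `Generated.hs`, a comment at the changed line marking the divergence would also help: a regeneration would restore `Match (OIface ifce)`, and the manual line no longer corresponds to the Isabelle definition it was generated from.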