From b81c4e04ad26fd73dfdd024efd9fc60561ce0ab2 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 8 Nov 2018 12:42:43 -0500
Subject: [PATCH 21/34] rich rules: allow catch-all rules

Since we now support rich rule priorities it makes sense to allow
catch-all rules if priority is specified. But disallow it for
priority==0 as this will cause unexpected results for the user (always
drop everything).

(cherry picked from commit df846d7a6c20582a2db79d690526662990e8541f)
---
 src/firewall/core/rich.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index c415bf39212f..f0e4af54f32c 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -544,7 +544,7 @@ class Rich_Rule(object):
         if self.element is None:
             if self.action is None:
                 raise FirewallError(errors.INVALID_RULE, "no element, no action")
-            if self.source is None and self.destination is None:
+            if self.source is None and self.destination is None and self.priority == 0:
                 raise FirewallError(errors.INVALID_RULE, "no element, no source, no destination")
 
         if type(self.element) not in [ Rich_IcmpBlock,
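Review bot: The error raised right after the changed condition still reads "no element, no source, no destination", but the rule is now rejected only when the priority is also 0, so a user who hits it is not told that a non-zero priority would make the catch-all rule valid; something like `raise FirewallError(errors.INVALID_RULE, "no element, no source, no destination: catch-all rule requires a non-zero priority")` would say so. A one-line comment above the condition would keep the commit message's reasoning next to the code, e.g. `# catch-all rules are only allowed with an explicit priority; at priority 0 they would silently match everything`. The relaxed check also does not look at `self.action`, so a catch-all rule with a permissive action passes validation at any non-zero priority just as a drop rule does; if that is intended, it deserves a mention in the rich-rule documentation so administrators review such rules deliberately. The enclosing method starts before and continues after this hunk, so any later checks on priority or action are not visible here.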
-- 
2.18.0