@@ -4842,6 +4842,8 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
}
if (chain->flags & CHAIN_F_BASECHAIN) {
+ int priority;
+
chain->hook.num = str2hooknum(chain->handle.family,
chain->hook.name);
if (chain->hook.num == NF_INET_NUMHOOKS)
@@ -4854,6 +4856,13 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
"invalid priority expression %s in this context.",
expr_name(chain->priority.expr));
+
+ mpz_export_data(&priority, chain->priority.expr->value,
+ BYTEORDER_HOST_ENDIAN, sizeof(int));
+ if (priority <= -200 && !strcmp(chain->type.str, "nat"))
+ return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
+ "Chains of type \"nat\" must have a priority value above -200.");
+
if (chain->policy) {
expr_set_context(&ctx->ectx, &policy_type,
NFT_NAME_MAXLEN * BITS_PER_BYTE);
The kernel doesn't accept nat type chains with a priority of -200 or below. Catch this and provide a better error message than the kernel's EOPNOTSUPP. Signed-off-by: Phil Sutter <phil@nwl.cc> --- Changes since v1: - Pull mpz_export_data() call out of the conditional. - Check priority value before calling strcmp(), it's less expensive. - Reword the error message as suggested. --- src/evaluate.c | 9 +++++++++ 1 file changed, 9 insertions(+)