Hi Pablo,

On Tue, Jul 16, 2019 at 01:51:20PM +0200, Pablo Neira Ayuso wrote:
[...]
> diff --git a/src/evaluate.c b/src/evaluate.c > index f95f42e1067a..cd566e856a11 100644 > --- a/src/evaluate.c > +++ b/src/evaluate.c > @@ -1984,17 +1984,9 @@ static int stmt_evaluate_verdict(struct eval_ctx *ctx, struct stmt *stmt) > case EXPR_VERDICT: > if (stmt->expr->verdict != NFT_CONTINUE) > stmt->flags |= STMT_F_TERMINAL; > - if (stmt->expr->chain != NULL) { > - if (expr_evaluate(ctx, &stmt->expr->chain) < 0) > - return -1; > - if ((stmt->expr->chain->etype != EXPR_SYMBOL && > - stmt->expr->chain->etype != EXPR_VALUE) || > - stmt->expr->chain->symtype != SYMBOL_VALUE) { > - return stmt_error(ctx, stmt, > - "invalid verdict chain expression %s\n", > - expr_name(stmt->expr->chain)); > - } > - }

According to my logs, this bit was added by Fernando to cover for invalid variable values[1]. So I fear we can't just drop this check.

Cheers, Phil

[1] I didn't check with current sources, but back then the following variable contents were problematic:

* define foo = @set1 (a set named 'set1' must exist)
* define foo = { 1024 }
* define foo = *
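Review bot: the removed block under case EXPR_VERDICT in stmt_evaluate_verdict() is the only visible place where stmt->expr->chain is passed through expr_evaluate() and then rejected unless it is an EXPR_SYMBOL or EXPR_VALUE with symtype SYMBOL_VALUE, and the quoted part of the hunk shows nothing taking its place. Without an equivalent check, a verdict whose chain comes from a variable is no longer refused here with "invalid verdict chain expression", so input validation of the ruleset moves to whatever runs later. Either keep the etype/symtype test (it can stay even if the expr_evaluate() call moves elsewhere) or show where the same rejection now happens, and add test cases for the three variable definitions listed in the reply (a set reference, a set literal, and a wildcard) asserting that each still fails evaluation with an error rather than being accepted or crashing.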