[nft PATCH] Reject invalid chain priority values in user space


 



The kernel doesn't accept nat type chains with a priority of -200 or
below. Catch this and provide a better error message than the kernel's
EOPNOTSUPP.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 src/evaluate.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index d24f8b66b0de8..af4844c1ef6cc 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4842,6 +4842,8 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 	}
 
 	if (chain->flags & CHAIN_F_BASECHAIN) {
+		int priority;
+
 		chain->hook.num = str2hooknum(chain->handle.family,
 					      chain->hook.name);
 		if (chain->hook.num == NF_INET_NUMHOOKS)
@@ -4854,6 +4856,14 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 			return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
 						   "invalid priority expression %s in this context.",
 						   expr_name(chain->priority.expr));
+
+		if (!strcmp(chain->type.str, "nat") &&
+		    (mpz_export_data(&priority, chain->priority.expr->value,
+				    BYTEORDER_HOST_ENDIAN, sizeof(int))) &&
+		    priority <= -200)
+			return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
+						   "Nat type chains must have a priority value above -200.");
+
 		if (chain->policy) {
 			expr_set_context(&ctx->ectx, &policy_type,
 					 NFT_NAME_MAXLEN * BITS_PER_BYTE);
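Review bot: The `mpz_export_data()` call in the new condition is used as a boolean operand of the `&&` chain, but as far as I can tell it returns its destination pointer (`&priority` here), which can never be NULL, so the truthiness test adds nothing and hides that the call is there only for its side effect of filling `priority`. Hoisting it out of the condition is clearer: `mpz_export_data(&priority, chain->priority.expr->value, BYTEORDER_HOST_ENDIAN, sizeof(int));` followed by `if (!strcmp(chain->type.str, "nat") && priority <= -200)`, which also lets the `int priority;` added in the first hunk move next to its single use. The sign check depends on the priority constant having been stored as an int-width two's-complement pattern so the export reproduces the negative value; a one-line comment such as `/* priority was imported as a host int, so the export restores its sign */` would save the next reader from re-deriving that. The new message starts with a capital while the neighbouring "invalid priority expression ..." message is lower-case; `"nat type chains must have a priority value above -200."` would match. chain_evaluate begins and ends outside this hunk.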
-- 
2.38.0



