The kernel doesn't accept nat type chains with a priority of -200 or below. Catch this and provide a better error message than the kernel's EOPNOTSUPP. Signed-off-by: Phil Sutter <phil@xxxxxx> --- Changes since v1: - Pull mpz_export_data() call out of the conditional. - Check priority value before calling strcmp(), it's less expensive. - Reword the error message as suggested. --- src/evaluate.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/evaluate.c b/src/evaluate.c index d24f8b66b0de8..21831201519dd 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -4842,6 +4842,8 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain) } if (chain->flags & CHAIN_F_BASECHAIN) { + int priority; + chain->hook.num = str2hooknum(chain->handle.family, chain->hook.name); if (chain->hook.num == NF_INET_NUMHOOKS) @@ -4854,6 +4856,13 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain) return __stmt_binary_error(ctx, &chain->priority.loc, NULL, "invalid priority expression %s in this context.", expr_name(chain->priority.expr)); + + mpz_export_data(&priority, chain->priority.expr->value, + BYTEORDER_HOST_ENDIAN, sizeof(int)); + if (priority <= -200 && !strcmp(chain->type.str, "nat")) + return __stmt_binary_error(ctx, &chain->priority.loc, NULL, + "Chains of type \"nat\" must have a priority value above -200."); + if (chain->policy) { expr_set_context(&ctx->ectx, &policy_type, NFT_NAME_MAXLEN * BITS_PER_BYTE); -- 2.38.0