On Tue, Jul 16, 2019 at 07:05:20AM -0400, Charles Eidsness wrote: > > Are these the steps to reproduce this? > > > > nft add table testD > > nft add chain testD test6 > > nft add chain testD test8 > > nft add rule ip testD test6 jump test8 > > > > It's working fine with nftables git HEAD (git.netfilter.org/nftables). > > Yes, those are the steps, release 0.9.1 works for me on linux kernel > 5.2, it doesn't with linux kernel version 4.14 (on an arm system). > Release 0.9.0 works fine on both systems. > > Is there some difference in the netlink message sent for that command > between nftables 0.9.1 and nftables 0.9.0? These two commits: c64457cff967 src: Allow goto and jump to a variable f1e8a129ee42 src: Introduce chain_expr in jump and goto statements Could you try the following patch? Thanks.
diff --git a/src/evaluate.c b/src/evaluate.c index f95f42e1067a..cd566e856a11 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1984,17 +1984,9 @@ static int stmt_evaluate_verdict(struct eval_ctx *ctx, struct stmt *stmt) case EXPR_VERDICT: if (stmt->expr->verdict != NFT_CONTINUE) stmt->flags |= STMT_F_TERMINAL; - if (stmt->expr->chain != NULL) { - if (expr_evaluate(ctx, &stmt->expr->chain) < 0) - return -1; - if ((stmt->expr->chain->etype != EXPR_SYMBOL && - stmt->expr->chain->etype != EXPR_VALUE) || - stmt->expr->chain->symtype != SYMBOL_VALUE) { - return stmt_error(ctx, stmt, - "invalid verdict chain expression %s\n", - expr_name(stmt->expr->chain)); - } - } + if (stmt->expr->chain != NULL && + expr_evaluate(ctx, &stmt->expr->chain) < 0) + return -1; break; case EXPR_MAP: break;