evaluate: print error on missing family in nat statement

commit 6968c2632e0c7a625ca57cd4501b6b980fdebc55 upstream.

Print error message in case family cannot be inferred, before this
patch, $? shows 1 after nft execution but no error message was printed.

While at it, update error reporting for consistency in similar use
cases.

Fixes: e5c9c8fe0bcc ("evaluate: stmt_evaluate_nat_map() only if stmt->nat.ipportmap == true")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index b40cae230d412a8410079653815e6f55cd5f115d..a91f6b8788a49dfcb3406d4bedf3175053337bf6 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3361,6 +3361,28 @@ static int nat_evaluate_transport(struct eval_ctx *ctx, struct stmt *stmt,
                                 BYTEORDER_BIG_ENDIAN, expr);
 }
 
+static const char *stmt_name(const struct stmt *stmt)
+{
+       switch (stmt->ops->type) {
+       case STMT_NAT:
+               switch (stmt->nat.type) {
+               case NFT_NAT_SNAT:
+                       return "snat";
+               case NFT_NAT_DNAT:
+                       return "dnat";
+               case NFT_NAT_REDIR:
+                       return "redirect";
+               case NFT_NAT_MASQ:
+                       return "masquerade";
+               }
+               break;
+       default:
+               break;
+       }
+
+       return stmt->ops->name;
+}
+
 static int stmt_evaluate_l3proto(struct eval_ctx *ctx,
                                 struct stmt *stmt, uint8_t family)
 {
@@ -3388,9 +3410,11 @@ static int stmt_evaluate_addr(struct eval_ctx *ctx, struct stmt *stmt,
 
        if (ctx->pctx.family == NFPROTO_INET) {
                dtype = get_addr_dtype(family);
-               if (dtype->size == 0)
+               if (dtype->size == 0) {
                        return stmt_error(ctx, stmt,
-                                         "ip or ip6 must be specified with address for inet tables.");
+                                         "specify `%s ip' or '%s ip6' in %s table to disambiguate",
+                                         stmt_name(stmt), stmt_name(stmt), family2str(ctx->pctx.family));
+               }
 
                err = stmt_evaluate_arg(ctx, stmt, dtype, dtype->size,
                                        BYTEORDER_BIG_ENDIAN, addr);
@@ -3416,7 +3440,9 @@ static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
                addr_type = TYPE_IP6ADDR;
                break;
        default:
-               return -1;
+               return stmt_error(ctx, stmt,
+                                 "specify `%s ip' or '%s ip6' in %s table to disambiguate",
+                                 stmt_name(stmt), stmt_name(stmt), family2str(ctx->pctx.family));
        }
        dtype = concat_type_alloc((addr_type << TYPE_BITS) | TYPE_INET_SERVICE);