src: improve error reporting when setting policy on non-base chain

When trying to set a policy to non-base chain:

 # nft add chain x y { policy accept\; }
 Error: Could not process rule: Operation not supported
 add chain x y { policy accept; }
                 ^^^^^^^^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/mnl.c b/src/mnl.c
index f959196922fc5bd032d6874e8b1454f163a24223..28ab582dc032c1bd68fd4205c204f9b8176912e7 100644 (file)
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -619,11 +619,6 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
                        nftnl_chain_set_str(nlc, NFTNL_CHAIN_TYPE,
                                            cmd->chain->type);
                }
-               if (cmd->chain->policy) {
-                       mpz_export_data(&policy, cmd->chain->policy->value,
-                                       BYTEORDER_HOST_ENDIAN, sizeof(int));
-                       nftnl_chain_set_u32(nlc, NFTNL_CHAIN_POLICY, policy);
-               }
                if (cmd->chain->dev_expr) {
                        dev_array = xmalloc(sizeof(char *) * 8);
                        dev_array_len = 8;
@@ -658,6 +653,13 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
        cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.chain.location);
        mnl_attr_put_strz(nlh, NFTA_CHAIN_NAME, cmd->handle.chain.name);
 
+       if (cmd->chain && cmd->chain->policy) {
+               mpz_export_data(&policy, cmd->chain->policy->value,
+                               BYTEORDER_HOST_ENDIAN, sizeof(int));
+               cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->chain->policy->location);
+               mnl_attr_put_u32(nlh, NFTA_CHAIN_POLICY, htonl(policy));
+       }
+
        nftnl_chain_nlmsg_build_payload(nlh, nlc);
        nftnl_chain_free(nlc);
 

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 819c78bfa6d1cf0d773440039e9fe7e557ff0e38..cc77d0420cb0bae04ff7bec98e32c5236273c7b5 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2160,7 +2160,8 @@ policy_spec               :       POLICY          policy_expr
                                        expr_free($2);
                                        YYERROR;
                                }
-                               $<chain>0->policy       = $2;
+                               $<chain>0->policy               = $2;
+                               $<chain>0->policy->location     = @$;
                        }
                        ;