src: improve error reporting for unsupported chain type
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 10 Mar 2023 18:20:50 +0000 (19:20 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 23 Jan 2025 00:35:36 +0000 (01:35 +0100)
commit 573788e053631a5c069f887caed7c62d521b022d upstream.

8c75d3a16960 ("Reject invalid chain priority values in user space")
provides error reporting from the evaluation phase. Instead, this patch
infers the error after the kernel reports EOPNOTSUPP.

test.nft:3:28-40: Error: Chains of type "nat" must have a priority value above -200
                type nat hook prerouting priority -300;
                                         ^^^^^^^^^^^^^

This patch also reports a hint for another common issue: users compiling their
own kernels who forget to enable CONFIG_NFT_NAT in their .config file.

Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/cmd.c

index 63692422e7655add37f93bc721283d8b1f7d646e..22cf5cfa1566a4eb553b39c38d409c3708974460 100644 (file)
--- a/src/cmd.c
+++ b/src/cmd.c
@@ -233,6 +233,33 @@ static void nft_cmd_enoent(struct netlink_ctx *ctx, const struct cmd *cmd,
        netlink_io_error(ctx, loc, "Could not process rule: %s", strerror(err));
 }
 
+static int nft_cmd_chain_error(struct netlink_ctx *ctx, struct cmd *cmd,
+                              struct mnl_err *err)
+{
+       struct chain *chain = cmd->chain;
+       int priority;
+
+       switch (err->err) {
+       case EOPNOTSUPP:
+               if (!(chain->flags & CHAIN_F_BASECHAIN))
+                       break;
+
+               mpz_export_data(&priority, chain->priority.expr->value,
+                               BYTEORDER_HOST_ENDIAN, sizeof(int));
+               if (priority <= -200 && !strcmp(chain->type.str, "nat"))
+                       return netlink_io_error(ctx, &chain->priority.loc,
+                                               "Chains of type \"nat\" must have a priority value above -200");
+
+               return netlink_io_error(ctx, &chain->loc,
+                                       "Chain of type \"%s\" is not supported, perhaps kernel support is missing?",
+                                       chain->type.str);
+       default:
+               break;
+       }
+
+       return 0;
+}
+
 void nft_cmd_error(struct netlink_ctx *ctx, struct cmd *cmd,
                   struct mnl_err *err)
 {
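Review bot: `nft_cmd_chain_error` dereferences `cmd->chain` at the `chain->flags` test without a NULL check, so a chain command that hits EOPNOTSUPP while carrying no chain object (a delete, flush or rename by name, if those leave `cmd->chain` unset — `struct cmd` is not visible here, so verify) would crash in the error path instead of falling through to the generic message. A guard costs one line: `if (!chain || !(chain->flags & CHAIN_F_BASECHAIN)) break;`. The same branch then dereferences `chain->priority.expr` and `chain->type.str` unconditionally, which is only safe if both are mandatory for a base chain by the time the kernel is asked; a comment above the `mpz_export_data()` call such as `/* base chains always carry a type and a priority once evaluated */` would record that assumption. The literal -200 is presumably the kernel's conntrack hook priority; naming it, with the message text kept in sync, would make the threshold's origin clear.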
@@ -255,6 +282,15 @@ void nft_cmd_error(struct netlink_ctx *ctx, struct cmd *cmd,
                loc = &cmd->location;
        }
 
+       switch (cmd->obj) {
+       case CMD_OBJ_CHAIN:
+               if (nft_cmd_chain_error(ctx, cmd, err) < 0)
+                       return;
+               break;
+       default:
+               break;
+       }
+
        netlink_io_error(ctx, loc, "Could not process rule: %s",
                         strerror(err->err));
 }
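Review bot: The new dispatch keys only on `cmd->obj`, so `nft_cmd_chain_error()` now runs for every chain command regardless of `cmd->op`, and when it reports, the `loc` chosen just above (`&cmd->location` or the rule's location) is discarded in favour of the chain's own location; the contract that a negative return means "already reported, stop here" while 0 means "fall through to the generic message" is only implied by the `< 0` test. A one-line comment on the call, `/* <0: helper already printed a specific error; 0: use the generic message below */`, would make that explicit for the next object type added to this switch. `nft_cmd_error` begins before this hunk.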