evaluate: bail out if ct saddr/daddr dependency cannot be inserted

If we have an incomplete rule like "ct original saddr" in inet
family, this function generates an error because it can't determine the required protocol
dependency, hinting at missing ip/ip6 keyword.

We should not go on in this case to avoid a redundant followup error:

nft add rule inet f c ct original saddr 1.2.3.4
Error: cannot determine ip protocol version, use "ip saddr" or "ip6 saddr" instead
add rule inet f c ct original saddr 1.2.3.4
                  ^^^^^^^^^^^^^^^^^
Error: Could not parse symbolic invalid expression
add rule inet f c ct original saddr 1.2.3.4

After this change only the first error is shown.

Fixes: 2b29ea5f3c3e ("src: ct: add eval part to inject dependencies for ct saddr/daddr")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index f73edc916406cbaa49a37ed2f1f0a075f4152d4f..d13b1141324418b36da16ea12e39476e202c8ab3 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1190,7 +1190,8 @@ static int expr_evaluate_ct(struct eval_ctx *ctx, struct expr **expr)
        switch (ct->ct.key) {
        case NFT_CT_SRC:
        case NFT_CT_DST:
-               ct_gen_nh_dependency(ctx, ct);
+               if (ct_gen_nh_dependency(ctx, ct) < 0)
+                       return -1;
                break;
        case NFT_CT_SRC_IP:
        case NFT_CT_DST_IP: