Reject invalid chain priority values in user space
authorPhil Sutter <phil@nwl.cc>
Thu, 9 Mar 2023 23:52:15 +0000 (00:52 +0100)
committerPhil Sutter <phil@nwl.cc>
Fri, 10 Mar 2023 11:25:46 +0000 (12:25 +0100)
The kernel doesn't accept nat type chains with a priority of -200 or
below. Catch this and provide a better error message than the kernel's
EOPNOTSUPP.

Signed-off-by: Phil Sutter <phil@nwl.cc>
src/evaluate.c

index 47caf3b0d7167418e68298f5586cba9a21111bde..663ace26f897970f497600860be161eac3d790cd 100644 (file)
@@ -4885,6 +4885,8 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
        }
 
        if (chain->flags & CHAIN_F_BASECHAIN) {
+               int priority;
+
                chain->hook.num = str2hooknum(chain->handle.family,
                                              chain->hook.name);
                if (chain->hook.num == NF_INET_NUMHOOKS)
@@ -4897,6 +4899,13 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
                        return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
                                                   "invalid priority expression %s in this context.",
                                                   expr_name(chain->priority.expr));
+
+               mpz_export_data(&priority, chain->priority.expr->value,
+                               BYTEORDER_HOST_ENDIAN, sizeof(int));
+               if (priority <= -200 && !strcmp(chain->type.str, "nat"))
+                       return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
+                                                  "Chains of type \"nat\" must have a priority value above -200.");
+
                if (chain->policy) {
                        expr_set_context(&ctx->ectx, &policy_type,
                                         NFT_NAME_MAXLEN * BITS_PER_BYTE);
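Review bot: The new range check relies on a two's-complement round trip that the hunk does not spell out: `mpz_export_data` copies the magnitude bytes of the value expression into a `sizeof(int)`-sized buffer, so `priority` only reads back as -200 for a negative input if the expression was built with exactly `sizeof(int) * BITS_PER_BYTE` bits (as the parsers presumably do), and that width is not visible here. A short comment on the export would save the next reader from chasing this, e.g. `/* priority expr is sizeof(int) bits wide; reinterpret as signed int */`. The literal -200 mirrors the conntrack hook priority the kernel compares against before returning EOPNOTSUPP, so naming it in a comment or local constant (the netfilter headers define `NF_IP_PRI_CONNTRACK`, if that header is already included in this file) would make the coupling explicit. Whether `chain->type.str` can still be NULL for a base chain at this point is not visible in the hunk; if an untyped base chain can reach here, the `strcmp` needs a NULL guard. chain_evaluate's body continues outside the hunk.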