evaluate: flag fwd and queue statements as terminal

Both queue and fwd statement end evaluation of a rule:

in
... fwd to "eth0" accept
... queue accept

"accept" is redundant and never evaluated in the kernel.
Add the missing "TERMINAL" flag so the evaluation step will catch
any trailing expressions:

nft add rule filter input queue counter
Error: Statement after terminal statement has no effect

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index b8bcf4866d8d1245ed716e4947035f36d142e690..29fe966008b1bc90913751181ed456cb06b57e38 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2963,6 +2963,7 @@ static int stmt_evaluate_fwd(struct eval_ctx *ctx, struct stmt *stmt)
        default:
                return stmt_error(ctx, stmt, "unsupported family");
        }
+       stmt->flags |= STMT_F_TERMINAL;
        return 0;
 }
 
@@ -2982,6 +2983,7 @@ static int stmt_evaluate_queue(struct eval_ctx *ctx, struct stmt *stmt)
                                          "fanout requires a range to be "
                                          "specified");
        }
+       stmt->flags |= STMT_F_TERMINAL;
        return 0;
 }