libnftables: keep evaluating until parser_max_errors
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 7 Jun 2019 11:37:22 +0000 (13:37 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 7 Jun 2019 11:58:07 +0000 (13:58 +0200)
Bail out once parser_max_errors has been reached, e.g.

 # nft -f /tmp/errors.nft
 /tmp/errors.nft:1:23-23: Error: syntax error, unexpected newline
 filter input tcp dport
                       ^
 /tmp/errors.nft:2:24-26: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
 filter input tcp dport tcp
              ~~~~~~~~~ ^^^
 /tmp/errors.nft:3:24-26: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
 filter input tcp sport udp
              ~~~~~~~~~ ^^^

Fixes: f211921e25e6 ("src: perform evaluation after parsing")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/libnftables.c

index eae78e8be9d79f6a1577d323eb02add8df2dbcd8..e9dc03cf2909ec5c9df29947bb83ebd8cdba4ce7 100644 (file)
@@ -393,7 +393,8 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
                        .nft    = nft,
                        .msgs   = msgs,
                };
-               if (cmd_evaluate(&ectx, cmd) < 0)
+               if (cmd_evaluate(&ectx, cmd) < 0 &&
+                   ++nft->state->nerrs == nft->parser_max_errors)
                        return -1;
        }