main: Fix for misleading error with negative chain priority
authorPhil Sutter <phil@nwl.cc>
Mon, 21 Oct 2019 16:51:14 +0000 (18:51 +0200)
committerPhil Sutter <phil@nwl.cc>
Mon, 21 Oct 2019 20:36:31 +0000 (22:36 +0200)
getopt_long() would try to parse the negative priority as an option and
return -1 as it is not known:

| # nft add chain x y { type filter hook input priority -30\; }
| nft: invalid option -- '3'

Fix this by prefixing optstring with a plus character. This instructs
getopt_long() to not collate arguments but just stop after the first
non-option, leaving the rest for manual handling. In fact, this is just
what nft desires: mixing options with nft syntax leads to confusing
command lines anyway.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/main.c
tests/shell/testcases/chains/0039negative_priority_0 [new file with mode: 0755]

index f77d8a820a028f35df7eb1b9b597f6590f7ee185..577850e54f68c20cca4f97de18dffb7559292ab0 100644 (file)
@@ -45,7 +45,7 @@ enum opt_vals {
        OPT_NUMERIC_TIME        = 't',
        OPT_INVALID             = '?',
 };
-#define OPTSTRING      "hvcf:iI:jvnsNaeSupypt"
+#define OPTSTRING      "+hvcf:iI:jvnsNaeSupypt"
 
 static const struct option options[] = {
        {
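Review bot: The new leading `+` in `OPTSTRING` has no comment, and its effect is wider than the negative-priority case: option parsing now stops at the first non-option argument, so a flag written after the command text is handed to the ruleset parser instead of being treated as an option. Scripts that put flags last will fail or behave differently, which matters for unattended tooling that manages firewall rules. I would add `/* Leading '+': stop at the first non-option so nft syntax such as a negative priority is never parsed as an option. */` above the define and state the ordering requirement in the usage text. The string also lists `v` and `p` twice, which looks unintended. The `options[]` table that follows continues outside the hunk.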
diff --git a/tests/shell/testcases/chains/0039negative_priority_0 b/tests/shell/testcases/chains/0039negative_priority_0
new file mode 100755 (executable)
index 0000000..ba17b8c
--- /dev/null
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Test parsing of negative priority values
+
+set -e
+
+$NFT add table t
+$NFT add chain t c { type filter hook input priority -30\; }
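Review bot: The test only checks that the two commands exit successfully and never confirms that the chain was created with priority -30, so a parse that accepted the argument but stored a different value would still pass. After the last line I would list the chain and match the priority, something like `$NFT list chain t c | grep -q -- '-30'`, with the pattern adjusted to the exact way nft prints the priority. A second case that passes an option before the command would also pin the behaviour the `+` prefix is meant to preserve.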