When nft -f is used, ctx->cmd points to the table object, which
contains the corresponding chain, set and rule lists. The reject
statement evaluator relies on ctx->cmd->rule to add the payload
dependencies, which is doesn't point to the rule in that case.
This patch adds the rule context to the eval_ctx structure to update
the rule list of statements when generating dependencies, as the reject
statement needs.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=993
Reported-by: Ting-Wei Lan <lantw44@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* @msgs: message queue
* @cmd: current command
* @table: current table
+ * @rule: current rule
* @set: current set
* @stmt: current statement
* @ectx: expression context
struct list_head *msgs;
struct cmd *cmd;
struct table *table;
+ struct rule *rule;
struct set *set;
struct stmt *stmt;
struct expr_ctx ectx;
if (payload_gen_dependency(ctx, payload, &nstmt) < 0)
return -1;
- list_add(&nstmt->list, &ctx->cmd->rule->stmts);
+ list_add(&nstmt->list, &ctx->rule->stmts);
return 0;
}
proto_ctx_init(&ctx->pctx, rule->handle.family);
memset(&ctx->ectx, 0, sizeof(ctx->ectx));
+ ctx->rule = rule;
list_for_each_entry(stmt, &rule->stmts, list) {
if (tstmt != NULL)
return stmt_binary_error(ctx, stmt, tstmt,
projects / thirdparty / nftables.git / commitdiff
