author | Fernando Fernandez Mancera <ffmancera@riseup.net> | 2019-08-02 12:12:10 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-08-08 12:43:10 +0200 |
commit | dba4a9b4b5fe2c4b6929be799fdb9332fc653e1b (patch) | |
tree | 800a99b457f9a37fd7790a8308c0d4ec33809510 /src/evaluate.c | |
parent | 627c451b2351310da9ad82dbdb64747b1fada8e5 (diff) |
src: allow variable in chain policy
This patch allows you to use variables in chain policy definition, e.g.
define default_policy = "accept"
add table ip foo
add chain ip foo bar {type filter hook input priority filter; policy $default_policy}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rwxr-xr-x | src/evaluate.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 1879eb0f..831eb7c2 100755
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3476,6 +3476,25 @@ static uint32_t str2hooknum(uint32_t family, const char *hook)
 return NF_INET_NUMHOOKS;
 }
 
+static bool evaluate_policy(struct eval_ctx *ctx, struct expr **exprp)
+{
+ struct expr *expr;
+
+ ctx->ectx.dtype = &policy_type;
+ ctx->ectx.len = NFT_NAME_MAXLEN * BITS_PER_BYTE;
+ if (expr_evaluate(ctx, exprp) < 0)
+ return false;
+
+ expr = *exprp;
+ if (expr->etype != EXPR_VALUE) {
+ expr_error(ctx->msgs, expr, "%s is not a valid "
+ "policy expression", expr_name(expr));
+ return false;
+ }
+
+ return true;
+}
+
 static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 {
 struct table *table;
@@ -3509,6 +3528,11 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
 "invalid priority expression %s in this context.",
 expr_name(chain->priority.expr));
+ if (chain->policy) {
+ if (!evaluate_policy(ctx, &chain->policy))
+ return chain_error(ctx, chain, "invalid policy expression %s",
+ expr_name(chain->policy));
+ }
 }
 
 list_for_each_entry(rule, &chain->rules, list) {
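Review bot: A rejected policy expression is reported twice: evaluate_policy already calls expr_error() for a non-EXPR_VALUE result (and expr_evaluate presumably emits its own message on the `< 0` path, as the other evaluation helpers in this file appear to), yet the caller in the second hunk adds a second, less precise `chain_error(ctx, chain, "invalid policy expression %s", ...)` anchored at the chain rather than at the offending expression. Returning the status instead of a bool lets the caller simply propagate it: `static int evaluate_policy(struct eval_ctx *ctx, struct expr **exprp)` returning `-1` on either failure and `0` on success, with `if (chain->policy && evaluate_policy(ctx, &chain->policy) < 0) return -1;` in chain_evaluate, which also flattens the nested `if`. The EXPR_VALUE check does not confirm that the resolved value carries policy_type, so whether a variable bound to a non-policy constant is rejected here or only later cannot be told from this hunk and is worth a comment on the function. The enclosing chain_evaluate body starts and ends outside the second hunk.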