authorPablo Neira Ayuso <pablo@netfilter.org>2025-08-17 21:01:30 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2025-08-19 14:53:57 +0200
commit01277922fede9fef8aacf5cc871bfbd55bbd78ef (patch)
treea39a2f7f4690a0eca283141b143cdb7c2012d658 /src/cmd.c
parentc44995e31ba60c4823bb81fecd29020452b9e702 (diff)
src: ensure chain policy evaluation when specified
Set on CHAIN_F_BASECHAIN when policy is specified in chain, otherwise chain priority is not evaluated. Toggling this flag requires three adjustments to work though: 1) chain_evaluate() needs to skip evaluation of hook name and priority if not specified to allow for updating the default chain policy, e.g. chain ip x y { policy accept; } 2) update netlink bytecode generation for chain to skip NFTA_CHAIN_HOOK so update path is exercised in the kernel. 3) error reporting needs to check if basechain priority and type is set on, otherwise skip further hints. Fixes: acdfae9c3126 ("src: allow to specify the default policy for base chains") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/cmd.c')
-rw-r--r--src/cmd.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/cmd.c b/src/cmd.c
index ff634af2..9d5544f0 100644
--- a/src/cmd.c
+++ b/src/cmd.c
@@ -282,6 +282,9 @@ static int nft_cmd_chain_error(struct netlink_ctx *ctx, struct cmd *cmd,
if (!(chain->flags & CHAIN_F_BASECHAIN))
break;
+ if (!chain->priority.expr || !chain->type.str)
+ break;
+
mpz_export_data(&priority, chain->priority.expr->value,
BYTEORDER_HOST_ENDIAN, sizeof(int));
if (priority <= -200 && !strcmp(chain->type.str, "nat"))
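Review bot: The added NULL guard ahead of `mpz_export_data()` carries no comment explaining why a chain with CHAIN_F_BASECHAIN set can now arrive here without a priority expression or type string. A short comment above the check would record that, for example `/* policy-only update: basechain flag is set but type/priority were not given, so there is nothing to hint about */`. Since the flag apparently no longer implies that `chain->priority.expr` and `chain->type.str` are populated, other code that dereferences them after testing only CHAIN_F_BASECHAIN may need the same guard to avoid a NULL dereference; that cannot be confirmed from this hunk. The body of nft_cmd_chain_error() starts and ends outside the hunk.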