summaryrefslogtreecommitdiffstats
path: root/src/evaluate.c
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2017-09-29 13:54:21 +0200
committerFlorian Westphal <fw@strlen.de>2017-09-29 13:54:21 +0200
commitd53f6caace0759c0e79fe6e7b647bd6f20201e28 (patch)
treef793ace2785a17a767d58ac521451ae659eddecd /src/evaluate.c
parent2440711cf07ee582db4f0fff3b274acd158dd98f (diff)
src: rt: add keyword distinction for nexthop vs nexthop6
the rt expression currently always sets NFT_RT_NEXTHOP4 and then uses the network base to determine if its really supposed to be NEXTHOP6. For inet, this will fail because the network base is not known, so this currently enforces need for "meta nfproto" to dermine the type. Allow following syntax instead: rt ip nexthop rt ip6 nexthop There is no need for a dependency anymore, as rt expression checks the hook protocol, ie. NEXTHOP4 will break if the hook pf is not NFPROTO_IPV4. Cc: Anders K. Pedersen <akp@cohaesio.com> Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r--src/evaluate.c22
1 files changed, 9 insertions, 13 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 8735bb76..ca9180b7 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -662,32 +662,28 @@ static int expr_evaluate_payload(struct eval_ctx *ctx, struct expr **exprp)
return 0;
}
-static int expr_error_base(struct list_head *msgs, const struct expr *e)
-{
- return expr_error(msgs, e,
- "meta nfproto ipv4 or ipv6 must be specified "
- "before %s expression", e->ops->name);
-}
-
/*
* RT expression: validate protocol dependencies.
*/
static int expr_evaluate_rt(struct eval_ctx *ctx, struct expr **expr)
{
- const struct proto_desc *base;
+ static const char emsg[] = "cannot determine ip protocol version, use \"ip nexthop\" or \"ip6 nexthop\" instead";
struct expr *rt = *expr;
rt_expr_update_type(&ctx->pctx, rt);
- base = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
switch (rt->rt.key) {
case NFT_RT_NEXTHOP4:
- if (base != &proto_ip)
- return expr_error_base(ctx->msgs, rt);
+ if (rt->dtype != &ipaddr_type)
+ return expr_error(ctx->msgs, rt, "%s", emsg);
+ if (ctx->pctx.family == NFPROTO_IPV6)
+ return expr_error(ctx->msgs, rt, "%s nexthop will not match", "ip");
break;
case NFT_RT_NEXTHOP6:
- if (base != &proto_ip6)
- return expr_error_base(ctx->msgs, rt);
+ if (rt->dtype != &ip6addr_type)
+ return expr_error(ctx->msgs, rt, "%s", emsg);
+ if (ctx->pctx.family == NFPROTO_IPV4)
+ return expr_error(ctx->msgs, rt, "%s nexthop will not match", "ip6");
break;
default:
break;