evaluate: reject: fix dependency generation from nft -f

When nft -f is used, ctx->cmd points to the table object, which
contains the corresponding chain, set and rule lists. The reject
statement evaluator relies on ctx->cmd->rule to add the payload
dependencies, which is doesn't point to the rule in that case.

This patch adds the rule context to the eval_ctx structure to update
the rule list of statements when generating dependencies, as the reject
statement needs.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=993
Reported-by: Ting-Wei Lan <lantw44@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 2 insertions, 1 deletions

diff --git a/src/evaluate.c b/src/evaluate.c
index 8f0acf72..2c4e8116 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1203,7 +1203,7 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt,
 	if (payload_gen_dependency(ctx, payload, &nstmt) < 0)
 		return -1;
 
-	list_add(&nstmt->list, &ctx->cmd->rule->stmts);
+	list_add(&nstmt->list, &ctx->rule->stmts);
 	return 0;
 }
 
@@ -1722,6 +1722,7 @@ static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule)
 	proto_ctx_init(&ctx->pctx, rule->handle.family);
 	memset(&ctx->ectx, 0, sizeof(ctx->ectx));
 
+	ctx->rule = rule;
 	list_for_each_entry(stmt, &rule->stmts, list) {
 		if (tstmt != NULL)
 			return stmt_binary_error(ctx, stmt, tstmt,