authorPablo Neira Ayuso <pablo@netfilter.org>2023-03-10 19:20:50 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2023-03-11 22:11:34 +0100
commit573788e053631a5c069f887caed7c62d521b022d (patch)
treebfac46e2c63dc9b6577a40a65ba91e793b859695 /src/evaluate.c
parent8c75d3a169605b605711ccb6f4ab3253c40ba10b (diff)
src: improve error reporting for unsupported chain type
8c75d3a16960 ("Reject invalid chain priority values in user space") provides error reporting from the evaluation phase. Instead, this patch infers the error after the kernel reports EOPNOTSUPP. test.nft:3:28-40: Error: Chains of type "nat" must have a priority value above -200 type nat hook prerouting priority -300; ^^^^^^^^^^^^^ This patch also adds another common issue for users compiling their own kernels if they forget to enable CONFIG_NFT_NAT in their .config file. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r--src/evaluate.c9
1 files changed, 0 insertions, 9 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 663ace26..47caf3b0 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4885,8 +4885,6 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
}
if (chain->flags & CHAIN_F_BASECHAIN) {
- int priority;
-
chain->hook.num = str2hooknum(chain->handle.family,
chain->hook.name);
if (chain->hook.num == NF_INET_NUMHOOKS)
@@ -4899,13 +4897,6 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
"invalid priority expression %s in this context.",
expr_name(chain->priority.expr));
-
- mpz_export_data(&priority, chain->priority.expr->value,
- BYTEORDER_HOST_ENDIAN, sizeof(int));
- if (priority <= -200 && !strcmp(chain->type.str, "nat"))
- return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
- "Chains of type \"nat\" must have a priority value above -200.");
-
if (chain->policy) {
expr_set_context(&ctx->ectx, &policy_type,
NFT_NAME_MAXLEN * BITS_PER_BYTE);