authorFernando Fernandez Mancera <ffmancera@riseup.net>2019-08-02 12:12:10 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-08-08 12:43:10 +0200
commitdba4a9b4b5fe2c4b6929be799fdb9332fc653e1b (patch)
tree800a99b457f9a37fd7790a8308c0d4ec33809510 /src/evaluate.c
parent627c451b2351310da9ad82dbdb64747b1fada8e5 (diff)
src: allow variable in chain policy
This patch allows you to use variables in chain policy definition, e.g. define default_policy = "accept" add table ip foo add chain ip foo bar {type filter hook input priority filter; policy $default_policy} Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rwxr-xr-xsrc/evaluate.c24
1 files changed, 24 insertions, 0 deletions
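diff --git a/src/evaluate.c b/src/evaluate.c
index 1879eb0f..831eb7c2 100755
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3476,6 +3476,25 @@ static uint32_t str2hooknum(uint32_t family, const char *hook)
 return NF_INET_NUMHOOKS;
 }
+static bool evaluate_policy(struct eval_ctx *ctx, struct expr **exprp)
+{
+ struct expr *expr;
+
+ ctx->ectx.dtype = &policy_type;
+ ctx->ectx.len = NFT_NAME_MAXLEN * BITS_PER_BYTE;
+ if (expr_evaluate(ctx, exprp) < 0)
+ return false;
+
+ expr = *exprp;
+ if (expr->etype != EXPR_VALUE) {
+ expr_error(ctx->msgs, expr, "%s is not a valid "
+ "policy expression", expr_name(expr));
+ return false;
+ }
+
+ return true;
+}
+
 static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 {
 struct table *table;
@@ -3509,6 +3528,11 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
 "invalid priority expression %s in this context.",
 expr_name(chain->priority.expr));
+ if (chain->policy) {
+ if (!evaluate_policy(ctx, &chain->policy))
+ return chain_error(ctx, chain, "invalid policy expression %s",
+ expr_name(chain->policy));
+ }
 }
 list_for_each_entry(rule, &chain->rules, list) {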
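Review bot: The failure path is reported twice: for a non-value policy, evaluate_policy in the first hunk already calls expr_error(ctx->msgs, ...) with "%s is not a valid policy expression", and the caller in the second hunk then adds chain_error(ctx, chain, "invalid policy expression %s") for the same expression, while a failed expr_evaluate() makes the helper return false with no message of its own, so the caller's chain_error is presumably stacked on whatever expr_evaluate queued. Either drop the expr_error in the helper and let chain_evaluate be the single reporter, or keep the helper's message and have the caller propagate silently: `if (!evaluate_policy(ctx, &chain->policy))` / `return -1;`. The helper would also benefit from a header comment such as `/* Evaluate a chain policy expression against policy_type; on a false return an error has already been queued in ctx->msgs. */`, which only becomes accurate once the duplicate report is resolved. chain_evaluate starts before and continues past the second hunk, so the block that the `}` after the new if-statement closes is not visible here.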