Diffstat (limited to 'src/evaluate.c')
-rwxr-xr-x | src/evaluate.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 1879eb0f..831eb7c2 100755
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3476,6 +3476,25 @@ static uint32_t str2hooknum(uint32_t family, const char *hook)
 return NF_INET_NUMHOOKS;
 }
+static bool evaluate_policy(struct eval_ctx *ctx, struct expr **exprp)
+{
+ struct expr *expr;
+
+ ctx->ectx.dtype = &policy_type;
+ ctx->ectx.len = NFT_NAME_MAXLEN * BITS_PER_BYTE;
+ if (expr_evaluate(ctx, exprp) < 0)
+ return false;
+
+ expr = *exprp;
+ if (expr->etype != EXPR_VALUE) {
+ expr_error(ctx->msgs, expr, "%s is not a valid "
+ "policy expression", expr_name(expr));
+ return false;
+ }
+
+ return true;
+}
+
 static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 {
 struct table *table;
@@ -3509,6 +3528,11 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 return __stmt_binary_error(ctx, &chain->priority.loc, NULL, "invalid priority expression %s in this context.", expr_name(chain->priority.expr));
+ if (chain->policy) {
+ if (!evaluate_policy(ctx, &chain->policy))
+ return chain_error(ctx, chain, "invalid policy expression %s",
+ expr_name(chain->policy));
+ }
 }
 list_for_each_entry(rule, &chain->rules, list) { |
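Review bot: evaluate_policy() accepts any expression that evaluates to EXPR_VALUE, and nothing visible in the hunk confirms that the resulting constant is a verdict a chain may carry as its default policy. That restriction presumably comes from policy_type, which is defined outside this hunk. Because the policy decides what happens to packets that no rule matches, the function should state where the guarantee comes from, e.g. `/* Resolve the policy expression to a constant; policy_type limits it to the known policy names (confirm). */` above the definition. It also returns bool while expr_evaluate() next to it reports failure as a negative int, so the caller has to translate between two conventions; returning int would match.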
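Review bot: In chain_evaluate() a failed evaluate_policy() is followed by chain_error(), although the helper has already recorded a message through expr_error() or, presumably, inside expr_evaluate(), so a single bad policy would be reported twice. The second message prints expr_name(chain->policy), which appears to be the expression kind rather than the offending value, so it adds little for someone debugging a ruleset. Consider collapsing the nested test into `if (chain->policy && !evaluate_policy(ctx, &chain->policy))` and returning `-1` there, provided every failure path in the helper has queued an error. The enclosing block opens outside the hunk.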