From 6968c2632e0c7a625ca57cd4501b6b980fdebc55 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 16 Feb 2023 15:49:11 +0100
Subject: evaluate: print error on missing family in nat statement
Print error message in case family cannot be inferred, before this patch, $? shows 1 after nft execution but no error message was printed. While at it, update error reporting for consistency in similar use cases.
Fixes: e5c9c8fe0bcc ("evaluate: stmt_evaluate_nat_map() only if stmt->nat.ipportmap == true")
Signed-off-by: Pablo Neira Ayuso
---
 src/evaluate.c | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index fe6384a4..98f3e926 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3483,6 +3483,28 @@ static int nat_evaluate_transport(struct eval_ctx *ctx, struct stmt *stmt,
 BYTEORDER_BIG_ENDIAN, expr);
 }
 
+static const char *stmt_name(const struct stmt *stmt)
+{
+ switch (stmt->ops->type) {
+ case STMT_NAT:
+ switch (stmt->nat.type) {
+ case NFT_NAT_SNAT:
+ return "snat";
+ case NFT_NAT_DNAT:
+ return "dnat";
+ case NFT_NAT_REDIR:
+ return "redirect";
+ case NFT_NAT_MASQ:
+ return "masquerade";
+ }
+ break;
+ default:
+ break;
+ }
+
+ return stmt->ops->name;
+}
+
 static int stmt_evaluate_l3proto(struct eval_ctx *ctx, struct stmt *stmt,
 uint8_t family)
 {
@@ -3512,9 +3534,11 @@ static int stmt_evaluate_addr(struct eval_ctx *ctx, struct stmt *stmt,
 
 if (pctx->family == NFPROTO_INET) {
 dtype = get_addr_dtype(family);
- if (dtype->size == 0)
+ if (dtype->size == 0) {
 return stmt_error(ctx, stmt,
- "ip or ip6 must be specified with address for inet tables.");
+ "specify `%s ip' or '%s ip6' in %s table to disambiguate",
+ stmt_name(stmt), stmt_name(stmt), family2str(pctx->family));
+ }
 
 err = stmt_evaluate_arg(ctx, stmt, dtype, dtype->size,
 BYTEORDER_BIG_ENDIAN, addr);
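Review bot: The inner `switch (stmt->nat.type)` in `stmt_name()` has no `default`, so a NAT type not listed there drops through both `break`s to `return stmt->ops->name;` without that being stated anywhere. The fallback looks intentional, but I would make it explicit with `default: break;` in the inner switch. The helper also has no comment; something like `/* Name of the statement for error messages: NAT statements map to their keyword, everything else uses ops->name. */` above it would do. The result is passed straight to `%s` by the callers in the later hunks, so it relies on `ops->name` always being set, which is not visible in this diff.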
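Review bot: The new format string in `stmt_evaluate_addr()` quotes its two examples differently: the first opens with a backtick and closes with an apostrophe, the second uses apostrophes on both sides, so the printed hint is inconsistent. The identical literal is repeated in the `default:` branch of `stmt_evaluate_nat_map()` in the next hunk. I would settle on one style, e.g. `"specify '%s ip' or '%s ip6' in %s table to disambiguate"`, and keep the string in a single place (a small static helper or a shared constant) so the two call sites cannot drift. The function begins and ends outside this hunk.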
@@ -3540,7 +3564,9 @@ static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
 addr_type = TYPE_IP6ADDR;
 break;
 default:
- return -1;
+ return stmt_error(ctx, stmt,
+ "specify `%s ip' or '%s ip6' in %s table to disambiguate",
+ stmt_name(stmt), stmt_name(stmt), family2str(pctx->family));
 }
 
 dtype = concat_type_alloc((addr_type << TYPE_BITS) | TYPE_INET_SERVICE);
-- 
cgit v1.2.3
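Review bot: The `default:` branch of `stmt_evaluate_nat_map()` used to fail with a bare `return -1;` and now prints a diagnostic, but the diffstat lists only src/evaluate.c, so nothing in this commit pins the new message. A regression case that loads a NAT map rule in an inet table without `ip` or `ip6` and checks that an error is reported would keep the silent exit-status-1 path from coming back. The `switch` expression and the rest of the function are outside the hunk, so it cannot be confirmed from here whether `default:` is also reachable for families where the `ip`/`ip6` hint does not apply.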