From cebbd9678b7ee6f74b3bd4eefc23de5b27135799 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Eckl?= <ecklm94@gmail.com>
Date: Thu, 23 Aug 2018 12:51:07 +0200
Subject: src: Make invalid chain priority error more specific
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

So far if invalid priority name was specified the error message referred
to the whole chain/flowtable specification:

	nft> add chain ip x h { type filter hook prerouting priority first; }
	Error: 'first' is invalid priority in this context.
	add chain ip x h { type filter hook prerouting priority first; }
	                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

With this patch this reference is made specific to the priority
specification:

	nft> add chain ip x h { type filter hook prerouting priority first; }
	Error: 'first' is invalid priority in this context.
	add chain ip x h { type filter hook prerouting priority first; }
	                                               ^^^^^^^^^^^^^^

`prio_spec` is also reused to keep naming intuitive. The parser section
formerly named `prio_spec` is renamed to `int_num` as it basically
provides the mathematical set of integer numbers.

Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/rule.h     |  1 +
 src/evaluate.c     | 11 ++++++-----
 src/parser_bison.y | 23 +++++++++++++++--------
 3 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/include/rule.h b/include/rule.h
index d564cb01..cfbbcf1f 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -172,6 +172,7 @@ enum chain_flags {
 struct prio_spec {
 	const char  *str;
 	int          num;
+	struct location loc;
 };
 
 /**
diff --git a/src/evaluate.c b/src/evaluate.c
index 647e1606..685924df 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3028,8 +3028,9 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft)
 		return chain_error(ctx, ft, "invalid hook %s", ft->hookstr);
 
 	if (!evaluate_priority(&ft->priority, NFPROTO_NETDEV, ft->hooknum))
-		return chain_error(ctx, ft, "'%s' is invalid priority.",
-				   ft->priority.str);
+		return __stmt_binary_error(ctx, &ft->priority.loc, NULL,
+					   "'%s' is invalid priority.",
+					   ft->priority.str);
 
 	if (!ft->dev_expr)
 		return chain_error(ctx, ft, "Unbound flowtable not allowed (must specify devices)");
@@ -3186,9 +3187,9 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 
 		if (!evaluate_priority(&chain->priority, chain->handle.family,
 				       chain->hooknum))
-			return chain_error(ctx, chain,
-					   "'%s' is invalid priority in this context.",
-					   chain->priority.str);
+			return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
+						   "'%s' is invalid priority in this context.",
+						   chain->priority.str);
 	}
 
 	list_for_each_entry(rule, &chain->rules, list) {
diff --git a/src/parser_bison.y b/src/parser_bison.y
index cc114717..ff795047 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -528,8 +528,8 @@ int nft_lex(void *, void *, void *);
 %destructor { handle_free(&$$); } table_spec tableid_spec chain_spec chainid_spec flowtable_spec chain_identifier ruleid_spec handle_spec position_spec rule_position ruleset_spec index_spec
 %type <handle>			set_spec setid_spec set_identifier flowtable_identifier obj_spec objid_spec obj_identifier
 %destructor { handle_free(&$$); } set_spec setid_spec set_identifier obj_spec objid_spec obj_identifier
-%type <val>			family_spec family_spec_explicit chain_policy prio_spec
-%type <prio_spec>		extended_prio_spec
+%type <val>			family_spec family_spec_explicit chain_policy int_num
+%type <prio_spec>		extended_prio_spec prio_spec
 
 %type <string>			dev_spec quota_unit
 %destructor { xfree($$); }	dev_spec quota_unit
@@ -1647,7 +1647,7 @@ flowtable_block_alloc	:	/* empty */
 flowtable_block		:	/* empty */	{ $$ = $<flowtable>-1; }
 			|	flowtable_block	common_block
 			|	flowtable_block	stmt_separator
-			|	flowtable_block	HOOK		STRING	PRIORITY	extended_prio_spec	stmt_separator
+			|	flowtable_block	HOOK		STRING	prio_spec	stmt_separator
 			{
 				$$->hookstr	= chain_hookname_lookup($3);
 				if ($$->hookstr == NULL) {
@@ -1658,7 +1658,7 @@ flowtable_block		:	/* empty */	{ $$ = $<flowtable>-1; }
 				}
 				xfree($3);
 
-				$$->priority = $5;
+				$$->priority = $4;
 			}
 			|	flowtable_block	DEVICES		'='	flowtable_expr	stmt_separator
 			{
@@ -1780,7 +1780,7 @@ type_identifier		:	STRING	{ $$ = $1; }
 			|	CLASSID { $$ = xstrdup("classid"); }
 			;
 
-hook_spec		:	TYPE		STRING		HOOK		STRING		dev_spec	PRIORITY	extended_prio_spec
+hook_spec		:	TYPE		STRING		HOOK		STRING		dev_spec	prio_spec
 			{
 				const char *chain_type = chain_type_name_lookup($2);
 
@@ -1803,12 +1803,19 @@ hook_spec		:	TYPE		STRING		HOOK		STRING		dev_spec	PRIORITY	extended_prio_spec
 				xfree($4);
 
 				$<chain>0->dev		= $5;
-				$<chain>0->priority	= $7;
+				$<chain>0->priority	= $6;
 				$<chain>0->flags	|= CHAIN_F_BASECHAIN;
 			}
 			;
 
-extended_prio_spec	:	prio_spec
+prio_spec		:	PRIORITY extended_prio_spec
+			{
+				$$ = $2;
+				$$.loc = @$;
+			}
+			;
+
+extended_prio_spec	:	int_num
 			{
 				struct prio_spec spec = {0};
 				spec.num = $1;
@@ -1836,7 +1843,7 @@ extended_prio_spec	:	prio_spec
 			}
 			;
 
-prio_spec		:	NUM			{ $$ = $1; }
+int_num		:	NUM			{ $$ = $1; }
 			|	DASH	NUM		{ $$ = -$2; }
 			;
 
-- 
cgit v1.2.3