If we have an incomplete rule like "ct original saddr" in inet family, this function generates an error because it can't determine the required protocol dependency, hinting at missing ip/ip6 keyword. We should not go on in this case to avoid a redundant followup error: nft add rule inet f c ct original saddr 1.2.3.4 Error: cannot determine ip protocol version, use "ip saddr" or "ip6 saddr" instead add rule inet f c ct original saddr 1.2.3.4 ^^^^^^^^^^^^^^^^^ Error: Could not parse symbolic invalid expression add rule inet f c ct original saddr 1.2.3.4 After this change only the first error is shown. Fixes: 2b29ea5f3c3e ("src: ct: add eval part to inject dependencies for ct saddr/daddr") Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- src/evaluate.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/evaluate.c b/src/evaluate.c index 0c8af09492d1..d6bb18ba2aa0 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1190,7 +1190,8 @@ static int expr_evaluate_ct(struct eval_ctx *ctx, struct expr **expr) switch (ct->ct.key) { case NFT_CT_SRC: case NFT_CT_DST: - ct_gen_nh_dependency(ctx, ct); + if (ct_gen_nh_dependency(ctx, ct) < 0) + return -1; break; case NFT_CT_SRC_IP: case NFT_CT_DST_IP: -- 2.49.0
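Review bot: in the NFT_CT_SRC/NFT_CT_DST case of expr_evaluate_ct(), the new check has no regression test behind it: the diffstat touches only src/evaluate.c. The commit message already contains a ready reproducer (`nft add rule inet f c ct original saddr 1.2.3.4`), so a test that runs it and asserts that only the "cannot determine ip protocol version" error is reported would keep the redundant "Could not parse symbolic invalid expression" follow-up from coming back. A smaller point on the same lines: the check returns a literal -1 instead of the value ct_gen_nh_dependency() returned. If that function can only return 0 or -1 this is equivalent, but if it can return other negative codes, returning its result directly would preserve them.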