Re: [PATCH nft] evaluate: bail out if ct saddr/daddr dependency cannot be inserted

On Thu, Apr 03, 2025 at 01:09:22AM +0200, Florian Westphal wrote:
> If we have an incomplete rule like "ct original saddr" in the inet
> family, this function generates an error because it can't determine the required protocol
> dependency, hinting at the missing ip/ip6 keyword.
> 
> We should not go on in this case to avoid a redundant followup error:
> 
> nft add rule inet f c ct original saddr 1.2.3.4
> Error: cannot determine ip protocol version, use "ip saddr" or "ip6 saddr" instead
> add rule inet f c ct original saddr 1.2.3.4
>                   ^^^^^^^^^^^^^^^^^
> Error: Could not parse symbolic invalid expression
> add rule inet f c ct original saddr 1.2.3.4
> 
> After this change only the first error is shown.
> 
> Fixes: 2b29ea5f3c3e ("src: ct: add eval part to inject dependencies for ct saddr/daddr")
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>

Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Thanks Florian

> ---
>  src/evaluate.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/evaluate.c b/src/evaluate.c
> index 0c8af09492d1..d6bb18ba2aa0 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -1190,7 +1190,8 @@ static int expr_evaluate_ct(struct eval_ctx *ctx, struct expr **expr)
>  	switch (ct->ct.key) {
>  	case NFT_CT_SRC:
>  	case NFT_CT_DST:
> -		ct_gen_nh_dependency(ctx, ct);
> +		if (ct_gen_nh_dependency(ctx, ct) < 0)
> +			return -1;
>  		break;
>  	case NFT_CT_SRC_IP:
>  	case NFT_CT_DST_IP:
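Review bot: the new `if (ct_gen_nh_dependency(ctx, ct) < 0) return -1;` in the NFT_CT_SRC/NFT_CT_DST arm only suppresses the second error if ct_gen_nh_dependency already returns a negative value after it reports "cannot determine ip protocol version"; the hunk does not touch that function, so its error path should be confirmed to return -1 (or the expr_error result) rather than 0, otherwise evaluation still falls through to the "Could not parse symbolic invalid expression" error the commit message wants to remove. The following NFT_CT_SRC_IP/NFT_CT_DST_IP cases are left alone, which matches the intent: only the family-agnostic saddr/daddr keys need the ip/ip6 dependency injected.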
> -- 
> 2.49.0
> 
> 