[PATCH nft] evaluate: flag fwd and queue statements as terminal

[PATCH nft] evaluate: flag fwd and queue statements as terminal

[Florian Westphal]

Both queue and fwd statement end evaluation of a rule:

in
... fwd to "eth0" accept
... queue accept

"accept" is redundant and never evaluated in the kernel.
Add the missing "TERMINAL" flag so the evaluation step will catch
any trailing expressions:

nft add rule filter input queue counter
Error: Statement after terminal statement has no effect

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/evaluate.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index b8bcf4866d8d..29fe966008b1 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2963,6 +2963,7 @@ static int stmt_evaluate_fwd(struct eval_ctx *ctx, struct stmt *stmt)
 	default:
 		return stmt_error(ctx, stmt, "unsupported family");
 	}
+	stmt->flags |= STMT_F_TERMINAL;
 	return 0;
 }
 
@@ -2982,6 +2983,7 @@ static int stmt_evaluate_queue(struct eval_ctx *ctx, struct stmt *stmt)
 					  "fanout requires a range to be "
 					  "specified");
 	}
+	stmt->flags |= STMT_F_TERMINAL;
 	return 0;
 }
 
-- 
2.21.0

Re: [PATCH nft] evaluate: flag fwd and queue statements as terminal

[Pablo Neira Ayuso]

On Fri, Sep 06, 2019 at 04:43:37PM +0200, Florian Westphal wrote:
> Both queue and fwd statement end evaluation of a rule:
> 
> in
> ... fwd to "eth0" accept
> ... queue accept
> 
> "accept" is redundant and never evaluated in the kernel.
> Add the missing "TERMINAL" flag so the evaluation step will catch
> any trailing expressions:
> 
> nft add rule filter input queue counter
> Error: Statement after terminal statement has no effect
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>