[PATCH nft 3/3] evaluate: improve error reporting in netdev ingress chain


 



 # nft -f /tmp/x.nft
 /tmp/x.nft:3:20-24: Error: The netdev family does not support this hook
                 type filter hook input device eth0 priority 0
                                  ^^^^^

 # nft -f /tmp/x.nft
 /tmp/x.nft:3:3-49: Error: Missing `device' in this chain definition
                 type filter hook ingress device eth0 priority 0
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/evaluate.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 759cdaafb0ea..84fe89eed657 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3786,8 +3786,9 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 		chain->hook.num = str2hooknum(chain->handle.family,
 					      chain->hook.name);
 		if (chain->hook.num == NF_INET_NUMHOOKS)
-			return chain_error(ctx, chain, "invalid hook %s",
-					   chain->hook.name);
+			return __stmt_binary_error(ctx, &chain->hook.loc, NULL,
+						   "The %s family does not support this hook",
+						   family2str(chain->handle.family));
 
 		if (!evaluate_priority(ctx, &chain->priority,
 				       chain->handle.family, chain->hook.num))
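Review bot: The new message at the `__stmt_binary_error` call states that the family does not support the hook, but the only condition visible here is `str2hooknum()` returning `NF_INET_NUMHOOKS`. That presumably also happens for a misspelled or otherwise unknown hook name, so a typo would be reported as a family limitation. Wording that covers both cases would be safer, for example `"unknown or unsupported hook for the %s family"`. A one-line comment above the check, such as `/* NF_INET_NUMHOOKS: no such hook for this family */`, would also document the sentinel. The body of chain_evaluate starts and ends outside this hunk, so how `chain->hook.loc` is populated cannot be confirmed from here.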
@@ -3799,6 +3800,12 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 				return chain_error(ctx, chain, "invalid policy expression %s",
 						   expr_name(chain->policy));
 		}
+
+		if (chain->handle.family == NFPROTO_NETDEV) {
+			if (!chain->dev_expr)
+				return __stmt_binary_error(ctx, &chain->loc, NULL,
+							   "Missing `device' in this chain definition");
+		}
 	}
 
 	list_for_each_entry(rule, &chain->rules, list) {
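Review bot: The added netdev check nests two `if` statements that have no other branches. A single condition reads more directly: `if (chain->handle.family == NFPROTO_NETDEV && !chain->dev_expr)` followed by the `return`. The error is anchored at `&chain->loc`, so the caret range covers the whole chain definition rather than one token, which is reasonable for a missing keyword. A short comment such as `/* netdev chains with a hook must name a device */` would explain why only this family is checked. The enclosing block opens outside the hunk, so it is only an inference that this runs for chains that declare a hook, and the comment should be adjusted if that is wrong.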
-- 
2.11.0



