evaluate: check for device in non-netdev chains

 # nft -f /tmp/x
 /tmp/x:3:26-36: Error: This chain type cannot be bound to device
                 type filter hook input device eth0 priority 0
                                        ^^^^^^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 84fe89eed6570ee40ab9317359b7ded6c1d5e552..fcc79386b3250590663378f8af9c5821e051a04d 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3805,6 +3805,9 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
                        if (!chain->dev_expr)
                                return __stmt_binary_error(ctx, &chain->loc, NULL,
                                                           "Missing `device' in this chain definition");
+               } else if (chain->dev_expr) {
+                       return __stmt_binary_error(ctx, &chain->dev_expr->location, NULL,
+                                                  "This chain type cannot be bound to device");
                }
        }