evaluate: improve error reporting in netdev ingress chain

 # nft -f /tmp/x.nft
 /tmp/x.nft:3:20-24: Error: The netdev family does not support this hook
                 type filter hook input device eth0 priority 0
                                  ^^^^^

 # nft -f /tmp/x.nft
 /tmp/x.nft:3:3-49: Error: Missing `device' in this chain definition
                 type filter hook ingress device eth0 priority 0
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 759cdaafb0ea7d7e8bb03e83b97869210d139740..84fe89eed6570ee40ab9317359b7ded6c1d5e552 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3786,8 +3786,9 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
                chain->hook.num = str2hooknum(chain->handle.family,
                                              chain->hook.name);
                if (chain->hook.num == NF_INET_NUMHOOKS)
-                       return chain_error(ctx, chain, "invalid hook %s",
-                                          chain->hook.name);
+                       return __stmt_binary_error(ctx, &chain->hook.loc, NULL,
+                                                  "The %s family does not support this hook",
+                                                  family2str(chain->handle.family));
 
                if (!evaluate_priority(ctx, &chain->priority,
                                       chain->handle.family, chain->hook.num))
@@ -3799,6 +3800,12 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
                                return chain_error(ctx, chain, "invalid policy expression %s",
                                                   expr_name(chain->policy));
                }
+
+               if (chain->handle.family == NFPROTO_NETDEV) {
+                       if (!chain->dev_expr)
+                               return __stmt_binary_error(ctx, &chain->loc, NULL,
+                                                          "Missing `device' in this chain definition");
+               }
        }
 
        list_for_each_entry(rule, &chain->rules, list) {