From 41d48cb6de2c68f05a9122353b1608f34ed33957 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 31 Mar 2020 13:30:31 +0200
Subject: evaluate: improve error reporting in netdev ingress chain
# nft -f /tmp/x.nft
/tmp/x.nft:3:20-24: Error: The netdev family does not support this hook
type filter hook input device eth0 priority 0
^^^^^
# nft -f /tmp/x.nft
/tmp/x.nft:3:3-49: Error: Missing `device' in this chain definition
type filter hook ingress device eth0 priority 0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso
---
 src/evaluate.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 759cdaaf..84fe89ee 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3786,8 +3786,9 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 chain->hook.num = str2hooknum(chain->handle.family, chain->hook.name);
 if (chain->hook.num == NF_INET_NUMHOOKS)
- return chain_error(ctx, chain, "invalid hook %s",
- chain->hook.name);
+ return __stmt_binary_error(ctx, &chain->hook.loc, NULL,
+ "The %s family does not support this hook",
+ family2str(chain->handle.family));
 if (!evaluate_priority(ctx, &chain->priority, chain->handle.family, chain->hook.num))
@@ -3799,6 +3800,12 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 return chain_error(ctx, chain, "invalid policy expression %s", expr_name(chain->policy));
 }
+
+ if (chain->handle.family == NFPROTO_NETDEV) {
+ if (!chain->dev_expr)
+ return __stmt_binary_error(ctx, &chain->loc, NULL,
+ "Missing `device' in this chain definition");
+ }
 }
 list_for_each_entry(rule, &chain->rules, list) {
-- cgit v1.2.3
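Review bot: The replacement error at the `NF_INET_NUMHOOKS` check no longer names the rejected hook, which the old `"invalid hook %s"` text did, so a reader who sees only the message text (a log line, or a front end that drops the caret line) cannot tell which hook was refused. Keeping it costs one argument: `"The %s family does not support the %s hook", family2str(chain->handle.family), chain->hook.name`. A short comment such as `/* str2hooknum() yields NF_INET_NUMHOOKS when the family has no such hook */` would also explain the sentinel comparison; that reading is inferred from the error text and should be confirmed against str2hooknum(). chain_evaluate's body begins and ends outside the hunk.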
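Review bot: The two nested conditions in the added netdev block test a single thing and can be merged into `if (chain->handle.family == NFPROTO_NETDEV && !chain->dev_expr)`, which removes one nesting level and the extra braces. The block also calls `__stmt_binary_error()` directly, while the policy check in the context lines just above goes through `chain_error()`; if that helper already reports at the chain's own location, using it here would keep the function's error paths uniform. The enclosing condition and the rest of chain_evaluate lie outside the hunk, so it is not visible here which chains actually reach this check.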