evaluate: improve error reporting in netdev ingress chain

 # nft -f /tmp/x.nft
 /tmp/x.nft:3:20-24: Error: The netdev family does not support this hook
                 type filter hook input device eth0 priority 0
                                  ^^^^^

 # nft -f /tmp/x.nft
 /tmp/x.nft:3:3-49: Error: Missing `device' in this chain definition
                 type filter hook ingress device eth0 priority 0
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 9 insertions, 2 deletions

diff --git a/src/evaluate.c b/src/evaluate.c
index 759cdaaf..84fe89ee 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3786,8 +3786,9 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 		chain->hook.num = str2hooknum(chain->handle.family,
 					      chain->hook.name);
 		if (chain->hook.num == NF_INET_NUMHOOKS)
-			return chain_error(ctx, chain, "invalid hook %s",
-					   chain->hook.name);
+			return __stmt_binary_error(ctx, &chain->hook.loc, NULL,
+						   "The %s family does not support this hook",
+						   family2str(chain->handle.family));
 
 		if (!evaluate_priority(ctx, &chain->priority,
 				       chain->handle.family, chain->hook.num))
@@ -3799,6 +3800,12 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 				return chain_error(ctx, chain, "invalid policy expression %s",
 						   expr_name(chain->policy));
 		}
+
+		if (chain->handle.family == NFPROTO_NETDEV) {
+			if (!chain->dev_expr)
+				return __stmt_binary_error(ctx, &chain->loc, NULL,
+							   "Missing `device' in this chain definition");
+		}
 	}
 
 	list_for_each_entry(rule, &chain->rules, list) {