@@ -44,6 +44,14 @@ static int nft_dup_netdev_init(const struct nft_ctx *ctx,
sizeof(int));
}
+static int nft_dup_netdev_validate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nft_data **data)
+{
+ return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS) |
+ (1 << NF_NETDEV_EGRESS));
+}
+
static int nft_dup_netdev_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
struct nft_dup_netdev *priv = nft_expr_priv(expr);
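Review bot: nft_dup_netdev_validate() tests only the hook bit of the chain and never the family, and nothing in the function says why that is sufficient. NF_NETDEV_INGRESS and NF_NETDEV_EGRESS are small per-family hook numbers, so the same mask would also match the first two hooks of another family if this expression were ever reachable there; the restriction to netdev presumably comes from how the expression type is registered, which is outside this hunk. I would add a comment above the function such as `/* Hook numbers are per-family: this mask is only meaningful because the expression is registered for NFPROTO_NETDEV. */`, or make the dependency explicit with `if (ctx->family != NFPROTO_NETDEV) return -EOPNOTSUPP;` before the hook check. It is also worth confirming that rules placed in regular (non-base) chains are still covered, since the helper is handed `ctx->chain` directly and that case depends on validation being re-run from the base chain.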
@@ -79,6 +87,7 @@ static const struct nft_expr_ops nft_dup_netdev_ops = {
.eval = nft_dup_netdev_eval,
.init = nft_dup_netdev_init,
.dump = nft_dup_netdev_dump,
+ .validate = nft_dup_netdev_validate,
.reduce = NFT_REDUCE_READONLY,
.offload = nft_dup_netdev_offload,
.offload_action = nft_dup_netdev_offload_action,
This is only supported for the netdev family and the ingress and egress hooks. Fixes: 502061f81d3e ("netfilter: nf_tables: add packet duplication to the netdev family") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nft_dup_netdev.c | 9 +++++++++ 1 file changed, 9 insertions(+)