diff mbox series

[nft,1/2] evaluate: check for device in non-netdev chains

Message ID 20200331182932.34515-1-pablo@netfilter.org
State Accepted
Delegated to: Pablo Neira
Series [nft,1/2] evaluate: check for device in non-netdev chains

Commit Message

Pablo Neira Ayuso March 31, 2020, 6:29 p.m. UTC
# nft -f /tmp/x
 /tmp/x:3:26-36: Error: This chain type cannot be bound to device
                 type filter hook input device eth0 priority 0
                                        ^^^^^^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 3 +++
 1 file changed, 3 insertions(+)

Patch

diff --git a/src/evaluate.c b/src/evaluate.c
index 84fe89eed657..fcc79386b325 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3805,6 +3805,9 @@  static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 			if (!chain->dev_expr)
 				return __stmt_binary_error(ctx, &chain->loc, NULL,
 							   "Missing `device' in this chain definition");
+		} else if (chain->dev_expr) {
+			return __stmt_binary_error(ctx, &chain->dev_expr->location, NULL,
+						   "This chain type cannot be bound to device");
 		}
 	}
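
Review bot: The error string in the added `else if (chain->dev_expr)` branch blames the chain type ("This chain type cannot be bound to device"), while the subject describes the restriction as applying to non-netdev chains and the example in the commit message uses `type filter`, so a user reading the error may conclude that `filter` is the problem. Consider wording that names what the enclosing condition (not visible in this hunk) actually tests, for instance that `device` is only accepted in netdev chains. The diffstat lists only src/evaluate.c, so no test accompanies the change; a case that loads a non-netdev base chain carrying a `device` clause would pin down both the rejection and the reported location, `chain->dev_expr->location`.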