authorPablo Neira Ayuso <pablo@netfilter.org>2021-09-28 22:34:10 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2021-09-29 18:59:44 +0200
commit50780456a01a077d778c236c4d4b64a00ed5acac (patch)
tree789fd2f3e610fc833db2b06f8c39d60a558901dc /src/evaluate.c
parent82f3b6171d0f79d27662266ddd9876d416879dc8 (diff)
evaluate: check for missing transport protocol match in nat map with concatenations
Restore this error with NAT maps: # nft add rule 'ip ipfoo c dnat to ip daddr map @y' Error: transport protocol mapping is only valid after transport protocol match add rule ip ipfoo c dnat to ip daddr map @y ~~~~ ^^^^^^^^^^^^^^^ Allow for transport protocol match in the map too, which is implicitly pulling in a transport protocol dependency. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r--src/evaluate.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index f3d7ca42..0bc799eb 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3081,6 +3081,11 @@ static bool nat_evaluate_addr_has_th_expr(const struct expr *map)
list_for_each_entry(i, &concat->expressions, list) {
enum proto_bases base;
+ if (i->etype == EXPR_PAYLOAD &&
+ i->payload.base == PROTO_BASE_TRANSPORT_HDR &&
+ i->payload.desc != &proto_th)
+ return true;
+
if ((i->flags & EXPR_F_PROTOCOL) == 0)
continue;
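Review bot: The new early-return in the concat walk gives no hint why a transport-base payload expression counts as a protocol match while `&proto_th` is singled out for exclusion, and that distinction is exactly what the later "transport protocol mapping is only valid after transport protocol match" diagnostic hinges on; a short comment above the `if` would carry it, e.g. `/* A concrete transport payload field (tcp dport, udp sport, ...) implicitly pins the transport protocol, so it satisfies the dependency; the generic 'th' header does not name one and must not count. */`. Note too that `i->payload.desc != &proto_th` also evaluates true when `desc` is NULL — if a transport-base payload expression can ever reach this loop without a descriptor (I cannot tell from this hunk whether the parser guarantees one), that would silently pass the check, and `i->payload.desc && i->payload.desc != &proto_th` would make the intent explicit at no cost. The enclosing `nat_evaluate_addr_has_th_expr` both starts and continues outside this hunk, so the existing `EXPR_F_PROTOCOL` path that follows is only partly visible here.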
@@ -3160,10 +3165,17 @@ static int stmt_evaluate_addr(struct eval_ctx *ctx, struct stmt *stmt,
static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
{
+ struct proto_ctx *pctx = &ctx->pctx;
struct expr *one, *two, *data, *tmp;
const struct datatype *dtype;
int addr_type, err;
+ if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL &&
+ !nat_evaluate_addr_has_th_expr(stmt->nat.addr))
+ return stmt_binary_error(ctx, stmt->nat.addr, stmt,
+ "transport protocol mapping is only "
+ "valid after transport protocol match");
+
switch (stmt->nat.family) {
case NFPROTO_IPV4:
addr_type = TYPE_IPADDR;