From 50780456a01a077d778c236c4d4b64a00ed5acac Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 28 Sep 2021 22:34:10 +0200 Subject: evaluate: check for missing transport protocol match in nat map with concatenations Restore this error with NAT maps: # nft add rule 'ip ipfoo c dnat to ip daddr map @y' Error: transport protocol mapping is only valid after transport protocol match add rule ip ipfoo c dnat to ip daddr map @y ~~~~ ^^^^^^^^^^^^^^^ Allow for transport protocol match in the map too, which is implicitly pulling in a transport protocol dependency. Signed-off-by: Pablo Neira Ayuso --- src/evaluate.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'src/evaluate.c') diff --git a/src/evaluate.c b/src/evaluate.c index f3d7ca42..0bc799eb 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3081,6 +3081,11 @@ static bool nat_evaluate_addr_has_th_expr(const struct expr *map) list_for_each_entry(i, &concat->expressions, list) { enum proto_bases base; + if (i->etype == EXPR_PAYLOAD && + i->payload.base == PROTO_BASE_TRANSPORT_HDR && + i->payload.desc != &proto_th) + return true; + if ((i->flags & EXPR_F_PROTOCOL) == 0) continue; @@ -3160,10 +3165,17 @@ static int stmt_evaluate_addr(struct eval_ctx *ctx, struct stmt *stmt, static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt) { + struct proto_ctx *pctx = &ctx->pctx; struct expr *one, *two, *data, *tmp; const struct datatype *dtype; int addr_type, err; + if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL && + !nat_evaluate_addr_has_th_expr(stmt->nat.addr)) + return stmt_binary_error(ctx, stmt->nat.addr, stmt, + "transport protocol mapping is only " + "valid after transport protocol match"); + switch (stmt->nat.family) { case NFPROTO_IPV4: addr_type = TYPE_IPADDR; -- cgit v1.2.3
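Review bot: The added test in nat_evaluate_addr_has_th_expr's loop, `i->payload.desc != &proto_th`, accepts any descriptor other than the generic transport placeholder, including a NULL or other placeholder descriptor if a key element can still carry one at this point (the helper appears to be called on the map before it is evaluated, see the second hunk). If such a descriptor can occur, the condition should require a concrete transport protocol rather than only exclude `proto_th`, e.g. `i->payload.desc != NULL && i->payload.desc != &proto_th`. Either way the exclusion deserves a comment, since `proto_th` is not obviously special to a reader: `/* A concrete transport header match in the key (e.g. tcp dport) implies the protocol; the generic "th" pseudo-header does not. */`. The function starts and ends outside the hunk.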
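Review bot: The new guard in stmt_evaluate_nat_map inspects `stmt->nat.addr` before the family `switch` and, as far as the hunk shows, before the map expression has been evaluated, so `nat_evaluate_addr_has_th_expr` is judging parser-time state of the key: a key element that only becomes a payload expression during evaluation (a symbol or variable reference, for instance) would not be recognised and the rule would be rejected with this error even though evaluation would have pulled in the transport dependency. If that ordering is intentional it should be stated, and the check itself says nothing about why a port mapping needs the protocol; I would add above the `if`: `/* A mapping that rewrites the port needs the transport protocol: either an earlier transport match in the rule or a transport header expression in the map key, which implies one. */`. Otherwise consider moving the guard after the map has been evaluated, where the key's expressions are settled. The rest of the function, including the map evaluation, is outside the hunk.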