evaluate: postpone transport protocol match check after nat expression evaluation

Fix bogus error report when using transport protocol as map key.

Fixes: 50780456a01a ("evaluate: check for missing transport protocol match in nat map with concatenations")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 7 insertions, 6 deletions

diff --git a/src/evaluate.c b/src/evaluate.c
index 609e171d..6a8c396f 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3170,12 +3170,6 @@ static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
 	const struct datatype *dtype;
 	int addr_type, err;
 
-	if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL &&
-	    !nat_evaluate_addr_has_th_expr(stmt->nat.addr))
-		return stmt_binary_error(ctx, stmt->nat.addr, stmt,
-					 "transport protocol mapping is only "
-					 "valid after transport protocol match");
-
 	switch (stmt->nat.family) {
 	case NFPROTO_IPV4:
 		addr_type = TYPE_IPADDR;
@@ -3192,6 +3186,13 @@ static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
 	if (expr_evaluate(ctx, &stmt->nat.addr))
 		return -1;
 
+	if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL &&
+	    !nat_evaluate_addr_has_th_expr(stmt->nat.addr)) {
+		return stmt_binary_error(ctx, stmt->nat.addr, stmt,
+					 "transport protocol mapping is only "
+					 "valid after transport protocol match");
+	}
+
 	if (stmt->nat.addr->etype != EXPR_MAP)
 		return 0;