author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-11-02 11:31:40 +0100 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-11-03 12:48:19 +0100 |
commit | 8f3048954d40da8240cf5ff07b84d5c2e66f9066 (patch) | |
tree | b2d6974ae9575575e2ea4450847b7c0abd03acb6 /src | |
parent | dd0e717827d8dff3b762a8ebbf15bf57aa4012cb (diff) |
evaluate: postpone transport protocol match check after nat expression evaluation
Fix a bogus error report when the transport protocol is used as a map key.
Fixes: 50780456a01a ("evaluate: check for missing transport protocol match in nat map with concatenations")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/evaluate.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 609e171d..6a8c396f 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3170,12 +3170,6 @@ static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
 	const struct datatype *dtype;
 	int addr_type, err;
 
-	if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL &&
-	    !nat_evaluate_addr_has_th_expr(stmt->nat.addr))
-		return stmt_binary_error(ctx, stmt->nat.addr, stmt,
-					 "transport protocol mapping is only "
-					 "valid after transport protocol match");
-
 	switch (stmt->nat.family) {
 	case NFPROTO_IPV4:
 		addr_type = TYPE_IPADDR;
@@ -3192,6 +3186,13 @@ static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
 	if (expr_evaluate(ctx, &stmt->nat.addr))
 		return -1;
 
+	if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL &&
+	    !nat_evaluate_addr_has_th_expr(stmt->nat.addr)) {
+		return stmt_binary_error(ctx, stmt->nat.addr, stmt,
+					 "transport protocol mapping is only "
+					 "valid after transport protocol match");
+	}
+
 	if (stmt->nat.addr->etype != EXPR_MAP)
 		return 0;
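Review bot: The relocated check in the second hunk carries no comment saying why it must come after expr_evaluate(), even though the whole point of the commit is that the earlier placement produced a false error when the transport protocol is itself the map key, presumably because nat_evaluate_addr_has_th_expr() needs the evaluated address/map expression to see it. Without that note the next cleanup pass can hoist the check back up and silently reintroduce the bug; a line above the `if` such as `/* Must follow expr_evaluate(): the th-expr check inspects the evaluated address/map expression. */` would pin the ordering. The braces added around the single `return stmt_binary_error(...)` statement also depart from the brace-less form the removed lines used and the rest of this function appears to follow; dropping them keeps the style consistent. stmt_evaluate_nat_map() begins before the first hunk and continues past the second, so pctx's definition and the remaining map validation are outside what is shown here.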