diff options
Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 30 |
1 files changed, 13 insertions, 17 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 685924df..a3a78744 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -2487,12 +2487,16 @@ static int stmt_evaluate_nat(struct eval_ctx *ctx, struct stmt *stmt) static int stmt_evaluate_tproxy(struct eval_ctx *ctx, struct stmt *stmt) { + const struct proto_desc *nproto; const struct datatype *dtype; int err, len; switch (ctx->pctx.family) { case NFPROTO_IPV4: - case NFPROTO_IPV6: + case NFPROTO_IPV6: /* fallthrough */ + if (stmt->tproxy.family == NFPROTO_UNSPEC) + stmt->tproxy.family = ctx->pctx.family; + break; case NFPROTO_INET: break; default: @@ -2507,22 +2511,14 @@ static int stmt_evaluate_tproxy(struct eval_ctx *ctx, struct stmt *stmt) if (!stmt->tproxy.addr && !stmt->tproxy.port) return stmt_error(ctx, stmt, "Either address or port must be specified!"); - if (ctx->pctx.family != NFPROTO_INET) { - if (stmt->tproxy.family != NFPROTO_UNSPEC) - return stmt_error(ctx, stmt, "Family can only be specified in inet tables."); - stmt->tproxy.family = ctx->pctx.family; - } - else { - const struct proto_desc *nproto = - ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc; - if ((nproto == &proto_ip && stmt->tproxy.family == NFPROTO_IPV6) || - (nproto == &proto_ip6 && stmt->tproxy.family == NFPROTO_IPV4)) - /* this prevents us from rules like - * ip protocol tcp tproxy ip6 to [dead::beef] - */ - return stmt_error(ctx, stmt, - "Conflicting network layer protocols."); - } + nproto = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc; + if ((nproto == &proto_ip && stmt->tproxy.family != NFPROTO_IPV4) || + (nproto == &proto_ip6 && stmt->tproxy.family != NFPROTO_IPV6)) + /* this prevents us from rules like + * ip protocol tcp tproxy ip6 to [dead::beef] + */ + return stmt_error(ctx, stmt, + "Conflicting network layer protocols."); if (stmt->tproxy.addr != NULL) { if (stmt->tproxy.addr->ops->type == EXPR_RANGE) |