From 8b043938e77b1f421beccff595117d6e4ff8eecc Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 15 Jan 2021 18:40:11 +0100
Subject: evaluate: disallow ct original {s,d}ddr from maps

test.nft:6:55-71: Error: specify either ip or ip6 for address matching
add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 }
^^^^^^^^^^^^^^^^^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489
Signed-off-by: Pablo Neira Ayuso
---
 src/evaluate.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'src/evaluate.c')

diff --git a/src/evaluate.c b/src/evaluate.c
index 38dbc33d..c830dcdb 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1472,6 +1472,12 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
 const struct datatype *dtype;
 struct expr *key, *data;
 
+ if (map->map->etype == EXPR_CT &&
+ (map->map->ct.key == NFT_CT_SRC ||
+ map->map->ct.key == NFT_CT_DST))
+ return expr_error(ctx->msgs, map->map,
+ "specify either ip or ip6 for address matching");
+
 expr_set_context(&ctx->ectx, NULL, 0);
 if (expr_evaluate(ctx, &map->map) < 0)
 return -1;
--
cgit v1.2.3
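Review bot: The new guard inspects only the top-level key expression (`map->map->etype == EXPR_CT`), so a concatenated key such as `ct original daddr . meta l4proto` is not caught here and proceeds into the `expr_evaluate(ctx, &map->map)` call on the following line; whether the concatenation path reports the same error or reaches the failure described in bug 1489 cannot be seen from this hunk and deserves a test case alongside the one in the commit message. A one-line why-comment above the check would also help the next reader, e.g. `/* ct {original,reply} {s,d}addr carries no address family; with no relational rhs to infer it from, reject the key before evaluation. */`. The same condition is presumably wanted wherever a ct expression is used as a set or map key outside a relational context, if those paths share the problem. expr_evaluate_map begins and ends outside the hunk.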