From 50780456a01a077d778c236c4d4b64a00ed5acac Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 28 Sep 2021 22:34:10 +0200
Subject: evaluate: check for missing transport protocol match in nat map with concatenations
Restore this error with NAT maps: # nft add rule 'ip ipfoo c dnat to ip daddr map @y' Error: transport protocol mapping is only valid after transport protocol match add rule ip ipfoo c dnat to ip daddr map @y ~~~~ ^^^^^^^^^^^^^^^ Allow for transport protocol match in the map too, which is implicitly pulling in a transport protocol dependency.
Signed-off-by: Pablo Neira Ayuso
---
tests/py/ip/snat.t.payload | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
(limited to 'tests/py/ip/snat.t.payload')
diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload
index 64f47896..48ae46b3 100644
--- a/tests/py/ip/snat.t.payload
+++ b/tests/py/ip/snat.t.payload
@@ -86,11 +86,13 @@ ip
 [ immediate reg 2 0xf003a8c0 ]
 [ nat snat ip addr_min reg 1 addr_max reg 2 ]
 
-# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
+# meta l4proto 17 snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
 __map%d test-ip4 b size 1
 __map%d test-ip4 0
 element 040b8d0a : 0302a8c0 00005000 0 [end]
-ip
+ip
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
 [ payload load 4b @ network header + 12 => reg 1 ]
 [ lookup reg 1 set __map%d dreg 1 ]
 [ nat snat ip addr_min reg 1 proto_min reg 9 ]
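Review bot: The `ip` line in this hunk is removed and re-added with no visible textual difference, so that part of the edit looks whitespace-only (probably trailing whitespace on the new line, though this page has collapsed whitespace) and could be dropped so the hunk carries only the two new expectations, `[ meta load l4proto => reg 1 ]` and `[ cmp eq reg 1 0x00000011 ]`. Separately, the bare rule `snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }` disappears from the expected payloads, which fits it now being rejected, but this page is limited to the payload file, so it is not visible whether `snat.t` keeps that rule with a `;fail` marker. Keeping it there would pin the restored error, so a port mapping accepted without any transport protocol match cannot silently come back.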
@@ -121,3 +123,19 @@ ip
 [ payload load 4b @ network header + 12 => reg 1 ]
 [ lookup reg 1 set __map%d dreg 1 ]
 [ nat snat ip addr_min reg 1 addr_max reg 9 ]
+
+# meta l4proto { 6, 17} snat ip to ip saddr . th dport map { 10.141.11.4 . 20 : 192.168.2.3 . 80}
+__set%d test-ip4 3 size 2
+__set%d test-ip4 0
+ element 00000006 : 0 [end] element 00000011 : 0 [end]
+__map%d test-ip4 b size 1
+__map%d test-ip4 0
+ element 040b8d0a 00001400 : 0302a8c0 00005000 0 [end]
+ip
+ [ meta load l4proto => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 2b @ transport header + 2 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ nat snat ip addr_min reg 1 proto_min reg 9 ]
+
-- 
cgit v1.2.3
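Review bot: The added case always carries an explicit `meta l4proto { 6, 17}` guard, so it does not exercise the path the commit message describes, where a transport match inside the map key (`th dport`) pulls in the protocol dependency on its own. In the expected bytecode the `payload load 2b @ transport header + 2` is reached only after the `__set%d` lookup on `l4proto`. A companion case without the explicit guard would pin whether a dependency is still generated ahead of that load or the rule is rejected. Whether such a case exists elsewhere in the commit cannot be told from this page, which is limited to `tests/py/ip/snat.t.payload`.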