evaluate: bogus missing transport protocol

Users have to specify a transport protocol match such as

	meta l4proto tcp

before the redirect statement, even if the redirect statement already
implicitly refers to the transport protocol, for instance:

test.nft:3:16-53: Error: transport protocol mapping is only valid after transport protocol match
                redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
                ~~~~~~~~     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Evaluate the redirect expression before the mandatory check for the
transport protocol match, so protocol context already provides a
transport protocol.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index c4ddb007ef4412bb7b7a55a338e0de84f1dff4fd..fe15d7ace5ddea7af94e61618ed100dd0f3a94eb 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3569,6 +3569,13 @@ static int nat_evaluate_transport(struct eval_ctx *ctx, struct stmt *stmt,
                                  struct expr **expr)
 {
        struct proto_ctx *pctx = eval_proto_ctx(ctx);
+       int err;
+
+       err = stmt_evaluate_arg(ctx, stmt,
+                               &inet_service_type, 2 * BITS_PER_BYTE,
+                               BYTEORDER_BIG_ENDIAN, expr);
+       if (err < 0)
+               return err;
 
        if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL &&
            !nat_evaluate_addr_has_th_expr(stmt->nat.addr))
@@ -3576,9 +3583,7 @@ static int nat_evaluate_transport(struct eval_ctx *ctx, struct stmt *stmt,
                                         "transport protocol mapping is only "
                                         "valid after transport protocol match");
 
-       return stmt_evaluate_arg(ctx, stmt,
-                                &inet_service_type, 2 * BITS_PER_BYTE,
-                                BYTEORDER_BIG_ENDIAN, expr);
+       return 0;
 }
 
 static const char *stmt_name(const struct stmt *stmt)