evaluate: fix inet nat with no layer 3 info

nft currently reports:

 Error: Could not process rule: Protocol error
 add rule inet x y meta l4proto tcp dnat to :80
                                    ^^^^

default to NFPROTO_INET family, otherwise kernel bails out EPROTO when
trying to load the conntrack helper.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 0ea57b0cd8fb4d9352a357aa8da790621685ee0f..98309ea83ac05ef9e0ba0a10299c40e30f679d31 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2997,9 +2997,10 @@ static int nat_evaluate_family(struct eval_ctx *ctx, struct stmt *stmt)
                        stmt->nat.family = ctx->pctx.family;
                return 0;
        case NFPROTO_INET:
-               if (!stmt->nat.addr)
+               if (!stmt->nat.addr) {
+                       stmt->nat.family = NFPROTO_INET;
                        return 0;
-
+               }
                if (stmt->nat.family != NFPROTO_UNSPEC)
                        return 0;