evaluate: bogus missing transport protocol

commit 2c227f00f0df9552b786080a8fd27c6a360e5828 upstream backport.

Users have to specify a transport protocol match such as

	meta l4proto tcp

before the redirect statement, even if the redirect statement already
implicitly refers to the transport protocol, for instance:

test.nft:3:16-53: Error: transport protocol mapping is only valid after transport protocol match
                redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
                ~~~~~~~~     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Evaluate the redirect expression before the mandatory check for the
transport protocol match, so protocol context already provides a
transport protocol.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 5b021151dc55b6ec66caddd46742400c1012e0d7..8aa403fcd8ba4929bde38efa0446a8b65f5ae277 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3392,6 +3392,13 @@ static int nat_evaluate_transport(struct eval_ctx *ctx, struct stmt *stmt,
                                  struct expr **expr)
 {
        struct proto_ctx *pctx = &ctx->pctx;
+       int err;
+
+       err = stmt_evaluate_arg(ctx, stmt,
+                               &inet_service_type, 2 * BITS_PER_BYTE,
+                               BYTEORDER_BIG_ENDIAN, expr);
+       if (err < 0)
+               return err;
 
        if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL &&
            !nat_evaluate_addr_has_th_expr(stmt->nat.addr))
@@ -3399,9 +3406,7 @@ static int nat_evaluate_transport(struct eval_ctx *ctx, struct stmt *stmt,
                                         "transport protocol mapping is only "
                                         "valid after transport protocol match");
 
-       return stmt_evaluate_arg(ctx, stmt,
-                                &inet_service_type, 2 * BITS_PER_BYTE,
-                                BYTEORDER_BIG_ENDIAN, expr);
+       return 0;
 }
 
 static const char *stmt_name(const struct stmt *stmt)