git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Tue, 6 Apr 2021 16:34:19 +0000 (18:34 +0200)
committer	Florian Westphal <fw@strlen.de>
	Thu, 29 Apr 2021 15:20:57 +0000 (17:20 +0200)
commit	7f7d5b999ed3f44ee8aec6b4d48051f048f326ab
tree	57a2fd7fc4daba8471ae7ccf2cfb52b72b77acff	tree
parent	5f6f20913c862f6a844a8f7143ed074284423897	commit \| diff

evaluate: check if nat statement map specifies a transport header expr

Importing the systemd nat table fails:

table ip io.systemd.nat {
map map_port_ipport {
   type inet_proto . inet_service : ipv4_addr . inet_service
   elements = { tcp . 8088 : 192.168.162.117 . 80 }
}
chain prerouting {
   type nat hook prerouting priority dstnat + 1; policy accept;
    fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
}
}
ruleset:9:48-59: Error: transport protocol mapping is only valid after transport protocol match

To resolve this (no transport header base specified), check if the
map itself contains a network base protocol expression.

This allows nft to import the ruleset.
Import still fails with same error if 'inet_service' is removed
from the map, as it should.

Reported-by: Henning Reich <henning.reich@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>