Restore this error with NAT maps:

# nft add rule 'ip ipfoo c dnat to ip daddr map @y'
Error: transport protocol mapping is only valid after transport protocol match
add rule ip ipfoo c dnat to ip daddr map @y
~~~~ ^^^^^^^^^^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/evaluate.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index 1737ca0854cd..161372397bcc 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3159,10 +3159,17 @@ static int stmt_evaluate_addr(struct eval_ctx *ctx, struct stmt *stmt,
 
 static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
 {
+ struct proto_ctx *pctx = &ctx->pctx;
 struct expr *one, *two, *data, *tmp;
 const struct datatype *dtype;
 int addr_type, err;
 
+ if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL &&
+ !nat_evaluate_addr_has_th_expr(stmt->nat.addr))
+ return stmt_binary_error(ctx, stmt->nat.addr, stmt, "transport protocol mapping is only " "valid after transport protocol match");
+
 switch (stmt->nat.family) {
 case NFPROTO_IPV4:
 addr_type = TYPE_IPADDR;
-- 
2.30.2
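Review bot: The new guard at the top of stmt_evaluate_nat_map rejects every NAT map statement that lacks a transport-protocol match, before the map's data type (the `dtype` local declared just below it) has been resolved, so it cannot distinguish a map whose data carries a port from an address-only map; if address-only maps such as `dnat to ip daddr map @y` with ipv4_addr data are meant to remain valid without a `tcp`/`udp` match, the check fires too early and should move after the datatype is evaluated, or be made to depend on the data containing a transport-layer component. This is inferred from the guard's position; the rest of the function, including the dtype handling, is outside the hunk. The condition also relies on `nat_evaluate_addr_has_th_expr()`, which is not shown here, so whether it inspects the map key, the map data, or both is not visible and deserves a one-line comment at the call. I would add above the `if`: `/* The kernel needs the transport header to rewrite the port carried in the map data; reject the statement unless a transport match (or a th expression in the address) fixes that header. */`.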