authorJo-Philipp Wich2022-01-27 12:44:33 +0000
committerJo-Philipp Wich2022-01-27 12:48:43 +0000
commitfff9779978e0a1aec64cb5b2642272024e12905b (patch)
tree852741b0a66e49a9c7ab6c9eff9240ea6f9dfb9f
parent94f03e0a5e127b441b2c5b6d29247d526a5c0992 (diff)
downloadfirewall4-fff9779978e0a1aec64cb5b2642272024e12905b.tar.gz
fw4: fix family selection logic for redirect rules
Only assume IPv4 family if the family is unspecified and src, dest or rewrite addresses do not indicate otherwise. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--root/usr/share/ucode/fw4.uc12
1 files changed, 8 insertions, 4 deletions
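--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2282,7 +2282,7 @@ return {
 name: [ "string", this.section_id(data[".name"]) ],
 _name: [ "string", null, DEPRECATED ],
-family: [ "family", "4" ],
+family: [ "family" ],
 src: [ "zone_ref" ],
 dest: [ "zone_ref" ],
@@ -2610,15 +2610,19 @@ return {
 /* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
 if (!family && !length(sip[0]) && !length(sip[1]) && !length(dip[0]) && !length(dip[1]) && !length(rip[0]) && !length(rip[1])) {
-add_rule(0, proto, null, null, null, sport, dport, rport, null, redir);
+/* for backwards compatibility, treat unspecified family as IPv4 unless user explicitly requested any (0) */
+if (family == null)
+family = 4;
+
+add_rule(family, proto, null, null, null, sport, dport, rport, null, redir);
 }
 /* we need to emit one or two AF specific rules */
 else {
-if (family == 0 || family == 4)
+if ((!family || family == 4) && (length(sip[0]) || length(dip[0]) || length(rip[0])))
 add_rule(4, proto, sip[0], dip[0], rip[0], sport, dport, rport, ipset, redir);
-if (family == 0 || family == 6)
+if ((!family || family == 6) && (length(sip[1]) || length(dip[1]) || length(rip[1])))
 add_rule(6, proto, sip[1], dip[1], rip[1], sport, dport, rport, ipset, redir);
 }
 }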
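Review bot: With the two new guards in the `else` branch of the second hunk, a redirect whose `family` is explicitly 4 or 6 but whose src, dest or rewrite addresses belong only to the other family now produces no rule at all, silently; the previous code emitted a rule for the requested family with (presumably empty) address lists instead. Dropping the section without any message hides a configuration error from the operator, so unless an earlier validation step already rejects this mix — not visible in this hunk — the `else` branch should note when neither `add_rule()` call fires, e.g. by tracking whether a rule was emitted and warning through the module's existing warning helper otherwise. As a point of style, the same three `length(...)` tests are written twice; naming them once before the branch (`let has_v4 = length(sip[0]) || length(dip[0]) || length(rip[0]);` and the IPv6 counterpart) would keep both conditions readable and reuse them in the AF-agnostic check above. The enclosing function begins outside the hunk.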