From fff9779978e0a1aec64cb5b2642272024e12905b Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Thu, 27 Jan 2022 13:44:33 +0100
Subject: [PATCH] fw4: fix family selection logic for redirect rules
Only assume IPv4 family if the family is unspecified and src, dest or rewrite addresses do not indicate otherwise.
Signed-off-by: Jo-Philipp Wich
---
 root/usr/share/ucode/fw4.uc | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index ba34c82..c39bffc 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2282,7 +2282,7 @@ return {
 name: [ "string", this.section_id(data[".name"]) ],
 _name: [ "string", null, DEPRECATED ],
- family: [ "family", "4" ],
+ family: [ "family" ],
 src: [ "zone_ref" ],
 dest: [ "zone_ref" ],
@@ -2610,15 +2610,19 @@ return {
 /* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
 if (!family && !length(sip[0]) && !length(sip[1]) && !length(dip[0]) && !length(dip[1]) && !length(rip[0]) && !length(rip[1])) {
- add_rule(0, proto, null, null, null, sport, dport, rport, null, redir);
+ /* for backwards compatibility, treat unspecified family as IPv4 unless user explicitly requested any (0) */
+ if (family == null)
+ family = 4;
+
+ add_rule(family, proto, null, null, null, sport, dport, rport, null, redir);
 }
 /* we need to emit one or two AF specific rules */
 else {
- if (family == 0 || family == 4)
+ if ((!family || family == 4) && (length(sip[0]) || length(dip[0]) || length(rip[0])))
 add_rule(4, proto, sip[0], dip[0], rip[0], sport, dport, rport, ipset, redir);
- if (family == 0 || family == 6)
+ if ((!family || family == 6) && (length(sip[1]) || length(dip[1]) || length(rip[1])))
 add_rule(6, proto, sip[1], dip[1], rip[1], sport, dport, rport, ipset, redir);
 }
 }
--
2.30.2
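Review bot: In the second hunk's else branch, a redirect whose family is explicitly 4 (or 6) but whose src/dest/rewrite addresses all belong to the other family now yields no rule at all, because the new `length(sip[0]) || length(dip[0]) || length(rip[0])` guard (and its IPv6 twin) suppresses the add_rule() call without reporting anything, whereas the removed `family == 0 || family == 4` form still emitted the rule with empty address fields. A redirect that silently disappears from the generated ruleset is a worse failure mode for a firewall than a rejected section, and this behaviour change is not mentioned in the commit message. The else branch should end with a fallback that reports the skipped section through the module's warning facility when neither add_rule() call fires, e.g. `/* neither AF matched: warn rather than drop the redirect silently */`. Whether the address validators earlier in the file already reject a cross-family mix (which would make this unreachable) cannot be seen from the hunk; the enclosing function starts and ends outside it.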