ruleset: ensure that family-agnostic ICMP rules cover ICMPv6 as well
authorJo-Philipp Wich <jo@mein.io>
Tue, 26 Apr 2022 12:27:41 +0000 (14:27 +0200)
committerJo-Philipp Wich <jo@mein.io>
Tue, 26 Apr 2022 12:41:59 +0000 (14:41 +0200)
Fixes: #9765
Ref: https://github.com/openwrt/openwrt/issues/9765
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
root/usr/share/firewall4/templates/rule.uc
root/usr/share/ucode/fw4.uc
tests/03_rules/04_icmp

index 417bef7d2d995fd9ac124f2d29525448bbfcd015..d90595d647b60d96c2801214ce52184751c60145 100644 (file)
@@ -1,9 +1,7 @@
 {%+ if (rule.family && !rule.has_addrs): -%}
        meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
 {%+ if (!rule.proto.any && !rule.has_ports && !rule.icmp_types && !rule.icmp_codes): -%}
-       meta l4proto {{
-               (rule.proto.name == 'icmp' && rule.family == 6) ? 'ipv6-icmp' : rule.proto.name
-       }} {%+ endif -%}
+       meta l4proto {{ fw4.l4proto(rule.family, rule.proto) }} {%+ endif -%}
 {%+ if (rule.iifnames): -%}
        iifname {{ fw4.set(rule.iifnames) }} {%+ endif -%}
 {%+ if (rule.oifnames): -%}
index b725459c77d22d0a4f8ba924661a07c2239ca124..28865cd926fbad36fbec14e161dbd51ae87b01a8 100644 (file)
@@ -1616,6 +1616,22 @@ return {
                }
        },
 
+       l4proto: function(family, proto) {
+               switch (proto.name) {
+               case 'icmp':
+                       switch (family ?? 0) {
+                       case 0:
+                               return this.set(['icmp', 'ipv6-icmp']);
+
+                       case 6:
+                               return 'ipv6-icmp';
+                       }
+
+               default:
+                       return proto.name;
+               }
+       },
+
        datetime: function(stamp) {
                return sprintf('"%04d-%02d-%02d %02d:%02d:%02d"',
                               stamp.year, stamp.month, stamp.day,
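Review bot: The IPv4 case of the new `l4proto` helper is handled only by implicit fall-through: `switch (family ?? 0)` has no `case 4`, so for an ICMP rule with family 4 control leaves the inner switch and appears to run straight into the outer `default:`, returning plain `'icmp'`. That is the intended result, but it reads like a missing case, and any later `break` or reordering would silently change what an IPv4-only ICMP rule matches. Making the path explicit keeps the behaviour and documents it: add `case 4: return 'icmp';` to the inner switch and a comment such as `/* any other family value: fall back to the bare protocol name */` before the outer `default:`. The `?? 0` treating an unset family as "both families" is also worth a one-line comment, since it is what makes the template emit the `{ "icmp", "ipv6-icmp" }` set.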
index d3c97dbf15eb1fdbe01b0dfc2728a2590d908f8f..a4e1346417b4a1a2e97231277cb0cc55dd2d055f 100644 (file)
@@ -21,7 +21,7 @@ Testing handling of ICMP related options.
 {
        "rule": [
                {
-                       ".description": "Proto 'icmp' maps to IPv4 and IPv6 rules",
+                       ".description": "Proto 'icmp' maps to a single IPv4 and IPv6 rule",
                        "proto": "icmp",
                        "name": "ICMP rule #1"
                },
@@ -97,7 +97,7 @@ table inet fw4 {
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
-               meta l4proto icmp counter comment "!fw4: ICMP rule #1"
+               meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1"
                meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2"
                meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3"
                meta nfproto ipv4 icmp type . icmp code { 12 . 0 } counter comment "!fw4: ICMP rule #4"
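Review bot: The expected output here pins the family-unset path (`{ "icmp", "ipv6-icmp" }`) and, via rules #2 and #3, the IPv6 path of the new `fw4.l4proto` helper, but no visible rule asserts that an IPv4-only `proto: icmp` rule renders as `meta nfproto ipv4 meta l4proto icmp`, which is the branch that relies on switch fall-through in fw4.uc. Rule #4 does not cover it, because a rule with ICMP types or codes takes the `icmp type . icmp code` form instead of `meta l4proto` (the template only emits `meta l4proto` when neither is set). Unless such a case already exists elsewhere in this test file, adding one would guard that path against a regression.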