From 93c2de1c663566438a15cfeae0c03028201b8690 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Thu, 25 Jul 2013 10:36:36 +0200
Subject: [PATCH] Forward Firewall: Bugfix: ICMP rules where applied double
---
 config/forwardfw/rules.pl | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index 9f23c54e0..07f3abd1e 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -297,7 +297,9 @@ sub buildrules
 if ($$hash{$key}[17] eq 'ON'){
 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 }
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ if ($PROT ne '-p ICMP'){
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
 }
 }
 }
@@ -314,6 +316,7 @@ sub buildrules
 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
+ #Process ICMP RULE
 if(substr($DPORT, 2, 4) eq 'icmp'){
 my @icmprule= split(",",substr($DPORT, 12,));
 foreach (@icmprule){
@@ -322,6 +325,7 @@ sub buildrules
 }
 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
 }
+ #PROCESS DNAT RULE (Portforward)
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
 $natchain='NAT_DESTINATION';
 if ($$hash{$key}[17] eq 'ON'){
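Review bot: The new guard `if ($PROT ne '-p ICMP'){` recognises ICMP by an exact string match on the option text, while the ICMP-specific branch visible in the -314 hunk recognises it by `substr($DPORT, 2, 4) eq 'icmp'`, and the same string guard is added again in the -349 hunk. If those two predicates ever disagree — `$PROT` built with different casing or spacing, or an ICMP rule whose `$DPORT` does not carry `icmp` at that offset — the rule is either still emitted twice or not emitted at all, and nothing here reports which. I would derive both checks from one lexical set where `$PROT` is assembled, e.g. `my $is_icmp = ($PROT =~ m{\A-p\s+icmp\z}i);`, and test `unless ($is_icmp)` at both sites. `$PROT` and `$DPORT` are assigned outside the hunk, so this is inferred from the visible comparisons only; the `buildrules` sub begins and ends outside the hunk.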
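Review bot: The added comment `#PROCESS DNAT RULE (Portforward)` is the last line inside the ICMP block's body rather than beside the `}elsif(... 'dnat')` it describes, and the -342 hunk does the same with `#PROCESS SNAT RULE`, which lands after `next;` inside the DNAT branch. A reader scanning the ICMP block sees a DNAT label with no DNAT code under it. Perl treats a comment between the closing brace and `elsif` as whitespace, so `}` on its own line, then `# PROCESS DNAT RULE (Portforward)`, then `elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){` keeps each label on the branch it annotates.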
@@ -342,6 +346,7 @@ sub buildrules
 }
 system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
 next;
+ #PROCESS SNAT RULE
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
 $natchain='NAT_SOURCE';
 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
@@ -349,7 +354,10 @@ sub buildrules
 if ($$hash{$key}[17] eq 'ON'){
 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 }
- system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
+ if ($PROT ne '-p ICMP'){
+ system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
 }
 }
 }
-- 
2.39.2
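Review bot: The line re-added under the new guard, `system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";`, hands one interpolated string to `system`, so it is parsed by a shell and every field in it — chain name, source, destination, target — is shell-syntax; the context lines and the -342 hunk use the same form. If any of those fields originate from user-editable rule configuration (which is what `%$hash` appears to hold, though its source is outside the hunk), a metacharacter in a field becomes a command, and a rule that fails to load goes unnoticed because the return value of `system` is discarded. Since this line is being rewritten anyway, I would switch to the list form with the pre-joined option strings split into separate arguments — `system('iptables', '-A', $$hash{$key}[1], split(' ', $PROT), ...) == 0 or warn "iptables -A $$hash{$key}[1] failed: $?";` — which also drops the stray trailing `\n` inside the command string. The enclosing `buildrules` sub ends outside the hunk.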