From fcc68a4277e7befa744663eac71b17270a983bbd Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 9 Apr 2014 14:06:32 +0200
Subject: [PATCH] firewall: Fix rule generation for protocols without ports.
---
 config/firewall/rules.pl | 56 +++++++++++++++++++++-------------------
 1 file changed, 29 insertions(+), 27 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index dae2d5269..92f1c0a30 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -535,43 +535,45 @@ sub get_protocol_options {
 push(@options, ("-p", $protocol));
 }
- # Process source ports.
- my $use_src_ports = ($$hash{$key}[7] eq "ON");
- my $src_ports = $$hash{$key}[10];
+ if ($protocol ~~ @PROTOCOLS_WITH_PORTS) {
+ # Process source ports.
+ my $use_src_ports = ($$hash{$key}[7] eq "ON");
+ my $src_ports = $$hash{$key}[10];
- if ($use_src_ports && $src_ports) {
- push(@options, &format_ports($src_ports, "src"));
- }
+ if ($use_src_ports && $src_ports) {
+ push(@options, &format_ports($src_ports, "src"));
+ }
- # Process destination ports.
- my $use_dst_ports = ($$hash{$key}[11] eq "ON");
- my $use_dnat = (($$hash{$key}[28] eq "ON") && ($$hash{$key}[31] eq "dnat"));
+ # Process destination ports.
+ my $use_dst_ports = ($$hash{$key}[11] eq "ON");
+ my $use_dnat = (($$hash{$key}[28] eq "ON") && ($$hash{$key}[31] eq "dnat"));
- if ($use_dst_ports) {
- my $dst_ports_mode = $$hash{$key}[14];
- my $dst_ports = $$hash{$key}[15];
+ if ($use_dst_ports) {
+ my $dst_ports_mode = $$hash{$key}[14];
+ my $dst_ports = $$hash{$key}[15];
- if (($dst_ports_mode eq "TGT_PORT") && $dst_ports) {
- if ($nat_options_wanted && $use_dnat && $$hash{$key}[30]) {
- $dst_ports = $$hash{$key}[30];
- }
- push(@options, &format_ports($dst_ports, "dst"));
-
- } elsif ($dst_ports_mode eq "cust_srv") {
- if ($protocol eq "ICMP") {
- push(@options, ("--icmp-type", &fwlib::get_srv_port($dst_ports, 3, "ICMP")));
- } else {
- $dst_ports = &fwlib::get_srv_port($dst_ports, 1, uc($protocol));
+ if (($dst_ports_mode eq "TGT_PORT") && $dst_ports) {
+ if ($nat_options_wanted && $use_dnat && $$hash{$key}[30]) {
+ $dst_ports = $$hash{$key}[30];
+ }
 push(@options, &format_ports($dst_ports, "dst"));
- }
- } elsif ($dst_ports_mode eq "cust_srvgrp") {
- push(@options, &fwlib::get_srvgrp_port($dst_ports, uc($protocol)));
+ } elsif ($dst_ports_mode eq "cust_srv") {
+ if ($protocol eq "ICMP") {
+ push(@options, ("--icmp-type", &fwlib::get_srv_port($dst_ports, 3, "ICMP")));
+ } else {
+ $dst_ports = &fwlib::get_srv_port($dst_ports, 1, uc($protocol));
+ push(@options, &format_ports($dst_ports, "dst"));
+ }
+
+ } elsif ($dst_ports_mode eq "cust_srvgrp") {
+ push(@options, &fwlib::get_srvgrp_port($dst_ports, uc($protocol)));
+ }
 }
 }
 # Check if a single ICMP type is selected.
- if (!$use_src_ports && !$use_dst_ports && $protocol eq "icmp") {
+ if ($protocol eq "icmp") {
 my $icmp_type = $$hash{$key}[9];
 if (($icmp_type ne "All ICMP-Types") && $icmp_type) {
-- 
2.39.2
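Review bot: The `cust_srv` branch that emits `--icmp-type` for `$protocol eq "ICMP"` now sits inside `if ($protocol ~~ @PROTOCOLS_WITH_PORTS)`, so unless that list (defined outside this hunk) contains ICMP the branch is unreachable and a custom ICMP service rule would be generated without its type restriction, i.e. broader than the administrator configured. The later check compares against lower-case `"icmp"` and reads field 9, so it does not obviously cover that case. The hunk mixes `"ICMP"`, `"icmp"` and `uc($protocol)` while the new guard is a case-sensitive match, so a casing mismatch would silently drop the port options and widen the rule as well. I would handle the ICMP custom service outside the port guard and make the membership test explicit and case-normalised, for example `if (grep { $_ eq uc($protocol) } @PROTOCOLS_WITH_PORTS) {` (assuming the list holds upper-case names), which also avoids the experimental smartmatch operator. get_protocol_options starts before and continues after this hunk.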