From d572d07324ac143c835ad8eef1b0c2b8eab52fca Mon Sep 17 00:00:00 2001
From: jow <jow@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Date: Tue, 26 Jul 2011 22:21:39 +0000
Subject: [package] firewall: prevent redundant rules if multiple ports and
 multiple icmp types are given in a rule block for both icmp and other
 protocols

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27792 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 package/firewall/Makefile               |  2 +-
 package/firewall/files/lib/core_rule.sh | 23 ++++++++++++++++-------
 2 files changed, 17 insertions(+), 8 deletions(-)


diff --git a/package/firewall/Makefile b/package/firewall/Makefile
index 394a2075d..cdb8dc622 100644
--- a/package/firewall/Makefile
+++ b/package/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
 
 PKG_VERSION:=2
-PKG_RELEASE:=32
+PKG_RELEASE:=33
 
 include $(INCLUDE_DIR)/package.mk
 
diff --git a/package/firewall/files/lib/core_rule.sh b/package/firewall/files/lib/core_rule.sh
index 0a25fcd95..de8cd8ea3 100644
--- a/package/firewall/files/lib/core_rule.sh
+++ b/package/firewall/files/lib/core_rule.sh
@@ -67,21 +67,30 @@ fw_load_rule() {
 
 	[ "$rule_proto" == "tcpudp" ] && rule_proto="tcp udp"
 	local pr; for pr in $rule_proto; do
+		local sports dports itypes
+		case "$pr" in
+			icmp|icmpv6|1|58)
+				sports=""; dports=""
+				itypes="$rule_icmp_type"
+			;;
+			*)
+				sports="$rule_src_port"
+				dports="$rule_dest_port"
+				itypes=""
+			;;
+		esac
+	
 		fw_get_negation pr '-p' "$pr"
-		local sp; for sp in ${rule_src_port:-""}; do
+		local sp; for sp in ${sports:-""}; do
 			fw_get_port_range sp $sp
 			fw_get_negation sp '--sport' "$sp"
-			local dp; for dp in ${rule_dest_port:-""}; do
+			local dp; for dp in ${dports:-""}; do
 				fw_get_port_range dp $dp
 				fw_get_negation dp '--dport' "$dp"
 				local sm; for sm in ${rule_src_mac:-""}; do
 					fw_get_negation sm '--mac-source' "$sm"
-					local it; for it in ${rule_icmp_type:-""}; do
+					local it; for it in ${itypes:-""}; do
 						fw_get_negation it '--icmp-type' "$it"
-						case "$pr" in
-							*" icmp"|*" icmpv6"|*" 1"|*" 58") sp=""; dp="" ;;
-							*) it="" ;;
-						esac
 						fw add $mode $table $chain $target + \
 							{ $rule_src_ip $rule_dest_ip } { \
 							$src_spec $dest_spec \
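Review bot: The new `case "$pr"` at the top of the loop dispatches on the raw protocol token, whereas the removed case ran after `fw_get_negation pr '-p' "$pr"` had rewritten `pr` (its patterns begin with `*" "`, i.e. they matched the trailing word of `-p icmp` / `! -p icmp`). If a negated protocol is written with a leading `!` in the config — which the `fw_get_negation` call suggests but this hunk does not show — a value such as `!icmp` would no longer hit the icmp arm and would be handed ports and an empty ICMP type list, so the emitted rule would differ from the old behaviour. Matching on `case "${pr#!}" in` keeps the dispatch independent of negation. The added blank line after `esac` also carries a stray tab, which is trailing whitespace. fw_load_rule starts before this hunk and continues past it.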
-- 