Merge pull request #1184 from sarthurdev/firewall_icmp

firewall: T4130: T4186: ICMP/v6 updates, ipv6 state policy check fix

2 files changed, 7 insertions, 1 deletions

diff --git a/src/conf_mode/firewall-interface.py b/src/conf_mode/firewall-interface.py
index b0df9dff4..a7442ecbd 100755
--- a/src/conf_mode/firewall-interface.py
+++ b/src/conf_mode/firewall-interface.py
@@ -150,7 +150,7 @@ def apply(if_firewall):
                 rule_action = 'insert'
                 rule_prefix = ''
 
-                handle = state_policy_handle('ip filter', chain)
+                handle = state_policy_handle('ip6 filter', ipv6_chain)
                 if handle:
                     rule_action = 'add'
                     rule_prefix = f'position {handle}'
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 82223d60b..358b938e3 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -184,6 +184,12 @@ def verify_rule(firewall, rule_conf, ipv6):
             if duplicates:
                 raise ConfigError(f'Cannot match a tcp flag as set and not set')
 
+    if 'protocol' in rule_conf:
+        if rule_conf['protocol'] == 'icmp' and ipv6:
+            raise ConfigError(f'Cannot match IPv4 ICMP protocol on IPv6, use ipv6-icmp')
+        if rule_conf['protocol'] == 'ipv6-icmp' and not ipv6:
+            raise ConfigError(f'Cannot match IPv6 ICMP protocol on IPv4, use icmp')
+
     for side in ['destination', 'source']:
         if side in rule_conf:
             side_conf = rule_conf[side]