From e31493c32d0e95ef14c627d0bf181efbb81ef062 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Fri, 21 Jan 2022 18:15:50 +0100
Subject: firewall: T2199: Verify correct ICMP protocol for ipv4/ipv6

---
 src/conf_mode/firewall.py | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'src/conf_mode')

diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 82223d60b..358b938e3 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -184,6 +184,12 @@ def verify_rule(firewall, rule_conf, ipv6):
     if duplicates:
         raise ConfigError(f'Cannot match a tcp flag as set and not set')
 
+    if 'protocol' in rule_conf:
+        if rule_conf['protocol'] == 'icmp' and ipv6:
+            raise ConfigError(f'Cannot match IPv4 ICMP protocol on IPv6, use ipv6-icmp')
+        if rule_conf['protocol'] == 'ipv6-icmp' and not ipv6:
+            raise ConfigError(f'Cannot match IPv6 ICMP protocol on IPv4, use icmp')
+
     for side in ['destination', 'source']:
         if side in rule_conf:
             side_conf = rule_conf[side]
-- 
cgit v1.2.3
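Review bot: The new check compares `rule_conf['protocol']` only against the exact literals `'icmp'` and `'ipv6-icmp'`, so any other spelling of the same protocol that the schema may accept (a numeric protocol value, the `icmpv6` alias from /etc/protocols, or a negated form with a leading `!`, if this config node allows those — none are visible in the hunk) would slip past and still produce a rule that can never match on that address family, which is exactly the silent-misconfiguration risk the commit is addressing. Normalizing once before the comparisons, e.g. `proto = rule_conf['protocol'].lstrip('!')` followed by `if proto in ('icmp', '1') and ipv6:` and `if proto in ('ipv6-icmp', 'icmpv6', '58') and not ipv6:`, would close that gap; please confirm against the interface definition which forms the node actually admits. As a style point, the two added `raise ConfigError(f'...')` messages have no placeholders, so the `f` prefix is unnecessary (the surrounding line has the same quirk, so this is consistent with the file but worth cleaning up in the new lines). The body of `verify_rule` begins before and continues after this hunk.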