From 5c18dbc41a2f59364fb495ef164dcc3c9147e408 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Fri, 28 Aug 2020 11:44:33 -0400
Subject: [PATCH 52/62] fix(rich icmptype): verify rule and icmptype families don't conflict

Fixes: rhbz 1855140
(cherry picked from commit 11aac7755d9c8e338f72b5350329255937efd8e8)
(cherry picked from commit b49a88095b05bcf1bce36e989d7003948f1ee6f7)
---
 src/firewall/core/fw_zone.py | 6 ++++++
 src/firewall/core/io/zone.py | 17 ++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index bd026222dce5..129306b6f969 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1703,6 +1703,12 @@ class FirewallZone(object):
 type(rule.element) == Rich_IcmpType:
 ict = self._fw.config.get_icmptype(rule.element.name)
 
+ if rule.family and ict.destination and \
+ rule.family not in ict.destination:
+ raise FirewallError(errors.INVALID_ICMPTYPE,
+ "rich rule family '%s' conflicts with icmp type '%s'" % \
+ (rule.family, rule.element.name))
+
 if type(rule.element) == Rich_IcmpBlock and \
 rule.action and type(rule.action) == Rich_Accept:
 # icmp block might have reject or drop action, but not accept
diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
index 68b2a7c9567c..529b92c25b62 100644
--- a/src/firewall/core/io/zone.py
+++ b/src/firewall/core/io/zone.py
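Review bot: The family-vs-destination test added here is the same expression the io/zone.py hunk adds for config-file loading, so the two copies will drift the next time one of them is touched (for example if `destination` ever stops being a plain list of family names); a single helper both call sites use, e.g. `def _family_conflicts(family, ict): return bool(family and ict.destination and family not in ict.destination)`, would keep the runtime and the load-time check identical. Note also that the guard only fires when `rule.family` is set; a rule with no family and a single-family icmptype is deliberately left alone here, and a one-line comment such as `# no family on the rule means it is applied per family elsewhere` would save the next reader from wondering whether that case was forgotten. The enclosing method continues outside the hunk, so whether an unknown icmptype name is rejected before `ict.destination` is read cannot be seen from here.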
@@ -232,7 +232,22 @@ class Zone(IO_Object):
 raise FirewallError(errors.INVALID_ADDR, source)
 elif item == "rules_str":
 for rule in config:
- rich.Rich_Rule(rule_str=rule)
+ obj_rich = rich.Rich_Rule(rule_str=rule)
+ if self.fw_config and obj_rich.element and (isinstance(obj_rich.element, rich.Rich_IcmpBlock) or
+ isinstance(obj_rich.element, rich.Rich_IcmpType)):
+ existing_icmptypes = self.fw_config.get_icmptypes()
+ if obj_rich.element.name not in existing_icmptypes:
+ raise FirewallError(errors.INVALID_ICMPTYPE,
+ "'%s' not among existing icmp types" % \
+ obj_rich.element.name)
+
+ elif obj_rich.family:
+ ict = self.fw_config.get_icmptype(obj_rich.element.name)
+ if ict.destination and obj_rich.family not in ict.destination:
+ raise FirewallError(errors.INVALID_ICMPTYPE,
+ "rich rule family '%s' conflicts with icmp type '%s'" % \
+ (obj_rich.family, obj_rich.element.name))
+
 
 def check_name(self, name):
 super(Zone, self).check_name(name)
-- 
2.28.0
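Review bot: The whole new validation block is gated on `self.fw_config`, so a Zone parsed without a FirewallConfig reference silently skips both the existence check and the family check and the conflicting rule is only caught later by the runtime check in fw_zone.py (or not at all, if that path is never reached); if that is intended for offline parsing, a comment on the `if self.fw_config and ...` line such as `# fw_config is None when parsing without a running Firewall; the runtime check in fw_zone.py is then the only guard` would make the trust boundary explicit. The two-line `isinstance(...) or isinstance(...)` condition can be written as `isinstance(obj_rich.element, (rich.Rich_IcmpBlock, rich.Rich_IcmpType))`, which also keeps the line short enough to avoid the awkward continuation. The `existing_icmptypes` lookup followed by `get_icmptype()` walks the icmptype table twice per rule; fetching the object once and treating a miss as the "not among existing icmp types" error would remove the duplicated lookup, though whether `get_icmptype()` raises or returns None on a miss is not visible here.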