From d4f35b11f2edb1cf680ed2081a14b599ef3f3b63 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Mon, 31 Aug 2020 15:38:34 -0400
Subject: [PATCH 55/62] fix(ipXtables): rich: avoid duplicate rules for icmp-type w/ mark action

This is a stable only fix. It does not occur on master.
(cherry picked from commit 9b7ba2fcedace408aae498fea1c973a988370808)
---
 src/firewall/core/ipXtables.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index b1d6c202fda7..c4535f2e5818 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -1240,8 +1240,13 @@ class ip4tables(object):
 proto = [ "-p", "ipv6-icmp" ]
 match = [ "-m", "icmp6", "--icmpv6-type", ict.name ]
+ if rich_rule and rich_rule.action and isinstance(rich_rule.action, Rich_Mark):
+ chains = ["PREROUTING"]
+ else:
+ chains = ["INPUT", "FORWARD_IN"]
+
 rules = []
- for chain in ["INPUT", "FORWARD_IN"]:
+ for chain in chains:
 target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
 if self._fw.zone.query_icmp_block_inversion(zone):
--
2.28.0
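Review bot: Switching `chains` to `["PREROUTING"]` for a `Rich_Mark` action changes `target` for everything the loop body builds, not only the mark rule, and that body continues outside the hunk. If the same iteration also emits other rules derived from `target` (for example log or audit rules, or whatever the `query_icmp_block_inversion` branch selects), they would now be built from the PREROUTING shortcut instead of INPUT/FORWARD_IN. It is worth confirming that a rich rule combining icmp-type, mark and logging still yields the expected filter rules, and that `SHORTCUTS` has a `"PREROUTING"` key. The condition can be shortened to `if rich_rule and isinstance(rich_rule.action, Rich_Mark):`, since `isinstance` is already false for `None`. A comment such as `# mark rules are emitted once, via PREROUTING; looping over INPUT/FORWARD_IN duplicated them` would record why the chain list differs.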