From 3b3608ad651f73b6e8b473c568ce5ea420d8d358 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 4 Feb 2014 07:16:41 -0800
Subject: [PATCH] Correct ICMP handling in basic filters.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index d5d7240a0..66f948ce3 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -2358,14 +2358,16 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 $rule .= "\\\n \\(" if @typelist > 1;
+ my $types = 0;
+
 for my $type ( @typelist ) {
 my ( $icmptype , $icmpcode ) = split '/', validate_icmp( $type );
+ $rule .= ' or' if $types++;
 $rule .= "\\\n cmp\\( u16 at 0 layer 2 mask 0xffff eq " . in_hex4( ( $icmptype << 8 ) | ( $icmpcode || 0 ) ) . ' \\)';
- $rule .= ' or' if @typelist > 1;
 }
- $rule .= "\\\n)" if @typelist > 1;
+ $rule .= "\\\n \\)" if @typelist > 1;
 } elsif ( $protonumber == IPv6_ICMP ) {
 fatal_error "IPv6 ICMP not allowed with IPv4" unless $family == F_IPV4;
@@ -2375,15 +2377,17 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 $rule .= "\\\n \\(" if @typelist > 1;
+ my $types = 0;
+
 for my $type ( @typelist ) {
 my ( $icmptype , $icmpcode ) = split '/', validate_icmp6( $type );
+ $rule .= ' or' if $types++;
 $rule .= "\\\n cmp\\( u16 at 0 layer 2 mask 0xffff eq " . in_hex4( ( $icmptype << 8 ) | ( $icmpcode || 0 ) ) . ' \\)';
- $rule .= ' or' if @typelist > 1;
 }
- $rule .= "\\\n)" if @typelist > 1;
+ $rule .= "\\\n \\)" if @typelist > 1;
 } else {
 my @portlist;
 my $multiple;
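Review bot: In the ICMP loop of the first hunk, and identically in the ICMPv6 loop of the second, a type given without a code is still compared under `mask 0xffff`, so the `$icmpcode || 0` fallback makes the filter match only code 0 of that type instead of every code. This assumes validate_icmp() and validate_icmp6() can return a bare type, which the fallback suggests but neither hunk shows. If they can, packets of that type with a non-zero code silently miss the intended class; the mask should follow the input, e.g. `my $mask = defined $icmpcode ? '0xffff' : '0xff00';` with `mask $mask` interpolated into the cmp string. The enclosing process_tc_filter2 starts and ends outside both hunks.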
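Review bot: The IPv6_ICMP branch edited by the second hunk is guarded by `fatal_error "IPv6 ICMP not allowed with IPv4" unless $family == F_IPV4;` (visible as trailing context of the first hunk), and that condition contradicts its own message: it raises the error for every family except IPv4. As written, an IPv6 configuration would appear unable to reach the corrected ICMPv6 loop at all, while an IPv4 configuration passes the guard. If the message states the intent, the test should read `unless $family == F_IPV6;`. F_IPV6 is assumed to be defined alongside F_IPV4, which is not shown here, and the rest of the branch lies outside the hunks.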