From 893f2a4af91b6e962015a43110c6f2eafbcd10f7 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 13 Mar 2020 17:55:13 +0100
Subject: [PATCH] Firewall: prevent gateway protocol mismatch from breaking the ruleset.
---
 .../mvc/app/library/OPNsense/Firewall/FilterRule.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
index 90bcab8ee..15dabf36c 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
@@ -174,6 +174,13 @@ class FilterRule extends Rule
 $rule['disabled'] = true;
 $this->log("Gateway down");
 }
+ if (!empty($rule['gateway']) &&
+ !empty($this->gatewayMapping[$rule['gateway']]) &&
+ !empty($rule['ipprotocol']) &&
+ $this->gatewayMapping[$rule['gateway']]['proto'] != $rule['ipprotocol']) {
+ $rule['disabled'] = true;
+ $this->log("Gateway protocol mismatch");
+ }
 if (!isset($rule['quick'])) {
 // all rules are quick by default except floating
 $rule['quick'] = !isset($rule['floating']) ? true : false;
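Review bot: The new branch disables the rule with only the fixed text `Gateway protocol mismatch`, so nothing in the message says which gateway or address family was involved. For a policy-routing rule that matters, because once the rule is dropped the traffic it used to match falls through to whatever later rules apply and may leave by a different path than the operator intended. Consider naming both sides, e.g. `$this->log("Gateway protocol mismatch: {$rule['gateway']} vs {$rule['ipprotocol']}");`, and using `!==` for the `proto` comparison, since both operands look like strings. The check is also skipped when `ipprotocol` is empty; if a default family is only applied later, such a rule could presumably still pair with a gateway of the other family, which is worth confirming. The enclosing method starts and ends outside this hunk.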