On Mon, Sep 22, 2014 at 06:23:18PM +0200, Álvaro Neira Ayuso wrote:
> On 22/09/14 10:20, Patrick McHardy wrote:
> > I actually think we should add full support for this by adding an
> > inet-specific ICMP type table which is the intersection of the ICMP
> > and ICMPv6 types for inet and map those to the corresponding real
> > types:
> >
> > nft inet filter input reject with host-unreachable
> >
>
> I have seen the ICMP and ICMPv6 types and I have done this map:
>
> CODE             | ICMPv6           | ICMPv4
> admin-prohibited | admin-prohibited | admin-prohibited
> port-unreach     | port-unreach     | port-unreach
> no-route         | no-route         | net-unreach
> host-unreach     | addr-unreach     | host-unreach
>
> What do you think?

Looks reasonable. We need to do the mapping to the real codes at runtime in
nft_reject_inet. I'd suggest using the same numeric values as in IPv4 and only
mapping those for IPv6, so we can avoid the translation in at least one case.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
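The mapping discussed in the thread, written out as an added illustration (not the kernel's nft_reject_inet code, and not code from either poster). It follows the suggestion in the reply: the family-independent inet codes reuse the IPv4 numeric values, so the IPv4 path is an identity lookup that only has to validate the code, and only the IPv6 path goes through a real table using Álvaro's four rows. The enum and function names (`inet_reject_code`, `inet_reject_code_to_icmpv6`, `inet_reject_code_for_family`) are hypothetical; the ICMP and ICMPv6 numeric codes are the values from the Linux uapi headers.

```c
/*
 * Added illustration of the inet reject-code mapping from the thread.
 * Not the kernel's nft_reject_inet implementation; names are hypothetical.
 */
#include <stdio.h>
#include <sys/socket.h>   /* AF_INET / AF_INET6 */

/* ICMP destination-unreachable codes (values as in uapi/linux/icmp.h). */
#define ICMP_NET_UNREACH    0
#define ICMP_HOST_UNREACH   1
#define ICMP_PORT_UNREACH   3
#define ICMP_PKT_FILTERED   13   /* what nft calls "admin-prohibited" */

/* ICMPv6 destination-unreachable codes (values as in uapi/linux/icmpv6.h). */
#define ICMPV6_NOROUTE          0
#define ICMPV6_ADM_PROHIBITED   1
#define ICMPV6_ADDR_UNREACH     3
#define ICMPV6_PORT_UNREACH     4

/*
 * Family-independent codes for "nft inet ... reject with <code>".
 * As suggested in the reply, they reuse the IPv4 numbers, so the IPv4
 * side needs no translation; only IPv6 is mapped.
 */
enum inet_reject_code {
	INET_REJECT_NO_ROUTE         = ICMP_NET_UNREACH,
	INET_REJECT_HOST_UNREACH     = ICMP_HOST_UNREACH,
	INET_REJECT_PORT_UNREACH     = ICMP_PORT_UNREACH,
	INET_REJECT_ADMIN_PROHIBITED = ICMP_PKT_FILTERED,
};

/* Returns 1 if code is one of the four inet codes, 0 otherwise. */
static int inet_reject_code_valid(int code)
{
	switch (code) {
	case INET_REJECT_NO_ROUTE:
	case INET_REJECT_HOST_UNREACH:
	case INET_REJECT_PORT_UNREACH:
	case INET_REJECT_ADMIN_PROHIBITED:
		return 1;
	default:
		return 0;
	}
}

/*
 * IPv4: identity, but still refuse anything outside the inet set so a
 * bogus value from userspace cannot select an arbitrary ICMP code.
 * Returns the ICMP code, or -1 for an unknown inet code.
 */
int inet_reject_code_to_icmp(int code)
{
	return inet_reject_code_valid(code) ? code : -1;
}

/* IPv6: the one direction that needs a table (the four rows from the thread). */
int inet_reject_code_to_icmpv6(int code)
{
	switch (code) {
	case INET_REJECT_NO_ROUTE:         return ICMPV6_NOROUTE;
	case INET_REJECT_HOST_UNREACH:     return ICMPV6_ADDR_UNREACH;
	case INET_REJECT_PORT_UNREACH:     return ICMPV6_PORT_UNREACH;
	case INET_REJECT_ADMIN_PROHIBITED: return ICMPV6_ADM_PROHIBITED;
	default:                           return -1;
	}
}

/* What a runtime hook would do: choose the wire code by the packet's family. */
int inet_reject_code_for_family(int family, int code)
{
	switch (family) {
	case AF_INET:  return inet_reject_code_to_icmp(code);
	case AF_INET6: return inet_reject_code_to_icmpv6(code);
	default:       return -1;
	}
}

int main(void)
{
	/* Constructed list of the four inet codes, for printing the table. */
	static const struct { const char *name; int code; } codes[] = {
		{ "no-route",         INET_REJECT_NO_ROUTE },
		{ "host-unreach",     INET_REJECT_HOST_UNREACH },
		{ "port-unreach",     INET_REJECT_PORT_UNREACH },
		{ "admin-prohibited", INET_REJECT_ADMIN_PROHIBITED },
	};
	size_t i;

	printf("%-18s %5s %7s %7s\n", "inet code", "value", "icmpv4", "icmpv6");
	for (i = 0; i < sizeof(codes) / sizeof(codes[0]); i++)
		printf("%-18s %5d %7d %7d\n", codes[i].name, codes[i].code,
		       inet_reject_code_for_family(AF_INET, codes[i].code),
		       inet_reject_code_for_family(AF_INET6, codes[i].code));
	return 0;
}
```

The validity check on the IPv4 path is the part worth keeping even when the mapping is an identity: the inet code comes from a netlink attribute, and without the check a value such as 2 (ICMP_PROT_UNREACH) would pass straight through to the wire for IPv4 while being rejected for IPv6, which is exactly the family-dependent behaviour the shared inet table is meant to remove.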