RFC: Ideas about possible solutions for nfbz#949

Hi,

Netfilter Bugzilla #949[1] complains about broken output when trying to
match icmpv6 message fields. This is a problem in how payload match is
implemented in nft: The given match (e.g. 'icmp6 id 2') is broken down
to a simple match of header data at a specific offset. Sadly this does
not work with ICMP(v6) since header structure depends on the packet's
ICMP type and on return path there is no information about which type of
message the user wanted to match against.

My idea was to build something like the protocol dependencies we have
for e.g. TCP header fields but with ICMP, a given header field might be
present in multiple message types (e.g. icmp6_id is present in echo
request as well as reply).

I already considered inserting a match for icmp6 type against an
anonymous set (like 'icmp6 type { echo-request, echo-reply }'), but
having this as an implicit dependency and resolving with previous
matches, etc. becomes pretty complex.

Do you think I should try following a different approach (via userdata
e.g.)?

Thanks, Phil

[1] https://bugzilla.netfilter.org/show_bug.cgi?id=949
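
The ambiguity described in the message, as an added illustration that is not part of the original mail or the nft sources: a reverse lookup from (offset, length) to ICMPv6 field names, with and without knowledge of the message type. The table layout, the field labels and the `candidates()` helper are hypothetical; offsets follow the RFC 4443 and RFC 2710 header layouts.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical field table: byte offset/length from the start of the ICMPv6
 * header, plus the message types in which that field exists. */
struct icmp6_field {
    const char *name;
    unsigned off, len;
    unsigned char types[4];   /* 0-terminated; empty list = present in every type */
};

static const struct icmp6_field fields[] = {
    { "type",              0, 1, { 0 } },
    { "code",              1, 1, { 0 } },
    { "checksum",          2, 2, { 0 } },
    { "mtu",               4, 4, { 2 } },              /* packet too big */
    { "parameter-problem", 4, 4, { 4 } },              /* pointer field */
    { "id",                4, 2, { 128, 129 } },       /* echo request/reply */
    { "sequence",          6, 2, { 128, 129 } },
    { "max-delay",         4, 2, { 130, 131, 132 } },  /* MLD, RFC 2710 */
};
#define NFIELDS (sizeof(fields) / sizeof(fields[0]))

static int valid_for(const struct icmp6_field *f, int type)
{
    if (type < 0 || f->types[0] == 0)
        return 1;
    for (size_t i = 0; i < 4 && f->types[i]; i++)
        if (f->types[i] == type) return 1;
    return 0;
}

/* Count the fields matching (off, len) and join their names into buf.
 * type < 0 means "type unknown", i.e. only the raw payload match is left. */
int candidates(unsigned off, unsigned len, int type, char *buf, size_t n)
{
    int count = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < NFIELDS; i++) {
        if (fields[i].off != off || fields[i].len != len ||
            !valid_for(&fields[i], type))
            continue;
        if (count++) strncat(buf, ",", n - strlen(buf) - 1);
        strncat(buf, fields[i].name, n - strlen(buf) - 1);
    }
    return count;
}
```

With the type unknown, a 2-byte match at offset 4 maps to two different fields; once a type (or a set of types sharing the field) is known, the lookup is unique.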