Rick van Rein <rick@xxxxxxxxxxxxxxx> wrote:

[ dropped patrick from cc ]

> A sketch of code is below; I am unsure about the [THDR_?PORT] but I
> think the "sport" and "dport" should be interpreted in reverse for ICMP,
> as it travels upstream. That would match "l4proto sport" match ICMP
> along with the TCP, UDP, SCTP and DCCP to which it relates. It also
> seems fair that ICMP with a "dport" targets the port at the ICMP target,
> so the originator of the initial message.
>
> If you want me to continue on this, I need to find a way into
> git.kernel.org and how to offer code. Just point me to howto's. I also
> could write a Wiki about Stateful Filter WHENTO-and-HOWTO.

I think instead of this specific use case it would be preferable to
tackle this in a more general way, via more generic "ip - in foo" matching.

See https://people.netfilter.org/2019/wiki/index.php/General_Agenda#match_packets_inside_tunnels
for a summary of inner header matching.

I suspect that for this case we would want something like

filter forward inner ip in icmp tcp dport 42

It would require lots of kernel changes, for example a new displacement
register and changes to the existing payload expression to use it, so it
would access the embedded tcp header.
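As an added illustration of the "displacement" idea discussed above (this is example code written for this page, not part of the thread and not netfilter or nftables code): a userland parser that, given an IPv4 packet carrying an ICMP error, computes where the embedded transport header starts (outer IHL + 8-byte ICMP header + inner IHL) and reads the original sport/dport from it. That offset is exactly what a rule like "inner ip in icmp tcp dport 42" would need the payload expression to apply. Note that the embedded header is the original datagram's header (RFC 792), so its dport is the port the originator was sending to, which is why the ports appear "reversed" relative to the ICMP packet's own direction. The function and helper names, the constructed sample packet (checksums zeroed), and the IPv4-only scope are all assumptions of this example; ICMPv6 is not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed view of the transport header embedded in an ICMPv4 error. */
struct inner_l4 {
    uint8_t  proto;   /* protocol of the embedded datagram (6 = TCP, 17 = UDP, ...) */
    uint16_t sport;   /* ports as seen by the ORIGINAL sender of the embedded datagram */
    uint16_t dport;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* ICMPv4 types that carry the offending datagram (RFC 792): dest unreachable,
 * source quench, redirect, time exceeded, parameter problem. Echo and other
 * informational types carry no inner packet. */
static int icmp_type_has_inner(uint8_t type)
{
    return type == 3 || type == 4 || type == 5 || type == 11 || type == 12;
}

/* Locate the transport header embedded in an ICMPv4 error packet (hypothetical
 * helper name). pkt points at the outer IPv4 header. On success returns 0,
 * fills *out and stores in *disp the byte offset (the "displacement") of the
 * embedded transport header from the start of pkt. Returns -1 if the packet is
 * not an ICMP error, is truncated, or the inner protocol does not start with
 * sport/dport (only TCP, UDP, SCTP and DCCP do). */
int icmp_inner_ports(const uint8_t *pkt, size_t len, struct inner_l4 *out, size_t *disp)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* outer IPv4 header length */
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 1)   /* need ICMP (proto 1) header */
        return -1;
    const uint8_t *icmp = pkt + ihl;
    if (!icmp_type_has_inner(icmp[0]))
        return -1;
    size_t inner_off = ihl + 8;                     /* embedded IPv4 header */
    if (len < inner_off + 20 || (pkt[inner_off] >> 4) != 4)
        return -1;
    const uint8_t *in = pkt + inner_off;
    size_t in_ihl = (size_t)(in[0] & 0x0f) * 4;
    size_t l4_off = inner_off + in_ihl;             /* the displacement */
    /* RFC 792 guarantees at least 8 bytes of the original L4 header; ports are the first 4. */
    if (in_ihl < 20 || len < l4_off + 4)
        return -1;
    uint8_t proto = in[9];
    if (proto != 6 && proto != 17 && proto != 132 && proto != 33)
        return -1;
    out->proto = proto;
    out->sport = be16(pkt + l4_off);
    out->dport = be16(pkt + l4_off + 2);
    *disp = l4_off;
    return 0;
}

/* Constructed sample (not a capture): 10.0.0.2 answers a TCP packet from
 * 10.0.0.1 (sport 54321 -> dport 42) with ICMP port unreachable (type 3/code 3).
 * Outer IPv4 (20) + ICMP (8) + inner IPv4 (20) + first 8 bytes of TCP = 56. */
static const uint8_t sample_icmp_err[] = {
    0x45, 0x00, 0x00, 0x38, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x02, 0x0a, 0x00, 0x00, 0x01,
    0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0xd4, 0x31, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x01,
};

/* Convenience wrappers over the sample; -1 means the parser rejected it. */
int sample_inner_proto(void) { struct inner_l4 o; size_t d; return icmp_inner_ports(sample_icmp_err, sizeof sample_icmp_err, &o, &d) ? -1 : o.proto; }
int sample_inner_sport(void) { struct inner_l4 o; size_t d; return icmp_inner_ports(sample_icmp_err, sizeof sample_icmp_err, &o, &d) ? -1 : o.sport; }
int sample_inner_dport(void) { struct inner_l4 o; size_t d; return icmp_inner_ports(sample_icmp_err, sizeof sample_icmp_err, &o, &d) ? -1 : o.dport; }
long sample_inner_disp(void)  { struct inner_l4 o; size_t d; return icmp_inner_ports(sample_icmp_err, sizeof sample_icmp_err, &o, &d) ? -1 : (long)d; }
/* Same bytes cut to 40: the inner IPv4 header is incomplete, so no ports may be read. */
int sample_truncated_rejected(void) { struct inner_l4 o; size_t d; return icmp_inner_ports(sample_icmp_err, 40, &o, &d) == -1; }

int main(void)
{
    struct inner_l4 o;
    size_t d;
    if (icmp_inner_ports(sample_icmp_err, sizeof sample_icmp_err, &o, &d) == 0)
        printf("embedded proto %u sport %u dport %u at displacement %zu\n",
               o.proto, o.sport, o.dport, d);
    else
        printf("not an ICMP error with embedded ports\n");
    return 0;
}
```

A kernel implementation would not compute this in one function: the displacement would be stored in a register by one expression and consumed as a base offset by the existing payload expression, but the bounds checks shown here (outer IHL, ICMP type, inner IHL, at least 4 bytes of L4 header present) are the ones any such implementation has to make before touching the embedded header.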