On Mon, Nov 15, 2021 at 08:47:10PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Nov 15, 2021 at 11:40:43AM -0600, Matt Zagrabelny wrote:
[...]
> > Is there no vmap for icmp?
>
> instead of:
>
> meta protocol {icmp, icmpv6} vmap {
>     icmp: jump icmp_ipv4,
>     icmpv6: jump icmp_ipv6,
> }
>
> this should be:
>
> meta protocol vmap {
>     icmp: jump icmp_ipv4,
>     icmpv6: jump icmp_ipv6,
> }

Wrong selector actually:

# nft describe meta protocol
meta expression, datatype ether_type (Ethernet protocol) (basetype integer), 16 bits

pre-defined symbolic constants (in hexadecimal):
        ip                              0x0800
        arp                             0x0806
        ip6                             0x86dd
        8021q                           0x8100
        8021ad                          0x88a8
        vlan                            0x8100

you should use meta l4proto instead

# nft describe meta l4proto
meta expression, datatype inet_proto (Internet protocol) (basetype integer), 8 bits
        ip                              0
        icmp                            1
        igmp                            2
        ggp                             3
        ipencap                         4
        st                              5
        tcp                             6
        ...

Therefore:

meta l4proto vmap {
    icmp: jump icmp_ipv4,
    icmpv6: jump icmp_ipv6,
}

Careful with this idiom, because it might not do what you want. If you do not previously classify traffic at layer 3, then depending on your ruleset, this might allow for packet crafting such as IPv4/ICMPv6 and IPv6/ICMPv4.
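The ruleset below is an added example, not part of the mailing-list message above and not taken from the nftables project. It puts the corrected selector (meta l4proto rather than meta protocol) into a complete inet table and adds the layer-3 classification the message warns about, so that an IPv4 packet carrying an ICMPv6 header, or an IPv6 packet carrying an ICMPv4 header, is dropped before the verdict map is consulted. The chain names icmp_ipv4 and icmp_ipv6 come from the thread; the accepted ICMP types, the rate limit and the drop policy are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): meta l4proto vmap with L3 classification.
flush ruleset

table inet filter {
    # Assumed ICMPv4 policy: rate-limited echo plus the error types a host needs.
    chain icmp_ipv4 {
        icmp type echo-request limit rate 10/second accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        drop
    }

    # Assumed ICMPv6 policy: echo, error types and neighbour discovery.
    chain icmp_ipv6 {
        icmpv6 type echo-request limit rate 10/second accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        drop
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iif lo accept

        # Does not match anything: meta protocol is the Ethernet type (ip, ip6, ...),
        # so "icmp" and "icmpv6" are not valid keys for it.
        # meta protocol vmap { icmp : jump icmp_ipv4, icmpv6 : jump icmp_ipv6 }

        # Classify at layer 3 first. A crafted IPv4 packet whose protocol field
        # says ICMPv6 (58), or an IPv6 packet whose next header says ICMPv4 (1),
        # would otherwise reach the "wrong" chain through the l4proto vmap.
        meta nfproto ipv4 meta l4proto icmpv6 drop
        meta nfproto ipv6 meta l4proto icmp drop

        # Now the layer-4 dispatch is safe: each key can only be reached by
        # the address family it belongs to.
        meta l4proto vmap { icmp : jump icmp_ipv4, icmpv6 : jump icmp_ipv6 }
    }
}
```

Load it with `nft -f` (or check syntax only with `nft -c -f`), then confirm the dispatch rules with `nft list chain inet filter input`. The two explicit drop rules are the part that addresses the caveat in the message: without them, the vmap keys on the transport protocol number alone and trusts that it matches the outer IP version.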