On Sat, 30 Mar 2024, at 7:41 PM, William N. wrote:
> Hello,
>
> I have been reading RFC 4890 and 4443, as well as nftables wiki and man
> page.
>
> It is obvious how to match ICMPv6 types using 'icmpv6 type'. However,
> as RFC 4890 recommends, there are situations where only a specific
> SUBtype must be accepted, e.g. section 4.3.1:

As far as the ICMPv6 header is concerned, there are only types and codes.

>
> o Time Exceeded (Type 3) - Code 0 only
> o Parameter Problem (Type 4) - Codes 1 and 2 only
>

Those are types and codes.

> I have been searching for days and I can't find any info about matching
> ICMPv6 subtypes. ip6tables can do that (as shown in the example in the
> RFC) but no info about nftables. ip6tables-translate cannot translate
> subtype rules (it converts them to a comment).
>
> So, what is the nftables syntax to accept only a specific subtype of an
> ICMPv6 type?

These are the relevant sections of the manual:

LESS=+/'ICMPV6 HEADER EXPRESSION' man nft
LESS=+'/ICMPV6 TYPE TYPE' man nft
LESS=+'/ICMPV6 CODE TYPE' man nft

However, there are some errors in the manual. One is that the ICMPV6 HEADER
EXPRESSION section does not make it clear that the type/keyword for the ICMPv6
Code is "icmpv6_code", instead generically describing it as "integer (8 bit)".
Another is that it erroneously documents the keyword for the ICMPv6 Type as
being "icmpx_code" in the ICMPV6 CODE TYPE section.

Anyway, the syntax is:

icmpv6 type <icmpv6_type> # where <icmpv6_type> is any valid ICMPV6 TYPE value
icmpv6 code <icmpv6_code> # where <icmpv6_code> is any valid ICMPV6 CODE value

Both of these header expressions may be combined within a single rule. All of
the possible values are documented by the aforementioned sections of the
manual. Alternatively, you may ask for nft(8) to print out the supported values
for you.

# nft describe icmpv6_type
# nft describe icmpv6_code

--
Kerin Millar
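As an added example (not part of either post above), the following ruleset applies the two RFC 4890 section 4.3.1 lines that William quoted, using the combined 'icmpv6 type' / 'icmpv6 code' syntax Kerin describes; the table name, chain name, default policy and the rules other than the two type/code matches are assumptions for a typical host firewall.

```nft
# Added example, not from the mailing-list thread. Load with: nft -f <file>
# Assumed: an 'inet' table named 'filter' with a drop-by-default input chain.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Assumption: allow replies to traffic this host initiated.
        ct state established,related accept

        # RFC 4890 4.3.1: Time Exceeded (Type 3) - Code 0 only.
        # Both header expressions in one rule; a Type 3 packet with any
        # other code does not match and falls through to the policy.
        icmpv6 type time-exceeded icmpv6 code 0 accept

        # RFC 4890 4.3.1: Parameter Problem (Type 4) - Codes 1 and 2 only.
        # An anonymous set matches either code in a single rule.
        icmpv6 type parameter-problem icmpv6 code { 1, 2 } accept

        # Assumption: count what the two rules above rejected, so that
        # unexpected codes for these types are visible in 'nft list ruleset'.
        icmpv6 type { time-exceeded, parameter-problem } counter drop
    }
}
```

Checking a candidate file without loading it (nft -c -f <file>) catches typos in type or code names before they reach the kernel, and 'nft describe icmpv6_code' lists the symbolic code names accepted in place of the numeric values used here.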