On Sun, 31 Mar 2024 17:02:59 -0000
"William N." <netfilter@xxxxxxxxxx> wrote:

> Thanks for clarifying.
>
> I actually found the magic word "code" after posting here but I still
> wanted to wait for a reply. Yours explained it perfectly. I suppose I
> have been confused by reading too much from different sources :)
>
> On Sun, 31 Mar 2024 07:33:42 +0100 Kerin Millar wrote:
>
> > However, there are some errors in the manual. [...]
>
> Have those been reported anywhere?

I'll open a bug.

> > icmpv6 code <icmpv6_code> # where <icmpv6_code> is any valid ICMPV6
> > CODE value
>
> Having such possibility is interesting, as the integer code has
> different meaning depending on the type, i.e. it has no meaning per se
> and it looks strange to filter based on it only. I thought they must go
> "hand in hand" but obviously not. I wonder what purpose such filtering
> may serve.
>
> In that sense, the output of:
>
> > # nft describe icmpv6_code
>
> is somewhat confusing (e.g. compare type 1 and type 3 or 4 in RFC 4443).

Yes, indeed. It seems that the symbolic names were selected under the
presumption that they would be most convenient for the common case -
probably with the reject keyword in mind. Come to think of it, that's
probably why the manual does not reference the icmpv6_code type in the
ICMPV6 HEADER EXPRESSION section. Fortunately, there is always the option
to specify an arbitrary integer value.

-- 
Kerin Millar
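
Added example, not part of the original message or of nftables: a small Python model of the point discussed in the thread, that an ICMPv6 code only has a meaning together with its type, so a match on the code alone selects unrelated messages. The function names and the constructed sample headers are assumptions for illustration; the (type, code) meanings are those listed in RFC 4443.

```python
import struct

# (type, code) -> meaning for the ICMPv6 error messages defined in RFC 4443.
RFC4443 = {
    (1, 0): "no route to destination",
    (1, 1): "communication with destination administratively prohibited",
    (1, 2): "beyond scope of source address",
    (1, 3): "address unreachable",
    (1, 4): "port unreachable",
    (1, 5): "source address failed ingress/egress policy",
    (1, 6): "reject route to destination",
    (3, 0): "hop limit exceeded in transit",
    (3, 1): "fragment reassembly time exceeded",
    (4, 0): "erroneous header field encountered",
    (4, 1): "unrecognized Next Header type encountered",
    (4, 2): "unrecognized IPv6 option encountered",
}

def parse_icmpv6(msg: bytes):
    """Return (type, code) from the fixed 4-byte ICMPv6 header."""
    if len(msg) < 4:
        raise ValueError("truncated ICMPv6 header")
    mtype, code, _checksum = struct.unpack("!BBH", msg[:4])
    return mtype, code

def matches(msg: bytes, code: int, mtype=None) -> bool:
    """Hypothetical rule model: match on code alone, or on type and code."""
    t, c = parse_icmpv6(msg)
    return c == code and (mtype is None or t == mtype)

def describe(msg: bytes) -> str:
    """Look up the RFC 4443 meaning of a message's (type, code) pair."""
    return RFC4443.get(parse_icmpv6(msg), "not defined in RFC 4443")

# Constructed sample headers (checksum zeroed, message body omitted).
SAMPLES = [bytes([t, c, 0, 0]) for t, c in [(1, 1), (3, 1), (4, 1), (1, 4)]]

def matched_meanings(code: int, mtype=None):
    """Meanings of the sample messages that the modelled rule would match."""
    return [describe(m) for m in SAMPLES if matches(m, code, mtype)]

if __name__ == "__main__":
    print("code 1 only:      ", matched_meanings(1))
    print("type 1 and code 1:", matched_meanings(1, mtype=1))
```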