On Tue, Apr 02, 2024 at 07:29:48AM -0000, William N. wrote:
> Is it possible to have proper symbolic naming ('describe') of codes
> depending on type too? (as per RFC 4443)
This is not yet done. Add it to bugzilla as a feature request I'd suggest.
> I also notice there are some types that don't even have a corresponding
> name (e.g. 139, 140).
I believe the existing ICMP types are based on iptables, and it seems
iptables does not include those.
There is icmp6_type_tbl in src/proto.c that can be extended, better to
use definitions available in icmp.h if available.
> ip6tables-translate does not translate codes either.
What iptables version are you using?
$ ip6tables-translate -I INPUT -m icmpv6 --icmpv6-type destination-unreachable
nft 'insert rule ip6 filter INPUT icmpv6 type destination-unreachable counter'
> Has that been reported/considered?
>
> Speaking of all that:
>
> I have managed to "translate" the whole Appendix B of RFC 4890. However,
> I am not quite sure how complete the appendix itself is, because:
>
> - it does not address the recommendations given regarding hop limits
> - I have found one bug (so far) in that same appendix
What bug?
> I wonder if it would be appropriate to contact the email addresses
> given at the end of the RFC itself. What do you think?
>
> Considering the importance of correct secure handling of ICMPv6, it
> would be great to have an example on wiki.nftables.org showing a proper
> implementation of RFC 4890.
