On Tue, Apr 02, 2024 at 07:29:48AM -0000, William N. wrote:
> Is it possible to have proper symbolic naming ('describe') of codes
> depending on type too? (as per RFC 4443)

This is not yet done. Add it to bugzilla as a feature request I'd
suggest.

> I also notice there are some types that don't even have a corresponding
> name (e.g. 139, 140).

I believe the existing ICMP types are based on iptables, and it seems
iptables does not include those.

There is icmp6_type_tbl in src/proto.c that can be extended, better to
use definitions available in icmp.h if available.

> ip6tables-translate does not translate codes either.

What iptables version are you using?

$ ip6tables-translate -I INPUT -m icmpv6 --icmpv6-type destination-unreachable
nft 'insert rule ip6 filter INPUT icmpv6 type destination-unreachable counter'

> Has that been reported/considered?
>
> Speaking of all that:
>
> I have managed to "translate" the whole Appendix B of RFC 4890. However,
> I am not quite sure how complete the appendix itself is, because:
>
> - it does not address the recommendations given regarding hop limits
> - I have found one bug (so far) in that same appendix

What bug?

> I wonder if it would be appropriate to contact the email addresses
> given at the end of the RFC itself. What do you think?
>
> Considering the importance of correct secure handling of ICMPv6, it
> would be great to have an example on wiki.nftables.org showing a proper
> implementation of RFC 4890.