Re: nftables: How to match ICMPv6 subtype in a rule?

On Tue, Apr 02, 2024 at 07:29:48AM -0000, William N. wrote:
> Is it possible to have proper symbolic naming ('describe') of codes
> depending on type too? (as per RFC 4443)

This is not yet done. I'd suggest adding it to bugzilla as a feature request.

> I also notice there are some types that don't even have a corresponding
> name (e.g. 139, 140).

I believe the existing ICMP types are based on iptables, and it seems
iptables does not include those.

There is an icmp6_type_tbl in src/proto.c that can be extended; better to
use the definitions available in icmp.h if available.

> ip6tables-translate does not translate codes either.

What iptables version are you using?

$ ip6tables-translate -I INPUT -m icmpv6 --icmpv6-type destination-unreachable
nft 'insert rule ip6 filter INPUT icmpv6 type destination-unreachable counter'

> Has that been reported/considered?
>
> Speaking of all that:
> 
> I have managed to "translate" the whole Appendix B of RFC 4890. However,
> I am not quite sure how complete the appendix itself is, because:
> 
> - it does not address the recommendations given regarding hop limits
> - I have found one bug (so far) in that same appendix

What bug?

> I wonder if it would be appropriate to contact the email addresses
> given at the end of the RFC itself. What do you think?
> 
> Considering the importance of correct secure handling of ICMPv6, it
> would be great to have an example on wiki.nftables.org showing a proper
> implementation of RFC 4890.

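As an added example, not taken from this thread, from RFC 4890's Appendix B or from the nftables project: an ip6 input chain for an end host that expresses the RFC 4890 section 4.3 recommendations in nft syntax, and also applies the hop-limit checks the thread notes Appendix B omits. It shows the two points raised above in practice: ICMPv6 codes are written numerically because nft's code names are not type-dependent, and types 139/140, which have no symbolic name in nft, are matched by number. The rate-limit figures and the host (rather than router) role are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread or the nftables project: an ip6 input
# chain for an end host following the RFC 4890 section 4.3 recommendations,
# plus the hop-limit rules required by RFC 4861 (NDP) and RFC 2710/3810 (MLD).
# Rate-limit values and the host role are assumptions made for illustration.

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Error messages that must never be dropped (RFC 4890 section 4.3).
        # "icmpv6 type" implies "meta l4proto icmpv6", so no extra match is needed.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded } accept

        # nft's code names are not type-dependent (see thread), so Parameter
        # Problem codes are written numerically (RFC 4443: 0 = erroneous header
        # field, 1 = unrecognised next header, 2 = unrecognised IPv6 option).
        icmpv6 type parameter-problem icmpv6 code { 0, 1, 2 } accept

        # Echo, rate-limited (values assumed) so the host is not a ping amplifier.
        icmpv6 type { echo-request, echo-reply } limit rate 10/second burst 20 packets accept

        # Neighbor Discovery: RFC 4861 requires hop limit 255 on the wire, so an
        # NDP message with any other hop limit has crossed a router and is not
        # legitimate NDP; it is dropped explicitly and counted so it is visible.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } ip6 hoplimit 255 accept
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } counter drop

        # Inverse Neighbor Discovery carries the same hop-limit requirement.
        icmpv6 type { ind-neighbor-solicit, ind-neighbor-advert } ip6 hoplimit 255 accept

        # MLD is sent with hop limit 1 from a link-local source (RFC 2710/3810).
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction, mld2-listener-report } ip6 saddr fe80::/10 ip6 hoplimit 1 accept

        # Types nft has no name for (thread: 139 and 140, Node Information
        # Query/Response, RFC 4620) are matched numerically; dropped here
        # because this host does not answer Node Information Queries.
        icmpv6 type { 139, 140 } counter drop

        # Everything else, unallocated and experimental types included, falls
        # through to the chain's drop policy; count it so rejects are visible.
        meta l4proto icmpv6 counter
    }
}
```

Load it with `nft -f` and inspect with `nft list ruleset`; because nft resolves the symbolic names from icmp6_type_tbl when listing, the 139/140 rule is printed back with the numbers, which is the practical effect of the missing names discussed in the thread. The explicit `counter drop` after each hop-limit rule is deliberate: the chain policy would drop those packets anyway, but a counter on a dedicated rule is what lets you notice forwarded NDP reaching the host.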