Re: nftables: How to match ICMPv6 subtype in a rule?

On Tue, 2 Apr 2024 12:06:21 +0200 Pablo Neira Ayuso wrote:

> What iptables version are you using?

# iptables -V
iptables v1.8.9 (nf_tables)

> $ ip6tables-translate -I INPUT -m icmpv6 --icmpv6-type
> destination-unreachable nft 'insert rule ip6 filter INPUT icmpv6 type destination-unreachable counter'

What you show works for me too, but e.g. this does not:

# ip6tables-translate -I INPUT -m icmpv6 --icmpv6-type ttl-zero-during-transit
nft # -I INPUT -m icmpv6 --icmpv6-type ttl-zero-during-transit

If you replace 'ip6tables' with 'ip6tables-translate' in the RFC
example and run the whole script you will see the rest which don't
translate.

> What bug?

For example, in section "TIME EXCEEDED ERROR MESSAGES", right after the
comment saying:

# Allow incoming time exceeded code 0 messages
# only for existing sessions

the actual rules handle 'packet-too-big' (type 2), not 'time-exceeded'
(type 3) with code 0, as recommended in section 4.3.1 and as it claims.
The 'else' condition right after it does not do what it should either.
As a result, type 3 (which is in the "must" section 4.3.1) seems not
handled anywhere.

There is also some meaningless code, e.g. the loop around the
'bad-header'. Etc.
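As an added example (not code from this thread or from the RFC 4890 script), the following nft ruleset fragment shows how an ICMPv6 type, and where needed the code, is matched in native nftables syntax. It assumes the `ip6 filter` table and `INPUT` chain named in the ip6tables-translate output above; the chain's hook and priority line is an assumption, and the session restriction follows the comment quoted from the RFC script.

```nft
# Added example: matching ICMPv6 type and code in nftables.
# Table and chain names are taken from the ip6tables-translate output;
# the hook/priority line is assumed for a stand-alone ruleset.
table ip6 filter {
    chain INPUT {
        type filter hook input priority filter;

        # Type-only match: the same rule ip6tables-translate produced for
        # --icmpv6-type destination-unreachable (type 1, any code).
        icmpv6 type destination-unreachable counter accept

        # The ip6tables name 'ttl-zero-during-transit' (left untranslated
        # above) is time-exceeded (type 3) with code 0, so the code is
        # matched explicitly here. Limited to existing sessions, as the
        # RFC 4890 comment for time exceeded code 0 describes.
        icmpv6 type time-exceeded icmpv6 code 0 \
            ct state established,related counter accept

        # packet-too-big (type 2) is a separate type; a type-only match
        # covers every code of that type.
        icmpv6 type packet-too-big counter accept
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list ruleset`; the `counter` on each rule makes it easy to confirm which of the two type 3 and type 2 rules actually sees traffic.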
