From: "William N." <netfilter@riseup.net>
To: netfilter@vger.kernel.org
Subject: Re: nftables: How to match ICMPv6 subtype in a rule?
Date: Tue, 2 Apr 2024 13:24:32 -0000
Message-ID: <20240402132432.0a620091@localhost>
In-Reply-To: <ZgvYnXicTY7FQi7E@calendula>

On Tue, 2 Apr 2024 12:06:21 +0200 Pablo Neira Ayuso wrote:

> What iptables version are you using?

# iptables -V
iptables v1.8.9 (nf_tables)

> $ ip6tables-translate -I INPUT -m icmpv6 --icmpv6-type
> destination-unreachable nft 'insert rule ip6 filter INPUT icmpv6 type destination-unreachable counter'

What you show works for me too, but e.g. this does not:

# ip6tables-translate -I INPUT -m icmpv6 --icmpv6-type ttl-zero-during-transit
nft # -I INPUT -m icmpv6 --icmpv6-type ttl-zero-during-transit

If you replace 'ip6tables' with 'ip6tables-translate' in the RFC
example and run the whole script you will see the rest which don't
translate.

> What bug?

For example, in section "TIME EXCEEDED ERROR MESSAGES", right after the
comment saying:

# Allow incoming time exceeded code 0 messages
# only for existing sessions

the actual rules handle 'packet-too-big' (type 2), not 'time-exceeded'
(type 3) with code 0, as recommended in section 4.3.1 and as it claims.
The 'else' condition right after it does not do what it should either.
As a result, type 3 (which is in the "must" section 4.3.1) seems not
handled anywhere.

There is also some meaningless code, e.g. the loop around the
'bad-header'. Etc.
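
As an added illustration (not part of this thread, and not code from iptables or nftables), here is a small Python translator for the `--icmpv6-type` arguments that `ip6tables-translate` echoed back unchanged above. The type/code name table is assumed to follow the ip6tables icmp6 match extension (a subset of its names); code-qualified names become an nft `icmpv6 type X icmpv6 code N` pair, and the last function builds the time-exceeded code 0 rule the RFC comment describes, restricted to existing sessions via conntrack.

```python
"""Map ip6tables '--icmpv6-type' arguments to nft 'icmpv6 type/code' matches."""
import re

# Assumed name table (subset of the ip6tables icmp6 extension): type name -> number.
TYPES = {
    "destination-unreachable": 1,
    "packet-too-big": 2,
    "time-exceeded": 3,
    "parameter-problem": 4,
    "echo-request": 128,
    "echo-reply": 129,
}
BY_NUMBER = {num: name for name, num in TYPES.items()}

# Code names belong to a parent type: code name -> (nft type keyword, code number).
CODES = {
    "no-route": ("destination-unreachable", 0),
    "communication-prohibited": ("destination-unreachable", 1),
    "beyond-scope": ("destination-unreachable", 2),
    "address-unreachable": ("destination-unreachable", 3),
    "port-unreachable": ("destination-unreachable", 4),
    "ttl-zero-during-transit": ("time-exceeded", 0),
    "ttl-zero-during-reassembly": ("time-exceeded", 1),
    "bad-header": ("parameter-problem", 0),
    "unknown-header-type": ("parameter-problem", 1),
    "unknown-option": ("parameter-problem", 2),
}


def translate_icmpv6_type(arg: str) -> str:
    """Return the nft match for one --icmpv6-type argument.

    Accepts a type name, a code name, or the numeric 'type[/code]' form.
    Unknown names raise ValueError rather than being passed through silently.
    """
    arg = arg.strip().lower()
    m = re.fullmatch(r"(\d+)(?:/(\d+))?", arg)
    if m:  # numeric form: use the nft keyword when one is known, else the number
        kw = BY_NUMBER.get(int(m.group(1)), m.group(1))
        code = f" icmpv6 code {int(m.group(2))}" if m.group(2) is not None else ""
        return f"icmpv6 type {kw}{code}"
    if arg in TYPES:
        return f"icmpv6 type {arg}"
    if arg in CODES:
        kw, code = CODES[arg]
        return f"icmpv6 type {kw} icmpv6 code {code}"
    raise ValueError(f"unknown ICMPv6 type/code name: {arg!r}")


def time_exceeded_existing_sessions_rule(table: str = "filter", chain: str = "INPUT") -> str:
    """Accept type 3 code 0 only for existing sessions (what the RFC comment says)."""
    match = translate_icmpv6_type("ttl-zero-during-transit")
    return f"insert rule ip6 {table} {chain} {match} ct state established,related accept"
```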
