nft icmp type all?

nft icmp type all?

[Robert Sander]

[-- Attachment #1.1: Type: text/plain, Size: 630 bytes --]

Hi,

how do I specify a rule to match all ICMP packages?

nft add rule ip filter input icmp accept

does not work.

nft add rule ip filter input icmp type all accept

also does not work. any instead of all also no success.

Is it really necessary to have all possible ICMP types in a set with a
rule like this?

Regards
-- 
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-43
Fax: 030 / 405051-19

Zwangsangaben lt. §35a GmbHG:
HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: nft icmp type all?

[kfm]

On 24/01/2020 21:16, Robert Sander wrote:
> Hi,
> 
> how do I specify a rule to match all ICMP packages?
> 
> nft add rule ip filter input icmp accept
> 
> does not work.

nft add rule ip filter input meta l4proto icmp accept

-- 
Kerin Millar

Re: nft icmp type all?

[Daniel Lakeland]

On 1/24/20 1:29 PM, kfm@plushkava.net wrote:
> On 24/01/2020 21:16, Robert Sander wrote:
>> Hi,
>>
>> how do I specify a rule to match all ICMP packages?
>>
>> nft add rule ip filter input icmp accept
>>
>> does not work.
>
> nft add rule ip filter input meta l4proto icmp accept
>
I think this also works:

nft add rule ip filter input ip protocol icmp accept

Re: nft icmp type all?

[Robert Sander]

[-- Attachment #1.1: Type: text/plain, Size: 759 bytes --]

Am 24.01.20 um 22:29 schrieb kfm@plushkava.net:
> On 24/01/2020 21:16, Robert Sander wrote:
>> Hi,
>>
>> how do I specify a rule to match all ICMP packages?
>>
>> nft add rule ip filter input icmp accept
>>
>> does not work.
> 
> nft add rule ip filter input meta l4proto icmp accept
> 

So it's basically like

iptables -p icmp -m icmp --icmp-type xyz

         ^       ^
         |       +- icmp type xyz
         +- meta l4proto icmp

Thanks.
-- 
Robert Sander
Heinlein Support GmbH
Linux: Akademie - Support - Hosting
http://www.heinlein-support.de

Tel: 030-405051-43
Fax: 030-405051-19

Zwangsangaben lt. §35a GmbHG:
HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein  -- Sitz: Berlin


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: nft icmp type all?

[Robert Sander]

[-- Attachment #1.1: Type: text/plain, Size: 650 bytes --]

Am 26.01.20 um 03:24 schrieb Daniel Lakeland:

> I think this also works:
> 
> nft add rule ip filter input ip protocol icmp accept

Ah thanks. I overread the "protocol" keyword on the wiki page.

So you have to add protocol before "icmp" if you do not want to specify
an icmp type (or tcp/udp port).

Is there any motivation for that?

Regards
-- 
Robert Sander
Heinlein Support GmbH
Linux: Akademie - Support - Hosting
http://www.heinlein-support.de

Tel: 030-405051-43
Fax: 030-405051-19

Zwangsangaben lt. §35a GmbHG:
HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein  -- Sitz: Berlin


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: nft icmp type all?

[Florian Westphal]

Robert Sander <r.sander@heinlein-support.de> wrote:
> Ah thanks. I overread the "protocol" keyword on the wiki page.
> 
> So you have to add protocol before "icmp" if you do not want to specify
> an icmp type (or tcp/udp port).
> 
> Is there any motivation for that?

Different things.

"ip protocol icmp" is short for
"ip protocol = icmp".

"icmp type x" is short for "icmp type = x".

So, "icmp type" is short for "icmp type =", i.e., the compare lacks
right-hand-side.