Re: Extensions for ICMP[6] with sport, dport

[Florian Westphal <fw@strlen.de>]

Rick van Rein <rick@openfortress.nl> wrote:

[ dropped patrick from cc ]

> A sketch of code is below; I am unsure about the [THDR_?PORT] but I
> think the "sport" and "dport" should be interpreted in reverse for ICMP,
> as it travels upstream.  That would match "l4proto sport" match ICMP
> along with the TCP, UDP, SCTP and DCCP to which it relates.  It also
> seems fair that ICMP with a "dport" targets the port at the ICMP target,
> so the originator of the initial message.
> 
> 
> If you want me to continue on this, I need to find a way into
> git.kernel.org and how to offer code.  Just point me to howto's.  I also
> could write a Wiki about Stateful Filter WHENTO-and-HOWTO.

I think instead of this specific use case it would be preferrable to
tackle this in a more general way, via more generic "ip - in foo"
matching.

See
https://people.netfilter.org/2019/wiki/index.php/General_Agenda#match_packets_inside_tunnels

for a summary of inner header matching.

I suspect that for this case we would want something like

filter forward inner ip in icmp tcp dport 42

It would require lots of kernel changes, for example a new displaycement
register and changes to existing payload expression to use it, so it
would access the embedded tcp header.