From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "William N." <netfilter@riseup.net>
Cc: netfilter@vger.kernel.org
Subject: Re: nftables: How to match ICMPv6 subtype in a rule?
Date: Tue, 2 Apr 2024 12:06:21 +0200
Message-ID: <ZgvYnXicTY7FQi7E@calendula>
In-Reply-To: <20240402072948.2193d20c@localhost>

On Tue, Apr 02, 2024 at 07:29:48AM -0000, William N. wrote:
> Is it possible to have proper symbolic naming ('describe') of codes
> depending on type too? (as per RFC 4443)

This is not yet done. Add it to bugzilla as a feature request I'd suggest.

> I also notice there are some types that don't even have a corresponding
> name (e.g. 139, 140).

I believe the existing ICMP types are based on iptables, and it seems
iptables does not include those.

There is icmp6_type_tbl in src/proto.c that can be extended, better to
use definitions available in icmp.h if available.

> ip6tables-translate does not translate codes either.

What iptables version are you using?

$ ip6tables-translate -I INPUT -m icmpv6 --icmpv6-type destination-unreachable
nft 'insert rule ip6 filter INPUT icmpv6 type destination-unreachable counter'

> Has that been reported/considered?
>
> Speaking of all that:
>
> I have managed to "translate" the whole Appendix B of RFC 4890. However,
> I am not quite sure how complete the appendix itself is, because:
>
> - it does not address the recommendations given regarding hop limits
> - I have found one bug (so far) in that same appendix

What bug?

> I wonder if it would be appropriate to contact the email addresses
> given at the end of the RFC itself. What do you think?
>
> Considering the importance of correct secure handling of ICMPv6, it
> would be great to have an example on wiki.nftables.org showing a proper
> implementation of RFC 4890.