Bug: "You must specify `--icmpv6-type'"

Bug: "You must specify `--icmpv6-type'"

[Max Kellermann]

Hi,

users of my "ferm" iptables frontend
(http://max.kellermann.name/projects/ferm/) reported a problem with
ip6tables.

 rabbit:~# ip6tables -A INPUT -p icmpv6 -j ACCEPT
 rabbit:~# ip6tables -A INPUT -p icmpv6 -m icmpv6 -j ACCEPT
 ip6tables v1.3.6: icmpv6 match: You must specify `--icmpv6-type'
 Try `ip6tables -h' or 'ip6tables --help' for more information.

According to the ip6tables manpage, the "icmpv6" module is implicitly
loaded whenever you specify "-p icmpv6".  It is however only loaded
when you also specify "--icmpv6-type".  So either the documentation is
wrong, or ip6tables' behaviour is.

Max

Re: Bug: "You must specify `--icmpv6-type'"

[Yasuyuki KOZAKAI]

Hi,

From: Max Kellermann <max@duempel.org>
Date: Fri, 9 Feb 2007 11:28:29 +0100

> Hi,
> 
> users of my "ferm" iptables frontend
> (http://max.kellermann.name/projects/ferm/) reported a problem with
> ip6tables.
> 
>  rabbit:~# ip6tables -A INPUT -p icmpv6 -j ACCEPT
>  rabbit:~# ip6tables -A INPUT -p icmpv6 -m icmpv6 -j ACCEPT
>  ip6tables v1.3.6: icmpv6 match: You must specify `--icmpv6-type'
>  Try `ip6tables -h' or 'ip6tables --help' for more information.
> 
> According to the ip6tables manpage, the "icmpv6" module is implicitly
> loaded whenever you specify "-p icmpv6".  It is however only loaded
> when you also specify "--icmpv6-type".  So either the documentation is
> wrong, or ip6tables' behaviour is.

This behavior is intended. The matches for protocol are not loaded when you
specify only '-p protocol', but loaded when you specify extra options of
them, too. This is to avoid unnecessary loading.

Following explanations are preferable ?

diff --git a/extensions/libip6t_icmp6.man b/extensions/libip6t_icmp6.man
index 2047180..c755fbf 100644
--- a/extensions/libip6t_icmp6.man
+++ b/extensions/libip6t_icmp6.man
@@ -1,4 +1,4 @@
-This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
+This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' is
 specified. It provides the following option:
 .TP
 .BR "--icmpv6-type " "[!] \fItype\fP[/\fIcode\fP]|\fItypename\fP"
diff --git a/extensions/libip6t_tcp.man b/extensions/libip6t_tcp.man
index 75d172e..e94566c 100644
--- a/extensions/libip6t_tcp.man
+++ b/extensions/libip6t_tcp.man
@@ -1,4 +1,4 @@
-These extensions are loaded if `--protocol tcp' is specified. It
+These extensions can be used if `--protocol tcp' is specified. It
 provides the following options:
 .TP
 .BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
diff --git a/extensions/libip6t_udp.man b/extensions/libip6t_udp.man
index 0408479..1d5e590 100644
--- a/extensions/libip6t_udp.man
+++ b/extensions/libip6t_udp.man
@@ -1,4 +1,4 @@
-These extensions are loaded if `--protocol udp' is specified.  It
+These extensions can be used if `--protocol udp' is specified.  It
 provides the following options:
 .TP
 .BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
diff --git a/extensions/libipt_icmp.man b/extensions/libipt_icmp.man
index 5b91514..55d24b4 100644
--- a/extensions/libipt_icmp.man
+++ b/extensions/libipt_icmp.man
@@ -1,4 +1,4 @@
-This extension is loaded if `--protocol icmp' is specified.  It
+This extension can be used if `--protocol icmp' is specified.  It
 provides the following option:
 .TP
 .BR "--icmp-type " "[!] \fItypename\fP"
diff --git a/extensions/libipt_tcp.man b/extensions/libipt_tcp.man
index 648c81e..cfafc9e 100644
--- a/extensions/libipt_tcp.man
+++ b/extensions/libipt_tcp.man
@@ -1,4 +1,4 @@
-These extensions are loaded if `--protocol tcp' is specified. It
+These extensions can be used if `--protocol tcp' is specified. It
 provides the following options:
 .TP
 .BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
diff --git a/extensions/libipt_udp.man b/extensions/libipt_udp.man
index 0408479..1d5e590 100644
--- a/extensions/libipt_udp.man
+++ b/extensions/libipt_udp.man
@@ -1,4 +1,4 @@
-These extensions are loaded if `--protocol udp' is specified.  It
+These extensions can be used if `--protocol udp' is specified.  It
 provides the following options:
 .TP
 .BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-- 
1.4.4

Re: Bug: "You must specify `--icmpv6-type'"

[Yasuyuki KOZAKAI]

Hi, again,

From: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>
Date: Tue, 13 Feb 2007 12:01:04 +0900 (JST)

> From: Max Kellermann <max@duempel.org>
> Date: Fri, 9 Feb 2007 11:28:29 +0100


> > According to the ip6tables manpage, the "icmpv6" module is implicitly
> > loaded whenever you specify "-p icmpv6".  It is however only loaded
> > when you also specify "--icmpv6-type".  So either the documentation is
> > wrong, or ip6tables' behaviour is.
> 
> This behavior is intended. The matches for protocol are not loaded when you
> specify only '-p protocol', but loaded when you specify extra options of
> them, too. This is to avoid unnecessary loading.

I noticed libipt_icmp doesn't check no specified type, then applied
following.

Thanks for chance to find out that.

-- Yasuyuki Kozakai

Error if no ICMP type is specified even though user intended
to use icmp match.

---
 extensions/libipt_icmp.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index 8f22d05..ce46837 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -284,6 +284,9 @@ static void save(const struct ipt_ip *ip
 /* Final check; we don't care. */
 static void final_check(unsigned int flags)
 {
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM,
+			   "icmp match: You must specify `--icmp-type'");
 }
 
 static struct iptables_match icmp = { 
-- 
1.4.4

Re: Bug: "You must specify `--icmpv6-type'"

[Max Kellermann]

On 2007/02/13 04:17, Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp> wrote:
> I noticed libipt_icmp doesn't check no specified type, then applied
> following.

Makes sense, to get the parameter checks in sync.  However your
previous patch should also be applied, since it increases the
manpage's correctness.

Is there any disadvantage in loading protocol modules when none of
their checks is enabled?  Except maybe the CPU time spent in the
module callback.

Max

Re: Bug: "You must specify `--icmpv6-type'"

[Jan Engelhardt]

Hi,

On Feb 13 2007 12:01, Yasuyuki KOZAKAI wrote:
>> 
>> According to the ip6tables manpage, the "icmpv6" module is implicitly
>> loaded whenever you specify "-p icmpv6".  It is however only loaded
>> when you also specify "--icmpv6-type".  So either the documentation is
>> wrong, or ip6tables' behaviour is.
>
>This behavior is intended. The matches for protocol are not loaded when you
>specify only '-p protocol', but loaded when you specify extra options of
>them, too. This is to avoid unnecessary loading.

But ip(4)tables always implies -m prot for -p prot. 


Jan
-- 
ft: http://freshmeat.net/p/chaostables/

Re: Bug: "You must specify `--icmpv6-type'"

[Yasuyuki KOZAKAI]

Hi,

From: Max Kellermann <max@duempel.org>
Date: Tue, 13 Feb 2007 08:59:53 +0100

> On 2007/02/13 04:17, Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp> wrote:
> > I noticed libipt_icmp doesn't check no specified type, then applied
> > following.
> 
> Makes sense, to get the parameter checks in sync.  However your
> previous patch should also be applied, since it increases the
> manpage's correctness.
> 
> Is there any disadvantage in loading protocol modules when none of
> their checks is enabled?  Except maybe the CPU time spent in the
> module callback.

Good question. Unlike libip6t_icmp6, libipt_icmp has the option which matches
all ICMP type. iptables passes it to kernel if user specify no option of
icmp match. Then that check is unneccesary. I forgot that.

I've reverted the previous commit and added comment. Thanks for notice.

-- Yasuyuki Kozakai