Where is the ICMP *type* information in nft 0.9.8 trace output?

Where is the ICMP *type* information in nft 0.9.8 trace output?

[Martin Gignac]

Hi,

I'm doing some tracing with nft 0.9.8 and I am seeing something which
I'm not sure is a bug or just me doing something wrong.

I've got this chain in my ruleset:

  chain trace_chain {
    type filter hook prerouting priority -301;
    ip daddr 24.153.88.9 ip protocol icmp meta nftrace set 1
  }

When I run 'nft monitor trace' and do a ping to 24.153.88.9 I get this:

  trace id d89e0527 inet filter trace_chain packet: iif "ens2f4" ether
saddr 3c:fd:fe:d0:21:31 ether daddr 00:07:43:3e:b5:40 ip saddr
192.168.1.4 ip daddr 24.153.88.9 ip dscp cs0 ip ecn not-ect ip ttl 64
ip id 48512 ip protocol icmp ip length 84 icmp code net-unreachable
icmp id 7698 icmp sequence 1 @th,64,96 70826276232191064865536871936

I didn't understand why I was getting 'icmp code net-unreachable' when
I should be getting something like 'icmp code echo-request', so I
re-ran the trace with 'nft -nn monitor trace':

  trace id f3014662 inet filter trace_chain packet: iif "ens2f4" ether
saddr 3c:fd:fe:d0:21:31 ether daddr 00:07:43:3e:b5:40 ip saddr
192.168.1.4 ip daddr 24.153.88.9 ip dscp 0x00 ip ecn 0x0 ip ttl 64 ip
id 56274 ip protocol 1 ip length 84 icmp code 0 icmp id 7700 icmp
sequence 1 @th,64,96 75468551379511240899085402624

I then realized that 'icmp code net-unreachable' is correct *if* the
icmp *type* is 1 or 2, but not if the type is 8, which is the case for
an echo request. I then also realized that the ICMP *type* information
was missing from the trace.

So my question is this: am I misunderstanding the trace output or is
there some sort of bug?

Bonus question: if instead of calling the chain "trace_chain", I call
it "chain", like so:

  chain trace {
    type filter hook prerouting priority -301;
    ip daddr 24.153.88.9 ip protocol icmp meta nftrace set 1
  }

When I try loading the ruleset I get this error:

  /etc/firewall/rules.nft:40:9-13: Error: syntax error, unexpected
trace, expecting string
  chain trace {
        ^^^^^
Is 'trace' some sort of reserved keyword? I thought chains could be
called anything. Can they not?

Thanks,
-Martin

[PATCH nft] trace: do not remove icmp type from packet dump

[Florian Westphal]

As of 0.9.8 the icmp type is marked as a protocol field, so its
elided in 'nft monitor trace' output:

   icmp code 0 icmp id 44380 ..

Restore it.  Unlike tcp, where 'tcp sport' et. al in the dump
will make the 'ip protocol tcp' redundant this case isn't obvious
in the icmp case:

  icmp type 8 code 0 id ...

Reported-by: Martin Gignac <martin.gignac@gmail.com>
Fixes: 98b871512c4677 ("src: add auto-dependencies for ipv4 icmp")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/netlink.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/netlink.c b/src/netlink.c
index ec2dad29ace1..c3887d5b6662 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1859,7 +1859,9 @@ next:
 		    pctx->pbase == PROTO_BASE_INVALID) {
 			payload_dependency_store(pctx, stmt, base - stacked);
 		} else {
-			payload_dependency_kill(pctx, lhs, ctx->family);
+			/* Don't strip 'icmp type' from payload dump. */
+			if (pctx->icmp_type == 0)
+				payload_dependency_kill(pctx, lhs, ctx->family);
 			if (lhs->flags & EXPR_F_PROTOCOL)
 				payload_dependency_store(pctx, stmt, base - stacked);
 		}
-- 
2.26.2