From: "Kerin Millar" <kfm@plushkava.net>
To: "William N." <netfilter@riseup.net>, netfilter@vger.kernel.org
Subject: Re: nftables: How to match ICMPv6 subtype in a rule?
Date: Sun, 31 Mar 2024 07:33:42 +0100
Message-ID: <f1e198cf-949e-4dbe-becb-25d2ee4c2950@app.fastmail.com>
In-Reply-To: <20240330194139.561b5a24@localhost>
On Sat, 30 Mar 2024, at 7:41 PM, William N. wrote:
> Hello,
>
> I have been reading RFC 4890 and 4443, as well as nftables wiki and man
> page.
>
> It is obvious how to match ICMPv6 types using 'icmpv6 type'. However,
> as RFC 4890 recommends, there are situations where only a specific
> SUBtype must be accepted, e.g. section 4.3.1:
As far as the ICMPv6 header is concerned, there are only types and codes.
>
> o Time Exceeded (Type 3) - Code 0 only
> o Parameter Problem (Type 4) - Codes 1 and 2 only
>
Those are types and codes.
> I have been searching for days and I can't find any info about matching
> ICMPv6 subtypes. ip6tables can do that (as shown in the example in the
> RFC) but no info about nftables. ip6tables-translate cannot translate
> subtype rules (it converts them to a comment).
>
> So, what is the nftables syntax to accept only a specific subtype of an
> ICMPv6 type?
These are the relevant sections of the manual:
LESS=+/'ICMPV6 HEADER EXPRESSION' man nft
LESS=+'/ICMPV6 TYPE TYPE' man nft
LESS=+'/ICMPV6 CODE TYPE' man nft
However, there are some errors in the manual. One is that the ICMPV6 HEADER EXPRESSION section does not make it clear that the type/keyword for the ICMPv6 Code is "icmpv6_code", instead generically describing it as "integer (8 bit)". Another is that it erroneously documents the keyword for the ICMPv6 Type as being "icmpx_code" in the ICMPV6 CODE TYPE section.
Anyway, the syntax is:
icmpv6 type <icmpv6_type> # where <icmpv6_type> is any valid ICMPV6 TYPE value
icmpv6 code <icmpv6_code> # where <icmpv6_code> is any valid ICMPV6 CODE value
Both of these header expressions may be combined within a single rule. All of the possible values are documented by the aforementioned sections of the manual. Alternatively, you may ask for nft(8) to print out the supported values for you.
# nft describe icmpv6_type
# nft describe icmpv6_code
--
Kerin Millar
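The following ruleset is an added illustration of the syntax given in the reply above; it is not part of the thread and not an example from the nftables project. It applies the RFC 4890 section 4.3.1 recommendations quoted in the question (Time Exceeded code 0 only, Parameter Problem codes 1 and 2 only) by combining `icmpv6 type` and `icmpv6 code` in one rule, and drops every other ICMPv6 message through the chain policy. The table and chain names are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): an ICMPv6 input policy for an end host
# that follows RFC 4890 section 4.3.1 using the type/code syntax from the reply.
# Table name "rfc4890_example" and chain name "input" are assumptions.

table inet rfc4890_example {
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to our own traffic, including ICMPv6 errors that conntrack
        # relates to an existing flow.
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Error messages the RFC says must not be dropped:
        # Destination Unreachable (type 1) with all codes, Packet Too Big (type 2).
        icmpv6 type { destination-unreachable, packet-too-big } accept

        # Time Exceeded (type 3): code 0 only.
        # Both header expressions are combined in a single rule.
        icmpv6 type time-exceeded icmpv6 code 0 accept

        # Parameter Problem (type 4): codes 1 and 2 only.
        # Numeric codes are used on purpose: the symbolic icmpv6_code names
        # printed by "nft describe icmpv6_code" (no-route, admin-prohibited, ...)
        # are the Destination Unreachable codes and do not describe type 4.
        icmpv6 type parameter-problem icmpv6 code { 1, 2 } accept

        # Echo Request/Reply (types 128/129), rate limited as a local choice.
        icmpv6 type { echo-request, echo-reply } limit rate 10/second accept

        # Neighbor Discovery: the RFC requires these only with hop limit 255,
        # which proves the packet originated on the local link.
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

        # Every other ICMPv6 message, e.g. Time Exceeded code 1 or Parameter
        # Problem code 0, is counted so the drop is visible and then dropped.
        meta l4proto ipv6-icmp counter drop
    }
}
```

Load it with `nft -f rfc4890_example.nft`, or check the syntax first with `nft -c -f rfc4890_example.nft` (`-c` parses and validates without committing anything to the kernel). After loading, `nft list ruleset` shows how nft renders the code matches; the explicit `icmpv6 type` match in each rule is what keeps a code value tied to the intended type, since a code alone is meaningless without its type.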
Thread overview: 9+ messages
2024-03-30 19:41 nftables: How to match ICMPv6 subtype in a rule? William N.
2024-03-31 6:33 ` Kerin Millar [this message]
2024-03-31 17:02 ` William N.
2024-03-31 18:34 ` Kerin Millar
2024-04-01 17:19 ` William N.
2024-04-01 22:59 ` Pablo Neira Ayuso
2024-04-02 7:29 ` William N.
2024-04-02 10:06 ` Pablo Neira Ayuso
2024-04-02 13:24 ` William N.