bugzilla-daemon at bugzilla.netfilter.org
2010-Jan-19 01:09 UTC
[Bug 630] New: Enhancement: Allow rules to specify ICMP type ranges.
http://bugzilla.netfilter.org/show_bug.cgi?id=630

           Summary: Enhancement: Allow rules to specify ICMP type ranges.
           Product: iptables
           Version: unspecified
          Platform: All
               URL: http://www.ietf.org/rfc/rfc4890.txt
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ip6tables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: kd6lvw at yahoo.com

RFC 4890 suggests that for IPv6, certain ICMP types must be permitted while others (especially the undefined ranges) be denied. However, current iptables interfaces (IPv4/IPv6) only allow rules to specify a single ICMP type per rule.

Under IPv6 (since that's what the RFC concentrated on, but likewise for IPv4), there are 31 valid ICMP types in two ranges: 1-4 and 128-154, excluding two experimental ranges for local testing. However, without the ability to specify type ranges, if all 31 types are in use at a host, 32 rules are needed to deny the invalid types. With ranges permitted, this can be done in 3 rules.

Current specification: --icmpv6-type type/code.
Add alternate specification: --icmpv6-type type1:type2.
Logic: TRUE if type1 <= x <= type2, otherwise false.

As both type and code are 8-bit values, there is no increase in structure size for the addition. A unioned sub-structure can be used to reinterpret values. The only possible addition to the data structure would be a boolean value to determine how to interpret the union: as two ICMP types or as type and code. This boolean value may be folded into an enumeration of values indicating the match type.

Obviously, this enhancement requires two parts:
1) Kernel netfilter support for the alternative interpretation
2) Ruleset interpreter to install the appropriate values and check them.

I believe that both of these should be relatively trivial to write.
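The union-based match proposed in the report above, sketched as an added example that is not part of the original report and is not netfilter code. The struct layout, the names and the three-rule set (accept 1:4, accept 128:154, drop everything else) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout (not the kernel's struct): two 8-bit fields whose
 * meaning is selected by an enumerated match mode, as the report proposes. */
enum icmp_match_mode { MATCH_TYPE_CODE, MATCH_TYPE_RANGE };
enum verdict { DROP, ACCEPT };
struct icmp_match {
    enum icmp_match_mode mode;
    union {
        struct { uint8_t type, code; } tc;  /* type/code form   */
        struct { uint8_t lo, hi; } range;   /* type1:type2 form */
    } u;
};
struct rule { struct icmp_match m; enum verdict v; };

/* Range mode: TRUE if type1 <= x <= type2; the code byte is not examined. */
static int icmp_matches(const struct icmp_match *m, uint8_t type, uint8_t code)
{
    if (m->mode == MATCH_TYPE_RANGE)
        return m->u.range.lo <= type && type <= m->u.range.hi;
    return m->u.tc.type == type && m->u.tc.code == code;
}

/* First matching rule decides; an unmatched packet is dropped (assumption). */
static enum verdict evaluate(const struct rule *r, size_t n, uint8_t type, uint8_t code)
{
    for (size_t i = 0; i < n; i++)
        if (icmp_matches(&r[i].m, type, code))
            return r[i].v;
    return DROP;
}

/* Constructed rule set: accept the two ranges the report names, drop the rest. */
static const struct rule ruleset[] = {
    { .m = { .mode = MATCH_TYPE_RANGE, .u.range = { 1, 4 } },     .v = ACCEPT },
    { .m = { .mode = MATCH_TYPE_RANGE, .u.range = { 128, 154 } }, .v = ACCEPT },
    { .m = { .mode = MATCH_TYPE_RANGE, .u.range = { 0, 255 } },   .v = DROP },
};

/* Counts how many of the 256 possible type values the rule set lets through. */
static int count_accepted(void)
{
    int accepted = 0;
    for (int t = 0; t <= 255; t++)
        accepted += evaluate(ruleset, sizeof ruleset / sizeof ruleset[0], (uint8_t)t, 0) == ACCEPT;
    return accepted;
}
int main(void) { printf("accepted types: %d\n", count_accepted()); return 0; }
```

The same two bytes (1, 4) mean "type 1, code 4" in one mode and "types 1 through 4" in the other, which is why the mode selector has to be stored with the rule.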
bugzilla-daemon at bugzilla.netfilter.org
2013-Feb-14 16:03 UTC
[Bug 630] Enhancement: Allow rules to specify ICMP type ranges.
http://bugzilla.netfilter.org/show_bug.cgi?id=630

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                                |Added
----------------------------------------------------------------------------
                 CC|                                       |pablo at netfilter.org
         AssignedTo|netfilter-buglog at lists.netfilter.org |pablo at netfilter.org