netfilter buglog - Sep 2018 - [Bug 1276] New: "icmpv6 code" test returns wrong data type.

https://bugzilla.netfilter.org/show_bug.cgi?id=1276

            Bug ID: 1276
           Summary: "icmpv6 code" test returns wrong data type.
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Gentoo
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: sabitov at sabitov.su

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180904/ed5c5d4a/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1276

--- Comment #1 from Andrew A. Sabitov <sabitov at sabitov.su> ---
I'd like to use a set (concatenation) of icmpv6 type and icmpv6 code and
check
incoming icmpv6 traffic against it.

Something like this:

add set     inet fw input_public_icmpv6_types { type icmpv6_type . icmpv6_code
; }
add element inet fw input_public_icmpv6_types { 1 . 0 } # no route to
destination
add element inet fw input_public_icmpv6_types { 1 . 1 } # communication with
destination administratively prohibited
add element inet fw input_public_icmpv6_types { 1 . 2 } # beyond scope of
source address
add element inet fw input_public_icmpv6_types { 1 . 3 } # address unreachable
add element inet fw input_public_icmpv6_types { 1 . 4 } # port unreachable
# ... and so on


add rule  inet fw input_icmpv6 \
        ip6 daddr {::1, ff00::/8, fe80::/10, ff02::/64, 2000::/3 } \
        icmpv6 type . icmpv6 code  @input_public_icmpv6_types \
                limit rate 15/minute \
                accept


"add rule" command returns an error:
In file included from ./nft-inet-pea.nft:56:1-47:
/etc/firewall/nft-inet-pea-input.nft:253:23-33: Error: can not use variable
sized data types (integer) in concat expressions
        icmpv6 type . icmpv6 code  @input_public_icmpv6_types \
               ~~~~~~~~~~~~~~^^^^^^^^^^^

As I can see "icmpv6 code" returns "integer" type instead of
icmpv6_code.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180904/8f908cd2/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1276

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |fw at strlen.de
           Assignee|pablo at netfilter.org         |fw at strlen.de

--- Comment #2 from Florian Westphal <fw at strlen.de> ---
Created attachment 548
  --> https://bugzilla.netfilter.org/attachment.cgi?id=548&action=edit
fix code icmpv6 code type

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180904/8e700a10/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1276

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pablo at netfilter.org

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Do we need similar change for ICMPv4?

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180904/e0df257b/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1276

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Florian fixed this upstream:

http://git.netfilter.org/nftables/commit/?id=0f44d4f62753535d39d95d83778348bee4e88053

closing.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180904/cb9b0519/attachment.html>