[Bug 630] New: Enhancement: Allow rules to specify ICMP type ranges.

bugzilla-daemon at bugzilla.netfilter.org
Tue Jan 19 02:09:30 CET 2010


http://bugzilla.netfilter.org/show_bug.cgi?id=630

           Summary: Enhancement:  Allow rules to specify ICMP type ranges.
           Product: iptables
           Version: unspecified
          Platform: All
               URL: http://www.ietf.org/rfc/rfc4890.txt
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ip6tables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: kd6lvw at yahoo.com


RFC 4890 suggests that for IPv6, certain ICMP types must be permitted while
others (especially the undefined ranges) be denied.  However, current iptables
interfaces (IPv4/IPv6) only allow rules to specify a single ICMP type per rule.

Under IPv6 (since that's what the RFC concentrated on, but likewise for IPv4),
there are 31 valid ICMP types in two ranges:  1-4 and 128-154, excluding two
experimental ranges for local testing.  However, without the ability to specify
type ranges, if all 31 types are in use at a host, 32 rules are needed to deny
the invalid types.  With ranges permitted, this can be done in 3 rules.

Current specification:
  --icmpv6-type  type/code.

Add alternate specification:
  --icmpv6-type  type1:type2.

Logic:  TRUE if  type1 <= x <= type2,  Otherwise false.

As both type and code are 8-bit values, there is no increase in structure size
for the addition.  A unioned sub-structure can be used to reinterpret values. 
The only possible addition to the data structure would be a boolean value to
determine how to interpret the union:  As two ICMP types or as type and code. 
This boolean value may be folded into an enumeration of values indicating the
match type.

Obviously, this enhancement requires two parts:
1)  Kernel netfilter support for the alternative interpretation
2)  Ruleset interpreter to install the appropriate values and check them.
I believe that both of these should be relatively trivial to write.


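The design sketched in the report above (an 8-bit pair reinterpreted through a union, a mode value selecting type/code versus type-range, and the TRUE-if-type1 <= x <= type2 test) is small enough to write out in full. The following is an added example for this page, not code from the netfilter project or the bug reporter: every identifier (icmp6_match, icmp6_parse_spec, icmp6_ruleset_verdict and so on) is hypothetical, the structure is a model of the proposal rather than the layout of netfilter's real struct ip6t_icmp (which already carries a code range and an invert-flags byte), and only the two spellings the report names, "type/code" and "type1:type2", are parsed. It also walks the three-rule set the report describes (accept 1:4, accept 128:154, drop the rest) over all 256 type values to confirm that exactly 31 types get through.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical match structure modelled on the report: the two 8-bit fields
 * are reinterpreted according to `mode`, so only a mode (plus the usual
 * invert flag) is added.  Illustrative; not netfilter's struct ip6t_icmp. */
enum icmp6_mode {
    ICMP6_MODE_TYPE_CODE,   /* --icmpv6-type type/code   (existing syntax)  */
    ICMP6_MODE_TYPE_RANGE   /* --icmpv6-type type1:type2 (proposed syntax)  */
};

struct icmp6_match {
    enum icmp6_mode mode;
    union {
        struct { uint8_t type, code; } tc;
        struct { uint8_t lo, hi; } range;
    } u;
    bool invert;            /* "! --icmpv6-type ..." */
};

/* Kernel-side check: in range mode TRUE if type1 <= x <= type2, otherwise an
 * exact type/code comparison; `invert` flips the result. */
bool icmp6_match_packet(const struct icmp6_match *m, uint8_t type, uint8_t code)
{
    bool hit;
    switch (m->mode) {
    case ICMP6_MODE_TYPE_CODE:
        hit = type == m->u.tc.type && code == m->u.tc.code;
        break;
    case ICMP6_MODE_TYPE_RANGE:
        hit = type >= m->u.range.lo && type <= m->u.range.hi;
        break;
    default:
        return false;       /* unknown mode never matches */
    }
    return hit != m->invert;
}

/* Decimal 8-bit field of exactly `len` bytes: rejects empty input,
 * non-digits and anything above 255. */
static bool parse_u8(const char *s, size_t len, uint8_t *out)
{
    unsigned v = 0;
    if (len == 0 || len > 3)
        return false;
    for (size_t i = 0; i < len; i++) {
        if (s[i] < '0' || s[i] > '9')
            return false;
        v = v * 10 + (unsigned)(s[i] - '0');
    }
    if (v > 255)
        return false;
    *out = (uint8_t)v;
    return true;
}

/* Userspace side: "type/code" or "type1:type2" -> match.  A malformed spec
 * or a reversed range (type1 > type2) is refused rather than installed as a
 * rule that silently matches nothing. */
bool icmp6_parse_spec(const char *spec, bool invert, struct icmp6_match *m)
{
    size_t n = strlen(spec), first;
    const char *sep;
    uint8_t a, b;

    memset(m, 0, sizeof(*m));
    m->invert = invert;
    if ((sep = strchr(spec, ':')) != NULL)
        m->mode = ICMP6_MODE_TYPE_RANGE;
    else if ((sep = strchr(spec, '/')) != NULL)
        m->mode = ICMP6_MODE_TYPE_CODE;
    else
        return false;
    first = (size_t)(sep - spec);
    if (!parse_u8(spec, first, &a) || !parse_u8(sep + 1, n - first - 1, &b))
        return false;
    if (m->mode == ICMP6_MODE_TYPE_RANGE) {
        if (a > b)
            return false;
        m->u.range.lo = a; m->u.range.hi = b;
    } else {
        m->u.tc.type = a; m->u.tc.code = b;
    }
    return true;
}

/* Parse a spec and test it against one packet: -1 bad spec, else 0/1. */
int icmp6_spec_matches(const char *spec, bool invert, uint8_t type, uint8_t code)
{
    struct icmp6_match m;
    if (!icmp6_parse_spec(spec, invert, &m))
        return -1;
    return icmp6_match_packet(&m, type, code) ? 1 : 0;
}

struct icmp6_rule { struct icmp6_match m; bool accept; };

/* First matching rule wins: 1 = ACCEPT, 0 = DROP, -1 = nothing matched. */
int icmp6_ruleset_verdict(const struct icmp6_rule *r, size_t n, uint8_t type, uint8_t code)
{
    for (size_t i = 0; i < n; i++)
        if (icmp6_match_packet(&r[i].m, type, code))
            return r[i].accept ? 1 : 0;
    return -1;
}

/* The report's three-rule set (accept 1:4, accept 128:154, drop all other
 * types), evaluated over every possible type value with code 0. */
int icmp6_count_accepted_types(void)
{
    struct icmp6_rule r[3];
    if (!icmp6_parse_spec("1:4", false, &r[0].m) ||
        !icmp6_parse_spec("128:154", false, &r[1].m) ||
        !icmp6_parse_spec("0:255", false, &r[2].m))
        return -1;
    r[0].accept = r[1].accept = true;
    r[2].accept = false;
    int accepted = 0;
    for (unsigned t = 0; t < 256; t++)
        accepted += icmp6_ruleset_verdict(r, 3, (uint8_t)t, 0) == 1;
    return accepted;    /* 4 + 27 = 31 */
}
```

The parser is the part worth getting right: in range mode the code field is ignored entirely, so a rule writer who types "128:0" intending type 128 code 0 gets a refused rule rather than one that never matches, and a range such as "1:300" is refused instead of being truncated to 8 bits.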