[Bug 1073] inet-service vs icmp conflict

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Jun 9 18:20:06 CEST 2016


Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
             Status|NEW                         |ASSIGNED

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
The following patch that I'm attaching seems to work here.

However, this generates rather loose bytecode:

# nft --debug=netlink add rule inet x y icmpv6 type 1
inet x y 
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x0000003a ]
  [ payload load 1b @ transport header + 0 => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]

Note that meta load l4proto fetches the layer 4 protocol number. Hopefully,
ICMPv6 has its own protocol number, different from ICMPv4's. But still, this rule
allows IPv4 packets using the icmpv6 protocol number to go through when the inet
family is used, which is not correct.

In this particular case, in payload_add_dependency(), I think we should generate a
double dependency. Let me revisit this.
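
The hole described in the comment above, shown with an added example that is not part of the bug report or of netfilter's code: a tiny evaluator for the expression listing that `nft --debug=netlink` prints, covering only the operations that appear above (meta load, payload load from the transport header, cmp eq, one register). The first listing is copied from the comment; the second prefixes it with a `meta load nfproto` / `cmp eq` pair, which is an assumption about what a family dependency would look like in that format (0x0a is NFPROTO_IPV6 from `<linux/netfilter.h>`). The packets are constructed, not captures.

```python
"""Mini nf_tables VM for the --debug=netlink listing (added example, not
netfilter code).  Enough to show that the rule as emitted matches an IPv4
packet whose protocol field is 58, and that an nfproto check in front of it
does not."""
import re
from dataclasses import dataclass

NFPROTO_IPV4 = 2      # values from <linux/netfilter.h>
NFPROTO_IPV6 = 10
IPPROTO_ICMPV6 = 58   # 0x3a in the listing above

@dataclass
class Packet:
    nfproto: int        # L3 family as seen by the inet hook
    l4proto: int        # protocol / next-header number
    transport: bytes    # first bytes of the transport header

# Copied from the bug report: "icmpv6 type 1" in the inet family.
LOOSE_RULE = """
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x0000003a ]
  [ payload load 1b @ transport header + 0 => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
"""

# Assumed shape of a double dependency: family check first, then the
# same L4 and payload checks.  0x0a == NFPROTO_IPV6.
STRICT_RULE = """
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x0000000a ]
""" + LOOSE_RULE

META = re.compile(r"\[ meta load (\w+) => reg (\d+) \]")
CMP = re.compile(r"\[ cmp eq reg (\d+) 0x([0-9a-fA-F]+) \]")
PAYLOAD = re.compile(r"\[ payload load (\d+)b @ transport header \+ (\d+) => reg (\d+) \]")

def parse(text):
    """Turn the debug listing into (op, args...) tuples; reject anything else."""
    ops = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if m := META.match(line):
            ops.append(("meta", m.group(1), int(m.group(2))))
        elif m := CMP.match(line):
            ops.append(("cmp", int(m.group(1)), int(m.group(2), 16)))
        elif m := PAYLOAD.match(line):
            ops.append(("payload", int(m.group(1)), int(m.group(2)), int(m.group(3))))
        else:
            raise ValueError(f"unsupported expression: {line}")
    return ops

def matches(rule_text, pkt):
    """Run the expressions in order; the first failing cmp ends the rule,
    and a payload load past the end of the packet also ends it."""
    regs = {}
    for op in parse(rule_text):
        if op[0] == "meta":
            _, key, reg = op
            regs[reg] = getattr(pkt, key)      # nfproto or l4proto
        elif op[0] == "payload":
            _, length, offset, reg = op
            chunk = pkt.transport[offset:offset + length]
            if len(chunk) < length:
                return False
            regs[reg] = int.from_bytes(chunk, "big")
        else:                                  # cmp
            _, reg, value = op
            if regs.get(reg) != value:
                return False
    return True

# Constructed packets.  ICMPv6 type 1 is destination unreachable.
IPV6_ICMPV6_UNREACH = Packet(NFPROTO_IPV6, IPPROTO_ICMPV6, b"\x01\x00\x00\x00")
# An IPv4 header may carry any protocol number, including 58.
IPV4_PROTO58 = Packet(NFPROTO_IPV4, IPPROTO_ICMPV6, b"\x01\x00\x00\x00")
IPV4_ICMP_ECHO = Packet(NFPROTO_IPV4, 1, b"\x08\x00\x00\x00")

def demo():
    """Return {packet name: (loose rule matches, strict rule matches)}."""
    pkts = {
        "ipv6 icmpv6 unreach": IPV6_ICMPV6_UNREACH,
        "ipv4 proto 58": IPV4_PROTO58,
        "ipv4 icmp echo": IPV4_ICMP_ECHO,
    }
    return {name: (matches(LOOSE_RULE, p), matches(STRICT_RULE, p))
            for name, p in pkts.items()}

if __name__ == "__main__":
    for name, (loose, strict) in demo().items():
        print(f"{name:22} loose={loose!s:5} strict={strict}")
```

The only row that differs between the two columns is the IPv4 packet with protocol 58: the loose listing accepts it because nothing in it looks at the L3 family, while the version with the nfproto check in front rejects it and still accepts the genuine ICMPv6 packet.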
