<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:pablo@netfilter.org" title="Pablo Neira Ayuso <pablo@netfilter.org>"> <span class="fn">Pablo Neira Ayuso</span></a>
</span> changed
<a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - inet-service vs icmp conflict"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1073">bug 1073</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">Status</td>
<td>NEW
</td>
<td>ASSIGNED
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - inet-service vs icmp conflict"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1073#c3">Comment # 3</a>
on <a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - inet-service vs icmp conflict"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1073">bug 1073</a>
from <span class="vcard"><a class="email" href="mailto:pablo@netfilter.org" title="Pablo Neira Ayuso <pablo@netfilter.org>"> <span class="fn">Pablo Neira Ayuso</span></a>
</span></b>
<pre>The following patch that I'm attaching seems to work here.
However, this generates a bit loose bytecode:
# nft --debug=netlink add rule inet x y icmpv6 type 1
inet x y
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
[ payload load 1b @ transport header + 0 => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
Note that meta load l4proto fetches the layer 4 protocol number. Hopefully,
ICMPv6 has its own protocol number different from ICMPv4. But still, this rule
allows IPv4 packets using icmpv6 protocol number going through when the inet
family is used, which is not correct.
In this particular case, payload_add_dependency() I think we should generate a
double dependency. Let me revisit this.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>