<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - "icmpv6 code" test returns wrong data type."
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1276#c1">Comment # 1</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - "icmpv6 code" test returns wrong data type."
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1276">bug 1276</a>
from <span class="vcard"><a class="email" href="mailto:sabitov@sabitov.su" title="Andrew A. Sabitov <sabitov@sabitov.su>"> <span class="fn">Andrew A. Sabitov</span></a>
</span></b>
<pre>I'd like to use a set (concatenation) of icmpv6 type and icmpv6 code and check
incoming icmpv6 traffic against it.
Something like this:
add set inet fw input_public_icmpv6_types { type icmpv6_type . icmpv6_code
; }
add element inet fw input_public_icmpv6_types { 1 . 0 } # no route to
destination
add element inet fw input_public_icmpv6_types { 1 . 1 } # communication with
destination administratively prohibited
add element inet fw input_public_icmpv6_types { 1 . 2 } # beyond scope of
source address
add element inet fw input_public_icmpv6_types { 1 . 3 } # address unreachable
add element inet fw input_public_icmpv6_types { 1 . 4 } # port unreachable
# ... and so on
add rule inet fw input_icmpv6 \
ip6 daddr {::1, ff00::/8, fe80::/10, ff02::/64, 2000::/3 } \
icmpv6 type . icmpv6 code @input_public_icmpv6_types \
limit rate 15/minute \
accept
"add rule" command returns an error:
In file included from ./nft-inet-pea.nft:56:1-47:
/etc/firewall/nft-inet-pea-input.nft:253:23-33: Error: can not use variable
sized data types (integer) in concat expressions
icmpv6 type . icmpv6 code @input_public_icmpv6_types \
~~~~~~~~~~~~~~^^^^^^^^^^^
As I can see "icmpv6 code" returns "integer" type instead of icmpv6_code.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>