[Bug 1276] "icmpv6 code" test returns wrong data type.
bugzilla-daemon at netfilter.org
Tue Sep 4 06:45:02 CEST 2018
https://bugzilla.netfilter.org/show_bug.cgi?id=1276
--- Comment #1 from Andrew A. Sabitov <sabitov at sabitov.su> ---
I'd like to use a set (concatenation) of icmpv6 type and icmpv6 code and check
incoming icmpv6 traffic against it.
Something like this:
add set inet fw input_public_icmpv6_types { type icmpv6_type . icmpv6_code ; }
add element inet fw input_public_icmpv6_types { 1 . 0 } # no route to destination
add element inet fw input_public_icmpv6_types { 1 . 1 } # communication with destination administratively prohibited
add element inet fw input_public_icmpv6_types { 1 . 2 } # beyond scope of source address
add element inet fw input_public_icmpv6_types { 1 . 3 } # address unreachable
add element inet fw input_public_icmpv6_types { 1 . 4 } # port unreachable
# ... and so on
add rule inet fw input_icmpv6 \
ip6 daddr {::1, ff00::/8, fe80::/10, ff02::/64, 2000::/3 } \
icmpv6 type . icmpv6 code @input_public_icmpv6_types \
limit rate 15/minute \
accept
The "add rule" command returns an error:
In file included from ./nft-inet-pea.nft:56:1-47:
/etc/firewall/nft-inet-pea-input.nft:253:23-33: Error: can not use variable sized data types (integer) in concat expressions
icmpv6 type . icmpv6 code @input_public_icmpv6_types \
~~~~~~~~~~~~~~^^^^^^^^^^^
As far as I can see, "icmpv6 code" returns the "integer" type instead of icmpv6_code.
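
Added example, not part of the original report and not nftables code: a Python model of the lookup the rule above is meant to perform, packing the ICMPv6 type and code (one byte each in the ICMPv6 header) into a fixed-width key and checking it against the five type . code pairs listed in the report. The function names and the sample messages are constructed for illustration.

```python
import struct

# Allowlist from the report: (type, code) pairs for ICMPv6 type 1
# (destination unreachable). Descriptions are the reporter's comments.
ALLOWED = {
    (1, 0): "no route to destination",
    (1, 1): "communication with destination administratively prohibited",
    (1, 2): "beyond scope of source address",
    (1, 3): "address unreachable",
    (1, 4): "port unreachable",
}

def concat_key(icmp_type, icmp_code):
    """Build a concatenated key from two fixed-width 8-bit fields."""
    for name, value in (("type", icmp_type), ("code", icmp_code)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"icmpv6 {name} {value} does not fit in 8 bits")
    return struct.pack("!BB", icmp_type, icmp_code)

ALLOWED_KEYS = {concat_key(t, c) for (t, c) in ALLOWED}

def parse_type_code(icmpv6):
    """Return (type, code) from the first two bytes of an ICMPv6 message."""
    if len(icmpv6) < 4:  # type, code and the 16-bit checksum are mandatory
        raise ValueError("truncated ICMPv6 header")
    icmp_type, icmp_code, _checksum = struct.unpack("!BBH", icmpv6[:4])
    return icmp_type, icmp_code

def is_allowed(icmpv6):
    """True if the message's type . code key is in the allowlist.

    Truncated input never matches."""
    try:
        return concat_key(*parse_type_code(icmpv6)) in ALLOWED_KEYS
    except ValueError:
        return False

# Constructed sample messages (checksum left as zero, not validated here).
SAMPLES = {
    "port unreachable": bytes([1, 4, 0, 0, 0, 0, 0, 0]),
    "unlisted code 5": bytes([1, 5, 0, 0, 0, 0, 0, 0]),
    "echo request": bytes([128, 0, 0, 0, 0, 1, 0, 1]),
    "truncated": bytes([1]),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:18} -> {'accept' if is_allowed(msg) else 'no match'}")
```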