[firewall] coalesced syntax for multiple ICMP IPv6 codes?

anon45274024 · November 21, 2019, 5:33pm

4.19.84 kernel (Master branch)
firewall 2019-09-23-daed0cf9-1.2

@jow trying to fine grain the ICMP IPv6 portion of the firewall

list icmp_type '4/0' works for instance but various attetmps with multiple ICMP type codes:

list icmp_type '4/0,1,2,3'
list icmp_type '4/0, 1, 2, 3'
list icmp_type '4/0;1;2;3'
list icmp_type '4/0:1:2:3'
list icmp_type '4/0-1-2-3'

throwing an error.

icmp_type has invalid value

Lastly tried

list icmp_type '4/0123'

which does not throw an error but exhibits in LuCI as

ipv6-icmptype 4 code 123

which does not seem correct since code 0 is missing, that either being a LuCI issue or the codes being incorrect.

The available documentation unfortunately has nothing on the subject. And having looked into the source code of icmp_codes.h I failed to understand what the correct syntax would be.

shm0 · November 21, 2019, 6:17pm

maybe like this?

list icmp_type '4/0'
list icmp_type '4/1'
list icmp_type '4/2'
list icmp_type '4/3'

anon45274024 · November 21, 2019, 6:43pm

That works for each line

I was looking for coalesced syntax though, similar to what is exhibited in the source code ^[1]

^[1] https://git.openwrt.org/?p=project/firewall3.git;a=blob;f=icmp_codes.h;h=063f829c9c188c634e14e294c1a4db14394451c7;hb=HEAD

lleachii · November 21, 2019, 6:46pm

I personally have (generated from LuCI):

	option proto 'icmp'
	option family 'ipv6'
	list icmp_type 'parameter-problem'

Good to know that syntax works too.

(BTW, you're missing 4/4.)

anon45274024 · November 21, 2019, 6:53pm

That does not permit fine graining the ICMP codes since it just sets predefined values.

With just list icmp_type '<type>' it applies all codes pertinent to that type.

lleachii · November 21, 2019, 7:14pm

Corrected, the OP had 4 our of 5 anyways.

Huh, no clue what you're talking about. You listed 4 out of 5 parameter-problem codes (i.e. 4/0, 4/1, 4/1 and 4/3), so I noted you missed 4/4 too. Are you trying to add more types of ICMPv6 types other than parameter-problem?

See for all ICMPv6 Types: https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml

anon45274024 · November 21, 2019, 7:18pm

I just took type 4 as a sample for getting feedback on a coalesced syntax since I thought that might be better than working with abstracts, but not really to debate the merits of particular type/code settings in the fw.

lleachii · November 21, 2019, 7:20pm

OK, then yes, fine grained would be:

list icmp_type '<type>/<code>'

That was correct then.

anon45274024 · November 21, 2019, 7:30pm

Which however is curious with

since there is no code 123. That is I am wondering whether such coalesced syntax is correct and the issue is in LuCI not exhibiting the code 0 or whether the syntax is just sort of bogus - but then I would have expected fw to throw an error which is does not however.

anon45274024 · November 21, 2019, 7:52pm

It is not LuCI for sure because from cli ip6tables -L -n -v it prints the same

ipv6-icmptype 4 code 123

lleachii · November 21, 2019, 8:01pm

OK, first - I don't see exactly what you see:

Screenshot%20from%202019-11-21%2014-48-33

Although, this does appear in the firewall as 123. I'm certain a multi-digit code beginning with a 0 is not standard (looking at the IANA site) - so 0123 is interpreted as 123. Also typing 0123 doesn't (by syntax) specify codes 0 thru 3.

Additionally, you noted, there's no code 0123, but (from experience) I'm not surprised that undefined types are applying instead of throwing errors. Otherwise all routers and firewalls must be immediately upgraded if new ICMP types are formally defined, even temporary ones for reserved and testing. See the IANA page where many ICMP types have ranges of undefined codes.

I'm not sure why you're trying to put all code-types in one line. Is that your specific request or do you have a reason to believe this one-line syntax should work?
Is there an issue making a line for each type in the same rule?

Otherwise, I advice you create ICMPv6 rules as @shm0 noted:

anon45274024 · November 21, 2019, 8:06pm

Having looked into ^[2] it would appear that a coalesced syntax is not catered for and it requires single syntax lines for each <type>/<code> instead

^[2] https://git.netfilter.org/iptables/tree/extensions/libip6t_icmp6.man?id=bf97128c7262f17a02fec41cdae75b472ba77f88

I just like to keep code neat and tidy and to the minimum and prefer coalescing when possible.

Not in general, just more typing/bytes.

jow · November 22, 2019, 9:54am

Use option icmp_type '4/0 4/1 4/2 4/3'. The uci firewall usually accepts space separated instead of list notation for all list values.

The uci list keyword always specifies a single list value.

anon45274024 · November 22, 2019, 10:12am

That works indeed but has the drawback that other list icmp_type in the same ruleset are dropped, as intended by design. Thus a bit of a chicken vs. egg variety but not an issue to dwell on.

system · December 2, 2019, 10:12am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.