[Ferm] [PATCH] Map ICMP to ICMP6 in REJECT's reject-with

Faidon Liambotis paravoid at debian.org
Mon Jul 11 15:46:37 CEST 2011 

Ferm currently allows the use of "icmp-type" in ip6 domains and
automatically maps it to icmp6-type.

That's not the case for REJECT's target --reject-with, which would be
especially useful for constructs like:

    domain (ip ip6) chain INPUT {
        proto tcp dport 22 REJECT reject-with icmp-admin-prohibited;
    }

Implement the above and try to also be (too?) smart and map all the
possible iptables arguments to their respective ip6tables, which is not
always a 1:1 mapping.
---
 src/ferm              |   14 ++++++++++++++
 test/ipv6/icmp.ferm   |    1 +
 test/ipv6/icmp.result |    1 +
 3 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/src/ferm b/src/ferm
index 5fab46d..60d69e8 100755
--- a/src/ferm
+++ b/src/ferm
@@ -1449,9 +1449,23 @@ sub shell_format_option($$) {
 
 sub format_option($$$) {
     my ($domain, $name, $value) = @_;
+
     $value = 'icmpv6' if $domain eq 'ip6' and $name eq 'protocol'
       and $value eq 'icmp';
     $name = 'icmpv6-type' if $domain eq 'ip6' and $name eq 'icmp-type';
+
+    if ($domain eq 'ip6' and $name eq 'reject-with') {
+        my %icmp_map = (
+            'icmp-net-unreachable'  => 'icmp6-no-route',
+            'icmp-host-unreachable' => 'icmp6-addr-unreachable',
+            'icmp-port-unreachable' => 'icmp6-port-unreachable',
+            'icmp-net-prohibited'   => 'icmp6-adm-prohibited',
+            'icmp-host-prohibited'  => 'icmp6-adm-prohibited',
+            'icmp-admin-prohibited' => 'icmp6-adm-prohibited',
+        );
+        $value = $icmp_map{$value} if exists $icmp_map{$value};
+    }
+
     return shell_format_option($name, $value);
 }
 
diff --git a/test/ipv6/icmp.ferm b/test/ipv6/icmp.ferm
index 969e94c..e092720 100644
--- a/test/ipv6/icmp.ferm
+++ b/test/ipv6/icmp.ferm
@@ -2,4 +2,5 @@
 domain ip6 chain INPUT {
     proto icmp ACCEPT;
     proto icmp icmp-type redirect DROP;
+    proto tcp dport 22 REJECT reject-with icmp-admin-prohibited;
 }
diff --git a/test/ipv6/icmp.result b/test/ipv6/icmp.result
index f6773de..ee3a48a 100644
--- a/test/ipv6/icmp.result
+++ b/test/ipv6/icmp.result
@@ -1,2 +1,3 @@
 ip6tables -t filter -A INPUT -p icmpv6 -j ACCEPT
 ip6tables -t filter -A INPUT -p icmpv6 --icmpv6-type redirect -j DROP
+ip6tables -t filter -A INPUT -p tcp --dport 22 -j REJECT --reject-with icmp6-adm-prohibited
-- 
1.7.2.5

More information about the Ferm mailing list