[Ferm] ferm @if condition

Joel Johnson mrjoel at lixil.net
Mon Jan 6 23:44:14 CET 2014 

On 2014-01-06 13:12, Kiss Gabor (Bitman) wrote:
>> > proto icmp @subchain "icmp" {
>> >     ACCEPT icmp-type $ICMP_COMMON;
>> >     @if @eq($DOMAIN, ip) {
>> >         ACCEPT icmp-type $ICMP_V4;
>> >     }
>> >     @if @eq($DOMAIN, ip6) {
>> >         ACCEPT icmp-type $ICMP_V6;
>> >     }
>> > }
> 
>> Thanks, that doesn't get what I'm after though. It tries to apply 
>> protocol
>> icmp to the ip6 domain which is invalid, it must be ipv6-icmp (or 
>> icmpv6 as a
> 
> "tries"? :-o
> It works for me.
> What version do you have?
> My Ferm 2.1 simply accept "icmp" in domain ip6 too.
> 
> g

It works as in ip6tables applies the rules yes, but it doesn't work as 
in actual network functionality expected. It is accepted (presumably) as 
valid syntax only for technical completeness in some oddball/arcane 
usages (perhaps you want to tunnel/bridge only your IPv4 icmp over 
native IPv6 between two endpoints?).

Since IPv4 and IPv6 share the same protocol number list, icmp is 
technically valid in an IPv6 Next header field, but it is pretty 
nonsensical in normal cases. If using IPv6, one should normally (always 
unless you know for sure you shouldn't) expect to use the ipv6-icmp 
protocol, which differs from regular icmp due to additions of 
neighbor/link/router discovery, multicast management and the like.

To demonstrate, run the following to ensure that the first run matched 
drops all icmp (old IPv4 version).

     ip6tables -I INPUT 1 -p icmp -j DROP;

Now, run $(ping6 hostname) and note that request/replies are still 
passed since they're using echo-request and echo-reply inside the 
ipv6-icmp protocol (id 58) instead of the icmp protocol (id 1).

Then, run the following, which replaces icmp with ipv6-icmp and then the 
ping6 will fail.

     ip6tables -I INPUT 1 -p ipv6-icmp -j DROP;

Don't leave echo request/response disabled, but it highlights the 
difference between the protocols, and hopefully also why I (and 
everyone) should need to be able to provide a separate icmp and 
ipv6-icmp protocol section.

:)

Joel

More information about the Ferm mailing list