(#10164) Reject and document icmp => "any" #60
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
iptables accepts the string "any" as an ICMP type and stores it behind the scenes as the fake (IANA reserved) numeric 255. This is functionally equivalent to not specifying an `--icmp-type` argument. ip6tables didn't carry this "feature" over. Like many other providers, the matching of any ICMP packet type is only achieved by omitting the `--icmpv6-type` arugment. For the purpose of simpler logic and future provider compatibility we prevent people from using the value "any" and advise them to omit/undefine the param instead. Include a test that somewhat duplicates the prevention of invalid strings but would preserve this behaviour should icmp_name_to_number() ever change.
kbarber
added a commit
that referenced
this pull request
Jun 9, 2012
(#10164) Reject and document icmp => "any"
cegeka-jenkins
pushed a commit
to cegeka/puppet-firewall
that referenced
this pull request
Oct 23, 2017
(#10164) Reject and document icmp => "any"
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Revised approach for PR #57 and #52.
iptables accepts the string "any" as an ICMP type and stores it behind the
scenes as the fake (IANA reserved) numeric 255. This is functionally
equivalent to not specifying an
--icmp-typeargument.ip6tables didn't carry this "feature" over. Like many other providers, the
matching of any ICMP packet type is only achieved by omitting the
--icmpv6-typearugment.For the purpose of simpler logic and future provider compatibility we
prevent people from using the value "any" and advise them to omit/undefine
the param instead.
Include a test that somewhat duplicates the prevention of invalid strings
but would preserve this behaviour should icmp_name_to_number() ever change.
It's worth noting that
icmp => 255will continue to cause the iptables provider to flap state. I don't think this is terribly important though, since it is effectively a hidden feature of iptable's implementation.