(#10164) Reject and document icmp => "any" #60
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Revised approach for PR #57 and #52.
iptables accepts the string "any" as an ICMP type and stores it behind the
scenes as the fake (IANA reserved) numeric 255. This is functionally
equivalent to not specifying an
--icmp-type
argument.ip6tables didn't carry this "feature" over. Like many other providers, the
matching of any ICMP packet type is only achieved by omitting the
--icmpv6-type
arugment.For the purpose of simpler logic and future provider compatibility we
prevent people from using the value "any" and advise them to omit/undefine
the param instead.
Include a test that somewhat duplicates the prevention of invalid strings
but would preserve this behaviour should icmp_name_to_number() ever change.
It's worth noting that
icmp => 255
will continue to cause the iptables provider to flap state. I don't think this is terribly important though, since it is effectively a hidden feature of iptable's implementation.