azet / capirca

Fork: Multi-platform ACL generation system
https://code.google.com/p/capirca
Apache License 2.0

icmp-type usage for iptables has no effect #7

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Define an iptables policy and include the snippet below.

term allow-safe-icmp {
  protocol:: icmp
  icmp-type:: echo-request
  action:: accept
}

2. Run aclgen
3. Verify that icmp-type is seemingly ignored. The generated rule allows all inbound ICMP, which is incorrect.

-N allow-safe-icmp
-A allow-safe-icmp -p icmp -j ACCEPT
-A INPUT -j allow-safe-icmp

What is the expected output? What do you see instead?

I would expect to see the following as possible output instead.

-N allow-safe-icmp
-A allow-safe-icmp -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j allow-safe-icmp

Please use labels and text to provide additional information.

bug, iptables, icmp, echo-request

Original issue reported on code.google.com by kristian...@gmail.com on 26 Apr 2010 at 6:31
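A regression check for the behaviour reported above, added here as an example and not part of capirca or this thread: it parses the icmp-type constraints out of policy terms and flags generated iptables rules whose chain (named after the term) matches `-p icmp` without a matching `--icmp-type`. The policy and rule text are constructed from the report; the function names are my own.

```python
import re

# Constructed inputs modelled on the report: the term from the policy, the
# rules aclgen actually emitted (icmp-type dropped), and the expected rules.
POLICY = """
term allow-safe-icmp {
  protocol:: icmp
  icmp-type:: echo-request
  action:: accept
}
"""
GENERATED_BAD = """
-N allow-safe-icmp
-A allow-safe-icmp -p icmp -j ACCEPT
-A INPUT -j allow-safe-icmp
"""
GENERATED_GOOD = """
-N allow-safe-icmp
-A allow-safe-icmp -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j allow-safe-icmp
"""

TERM_RE = re.compile(r"term\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_icmp_terms(policy):
    """Return {term_name: set(icmp_types)} for terms that set icmp-type."""
    terms = {}
    for name, body in TERM_RE.findall(policy):
        types = set()
        for line in body.splitlines():
            key, sep, val = line.strip().partition("::")
            if sep and key.strip() == "icmp-type":
                types.update(val.split())  # capirca allows several types
        if types:
            terms[name] = types
    return terms


def find_unrestricted_icmp(policy, rules):
    """Names of terms whose ICMP rule lacks --icmp-type or names the wrong type."""
    wanted = parse_icmp_terms(policy)
    bad = set()
    for line in rules.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A" or tok[1] not in wanted:
            continue  # not a rule inside a term chain we care about
        if "-p" not in tok or tok[tok.index("-p") + 1] != "icmp":
            continue
        if "--icmp-type" not in tok or tok[tok.index("--icmp-type") + 1] not in wanted[tok[1]]:
            bad.add(tok[1])
    return sorted(bad)
```

Run against the output of `iptables -S` for a generated chain to confirm the fix instead of eyeballing the rules.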

GoogleCodeExporter commented 9 years ago
same here...

netboot:~# iptables -S allow-safe-icmp
-N allow-safe-icmp
-A allow-safe-icmp -m comment --comment "Allows simple pings from the world"
-A allow-safe-icmp -p icmp -j ACCEPT

netboot:~# iptables --line-numbers -L allow-safe-icmp
Chain allow-safe-icmp (1 references)
num  target     prot opt source               destination
1               all  --  anywhere             anywhere            /* Allows simple pings from the world */
2    ACCEPT     icmp --  anywhere             anywhere

netboot:~# apt-cache policy iptables capirca linux-image-amd64
iptables:
  Installed: 1.4.2-6
  Candidate: 1.4.2-6
  Version table:
 *** 1.4.2-6 0
        500 http://example.com lenny/main Packages
        100 /var/lib/dpkg/status
capirca:
  Installed: 1.0.r98-1+kfx.1
  Candidate: 1.0.r98-1+kfx.1
  Version table:
 *** 1.0.r98-1+kfx.1 0
       1005 http://example.com lenny/main Packages
        100 /var/lib/dpkg/status

netboot:~# uname -a
Linux netboot.example.com 2.6.32-trunk-amd64 #1 SMP Sun Jan 10 22:40:40 UTC 2010 x86_64 GNU/Linux

I guess I should write a patch ...

Original comment by j...@kidfixit.com on 12 Jun 2010 at 2:44

GoogleCodeExporter commented 9 years ago
I've made a major change recently to standardize icmp-types across the various generators. All the generators should now properly validate and generate correct icmp types in their output.

For more details, see 
http://code.google.com/p/capirca/wiki/PolicyFormat#ICMP_TYPES

Original comment by watson@google.com on 12 Jul 2011 at 7:05