# ip6tables -p icmpv6 -h
my $icmpv6_type_names = {
- 'any' => 1,
'destination-unreachable' => 1,
'no-route' => 1,
'communication-prohibited' => 1,
+ 'beyond-scope' => 1,
'address-unreachable' => 1,
'port-unreachable' => 1,
+ 'failed-policy' => 1,
+ 'reject-route' => 1,
'packet-too-big' => 1,
'time-exceeded' => 1,
'ttl-zero-during-transit' => 1,
'redirect' => 1,
};
+my $is_valid_icmp_type = sub {
+ my ($type, $valid_types) = @_;
+
+ if ($type =~ m/^\d+$/) {
+ # values for icmp-type range between 0 and 255 (8 bit field)
+ die "invalid icmp-type '$type'\n" if $type > 255;
+ } else {
+ die "unknown icmp-type '$type'\n" if !defined($valid_types->{$type});
+ }
+};
+
sub init_firewall_macros {
$pve_fw_parsed_macros = {};
}
}
- die "ICPM ports not allowed in port range\n" if $icmp_port && $count > 0;
+ die "ICMP ports not allowed in port range\n" if $icmp_port && $count > 0;
# I really don't like to use the word number here, but it's the only thing
# that makes sense in a literal way. The range 1:100 counts as 2, not as
my $multisport = defined($rule->{sport}) && parse_port_name_number_or_range($rule->{sport}, 0);
my $add_dport = sub {
- return if !$rule->{dport};
+ return if !defined($rule->{dport});
+ # NOTE: we re-use dport to store --icmp-type for icmp* protocol
if ($proto eq 'icmp') {
- # Note: we use dport to store --icmp-type
- die "unknown icmp-type '$rule->{dport}'\n"
- if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
+ $is_valid_icmp_type->($rule->{dport}, $icmp_type_names);
push @match, "-m icmp --icmp-type $rule->{dport}";
} elsif ($proto eq 'icmpv6') {
- # Note: we use dport to store --icmpv6-type
- die "unknown icmpv6-type '$rule->{dport}'\n"
- if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
+ $is_valid_icmp_type->($rule->{dport}, $icmpv6_type_names);
push @match, "-m icmpv6 --icmpv6-type $rule->{dport}";
} elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) {
die "protocol $proto does not have ports\n";
} elsif ($multidport) {
push @match, "--match multiport", "--dports $rule->{dport}";
} else {
+ return if !$rule->{dport};
push @match, "--dport $rule->{dport}";
}
};