From 6f221d65193cda838e241a18dd07b6da2ae22f78 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Wed, 29 Nov 2023 17:02:07 +0100
Subject: [PATCH 06/22] v2.1.0: feat(icmp): add ICMPv6 Multicast Listener Discovery (MLD) types

Note that ip6tables does not support these ICMPv6 types. Currently, the name of the ICMP types in firewalld must correspond to the names in iptables. As ip6tables doesn't support it, it does not. If ip6tables adds support for "mld-listener-query", but calls it differently, we have a problem. Nothing that can be done about that.

`man nft` also lists an alias "mld-listener-reduction" (for "mld-listener-done", type 132). That alias is not supported. Use the name as from RFC 4890.

(cherry picked from commit dd88bbf812e0a50766b69c2bf12470ecf9d2466a)
---
 config/Makefile.am | 4 ++++
 config/icmptypes/mld-listener-done.xml | 7 +++++++
 config/icmptypes/mld-listener-query.xml | 7 +++++++
 config/icmptypes/mld-listener-report.xml | 7 +++++++
 config/icmptypes/mld2-listener-report.xml | 7 +++++++
 po/POTFILES.in | 4 ++++
 src/firewall/core/nftables.py | 4 ++++
 7 files changed, 40 insertions(+)
 create mode 100644 config/icmptypes/mld-listener-done.xml
 create mode 100644 config/icmptypes/mld-listener-query.xml
 create mode 100644 config/icmptypes/mld-listener-report.xml
 create mode 100644 config/icmptypes/mld2-listener-report.xml
diff --git a/config/Makefile.am b/config/Makefile.am
index 47f30c1566e0..edae25fd9de0 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -83,6 +83,10 @@ CONFIG_FILES = \
 icmptypes/host-unknown.xml \
 icmptypes/host-unreachable.xml \
 icmptypes/ip-header-bad.xml \
+ icmptypes/mld-listener-done.xml \
+ icmptypes/mld-listener-query.xml \
+ icmptypes/mld-listener-report.xml \
+ icmptypes/mld2-listener-report.xml \
 icmptypes/neighbour-advertisement.xml \
 icmptypes/neighbour-solicitation.xml \
 icmptypes/network-prohibited.xml \
diff --git a/config/icmptypes/mld-listener-done.xml b/config/icmptypes/mld-listener-done.xml
new file mode 100644
index 000000000000..09b8bbba5b90
--- /dev/null
+++ b/config/icmptypes/mld-listener-done.xml
@@ -0,0 +1,7 @@
+
+
+ MLD Listener Done
+ ICMPv6 Link-Local Multicast Listener Discovery (MDL) of type Multicast Listener Done (type 132) (RFC 4890 section 4.4.1). Also known as mld-listener-reduction to nft.
+
+
+
diff --git a/config/icmptypes/mld-listener-query.xml b/config/icmptypes/mld-listener-query.xml
new file mode 100644
index 000000000000..418685578d1d
--- /dev/null
+++ b/config/icmptypes/mld-listener-query.xml
@@ -0,0 +1,7 @@
+
+
+ MLD Listener Query
+ ICMPv6 Link-Local Multicast Listener Discovery (MDL) of type Multicast Listener Query (type 130) (RFC 4890 section 4.4.1).
+
+
+
diff --git a/config/icmptypes/mld-listener-report.xml b/config/icmptypes/mld-listener-report.xml
new file mode 100644
index 000000000000..98fb4161b298
--- /dev/null
+++ b/config/icmptypes/mld-listener-report.xml
@@ -0,0 +1,7 @@
+
+
+ MLD Listener Report
+ ICMPv6 Link-Local Multicast Listener Discovery (MDL) of type Multicast Listener Report (type 131) (RFC 4890 section 4.4.1).
+
+
+
diff --git a/config/icmptypes/mld2-listener-report.xml b/config/icmptypes/mld2-listener-report.xml
new file mode 100644
index 000000000000..faee68c95b20
--- /dev/null
+++ b/config/icmptypes/mld2-listener-report.xml
@@ -0,0 +1,7 @@
+
+
+ MLDv2 Multicast Listener Report
+ ICMPv6 Link-Local Multicast Listener Discovery (MDLv2) of type Multicast Listener Report (type 143) (RFC 4890 section 4.4.1).
+
+
+
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 1c990542ac4d..adeebdee3f55 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
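Review bot: The description text in all four new icmptype files abbreviates the protocol as "MDL" ("Multicast Listener Discovery (MDL)", and "(MDLv2)" in mld2-listener-report.xml) while the short names and file names use MLD; this is user-visible text that is also handed to translators via po/POTFILES.in, so it should read `Multicast Listener Discovery (MLD)` and `(MLDv2)` before the strings get translated. The sentence `Also known as mld-listener-reduction to nft.` in mld-listener-done.xml can be read as firewalld accepting that name, which the commit message says it does not; `nft also accepts the alias mld-listener-reduction for this type; firewalld does not.` states the same fact without the ambiguity. The element tags of these files are not visible in this rendering, so the family/destination markup that restricts them to IPv6 cannot be confirmed from the hunk.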
@@ -15,6 +15,10 @@ config/icmptypes/host-redirect.xml
 config/icmptypes/host-unknown.xml
 config/icmptypes/host-unreachable.xml
 config/icmptypes/ip-header-bad.xml
+config/icmptypes/mld-listener-done.xml
+config/icmptypes/mld-listener-query.xml
+config/icmptypes/mld-listener-report.xml
+config/icmptypes/mld2-listener-report.xml
 config/icmptypes/neighbour-advertisement.xml
 config/icmptypes/neighbour-solicitation.xml
 config/icmptypes/network-prohibited.xml
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 6ad4b9168403..3df3fa3c3742 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -140,6 +140,10 @@ ICMP_TYPES_FRAGMENTS = {
 "echo-reply": _icmp_types_fragments("icmpv6", "echo-reply"),
 "echo-request": _icmp_types_fragments("icmpv6", "echo-request"),
 "failed-policy": _icmp_types_fragments("icmpv6", "destination-unreachable", 5),
+ "mld-listener-done": _icmp_types_fragments("icmpv6", "mld-listener-done"),
+ "mld-listener-query": _icmp_types_fragments("icmpv6", "mld-listener-query"),
+ "mld-listener-report": _icmp_types_fragments("icmpv6", "mld-listener-report"),
+ "mld2-listener-report": _icmp_types_fragments("icmpv6", "mld2-listener-report"),
 "neighbour-advertisement": _icmp_types_fragments("icmpv6", "nd-neighbor-advert"),
 "neighbour-solicitation": _icmp_types_fragments("icmpv6", "nd-neighbor-solicit"),
 "no-route": _icmp_types_fragments("icmpv6", "destination-unreachable", 0),
-- 
2.43.5
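Review bot: The four new `ICMP_TYPES_FRAGMENTS` entries carry none of the context the commit message gives — that the keys must equal the config/icmptypes file names, that the values are nft's symbolic icmpv6 type names, and that ip6tables has no counterpart — so the next maintainer who sees an nftables-only group has nothing in the code to explain it. A comment above the group would keep that knowledge where it is needed, e.g. `# MLD types (RFC 4890 section 4.4.1); nftables-only, ip6tables has no names for these ICMPv6 types.` The symbolic names are presumably resolved by libnftables when the rule is loaded, so if the project's minimum supported nftables release predates any of them (mld2-listener-report being the likeliest), a zone that enables the type would fail at rule-load time rather than at configuration time; worth confirming against the minimum version, since nothing in this hunk checks it. Likewise, whether the iptables backend refuses these icmptype names with a clear error rather than silently producing no rule is outside this hunk and worth a test. The enclosing `ICMP_TYPES_FRAGMENTS` literal begins and ends outside the hunk.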