Bug 1401978
Summary: | icmptypes list is incomplete which could affect ipv6 in icmp-block-inversion mode | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Tomas Dolezal <todoleza> |
Component: | firewalld | Assignee: | Thomas Woerner <twoerner> |
Status: | CLOSED ERRATA | QA Contact: | Tomas Dolezal <todoleza> |
Severity: | medium | Docs Contact: | Mirek Jahoda <mjahoda> |
Priority: | high | | |
Version: | 7.3 | CC: | mjahoda, todoleza |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | *firewalld* now supports all ICMP types. Previously, the Internet Control Message Protocol (ICMP) type list was not complete. As a consequence, some ICMP types such as `packet-too-big` could not be blocked or allowed. With this update, support for additional ICMP types has been added, and the *firewalld* service daemon can now handle all ICMP types. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2017-08-01 16:22:56 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1400961 | | |
Description
Tomas Dolezal
2016-12-06 13:57:14 UTC
Here is a list of deprecated ICMP types: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

I think it would be good not to add these.

Running a script to verify the missing ones, I got this list (including the deprecated):

address-mask-reply
address-mask-request
address-unreachable
bad-header
beyond-scope
communication-prohibited
failed-policy
fragmentation-needed
host-precedence-violation
host-prohibited
host-redirect
host-unknown
host-unreachable
ip-header-bad
neighbour-advertisement
neighbour-solicitation
network-prohibited
network-redirect
network-unknown
network-unreachable
no-route
packet-too-big
port-unreachable
precedence-cutoff
protocol-unreachable
reject-route
required-option-missing
source-route-failed
tos-host-redirect
tos-host-unreachable
tos-network-redirect
tos-network-unreachable
ttl-zero-during-reassembly
ttl-zero-during-transit
unknown-header-type
unknown-option

I already left out "any". That has been done on Fedora 25.

I believe the deprecated ICMP type names may be omitted. According to the IANA link above, the deprecated types were superseded or they 'were never widely deployed or implemented'.
Deprecated icmp type names can still be specified manually in direct rules if needed.

Fixed upstream: https://github.com/t-woerner/firewalld/commit/2b092eae0e6d2b8acce7c73abeed234bbfb89c17

Here are the fixes to test icmp types before trying to use them:

- firewall.core.ipXtables: New method supported_icmp_types
  https://github.com/t-woerner/firewalld/commit/afab04d64144ae9a44dabd576988c0ea187e763e
- firewall.core.fw: New attributes ip{4,6}tables_supported_icmp_types
  https://github.com/t-woerner/firewalld/commit/4fcd7aa4d306be8e25b490a2d67401bc25defabe
- firewall.core.fw_icmptype: Add ICMP type only if the type is supported
  https://github.com/t-woerner/firewalld/commit/ef8df93df775fb09028ba7a8a63a043042e33591
- firewall.server.firewalld: Provide information about the supported icmp types
  https://github.com/t-woerner/firewalld/commit/44a5a56a14584eac3757cc0c9c7941a17859261b
- firewall.core.fw: Show icmptypes and ipsets with type errors in permanent env
  https://github.com/t-woerner/firewalld/commit/f82a8d625a57842185087433f9409512646a86d1

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1934
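As an added illustration (not firewalld's own code) of the two points this report and the upstream fixes make: a definition should only be used where the backend supports the name, and an icmptype that has no definition, such as `packet-too-big`, can neither be blocked in normal mode nor allowed in icmp-block-inversion mode. The supported-name sets and icmptype definitions are constructed samples, and the accept/reject outcomes are a simplified model of the zone rules firewalld generates, not its actual rule text.

```python
from typing import Dict, Set

# Constructed: ICMP type names the local iptables / ip6tables accept. A real
# check would parse `iptables -p icmp -h` and `ip6tables -p ipv6-icmp -h`.
BACKEND_SUPPORTED: Dict[str, Set[str]] = {
    "ipv4": {"echo-request", "echo-reply", "destination-unreachable",
             "time-exceeded", "redirect"},
    "ipv6": {"echo-request", "echo-reply", "destination-unreachable",
             "packet-too-big", "time-exceeded", "parameter-problem",
             "neighbour-solicitation", "neighbour-advertisement"},
}

# Constructed firewalld icmptype definitions (name -> families the definition
# claims). "packet-too-big" is deliberately absent, as in the bug.
KNOWN_ICMPTYPES: Dict[str, Set[str]] = {
    "echo-request": {"ipv4", "ipv6"},
    "echo-reply": {"ipv4", "ipv6"},
    "destination-unreachable": {"ipv4", "ipv6"},
    "time-exceeded": {"ipv4", "ipv6"},
    "parameter-problem": {"ipv4", "ipv6"},
    "neighbour-solicitation": {"ipv6"},
}

def usable_icmptypes(known, supported):
    """Gate as the upstream fix does: keep a definition only for the families
    in which the backend knows the name. Returns (usable, dropped)."""
    usable, dropped = {}, {}
    for name, families in known.items():
        ok = {f for f in families if name in supported[f]}
        if ok:
            usable[name] = ok
        if families - ok:
            dropped[name] = families - ok
    return usable, dropped

def policy(family, wire_type, icmp_blocks, inversion, usable):
    """Fate of an ICMP packet of `wire_type` under a zone's icmp-block list.
    A listed type yields a rule only if its definition is usable for the
    family. Normal mode rejects listed types and passes the rest; inversion
    mode passes listed types and a catch-all rejects everything else."""
    has_rule = wire_type in icmp_blocks and family in usable.get(wire_type, set())
    if inversion:
        return "accept" if has_rule else "reject"
    return "reject" if has_rule else "accept"

def unallowable_types(family, usable, supported):
    """Backend-known types no usable definition covers: exactly the ones an
    inversion-mode zone rejects regardless of configuration."""
    return {t for t in supported[family] if family not in usable.get(t, set())}
```

For an IPv6 zone with inversion enabled, `unallowable_types` lists the traffic that will be rejected no matter what the administrator adds to the block list, which is why a missing `packet-too-big` definition silently breaks path MTU discovery.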