Bug 1571938
| Summary: | nftables: man page gives wrong keyword for "reject with icmp6" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Eric Garver <egarver> |
| Component: | nftables | Assignee: | Phil Sutter <psutter> |
| Status: | CLOSED ERRATA | QA Contact: | Jiri Peska <jpeska> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.6 | CC: | jpeska, todoleza |
| Target Milestone: | rc | Keywords: | ManPageChange |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Fixed In Version: | nftables-0.8-9.el7 | Doc Type: | If docs needed, set a value |
| Last Closed: | 2018-10-30 10:38:13 UTC | Type: | Bug |
Fix submitted upstream: https://marc.info/?l=netfilter-devel&m=152827540006707&w=2

Upstream accepted:

    commit 9b3036bb9f00d6e244ed92e0e782c5617ae40b84 (origin/master, origin/HEAD)
    Author: Phil Sutter <phil>
    Date:   Wed Jun 6 10:56:26 2018 +0200

        nft.8: Fix reject statement documentation

        First of all, 'with icmp6' is invalid, expected is 'with icmpv6'. In
        addition to that, parameter 'type' expects an icmp*_code type, not
        icmp*_type. The respective table column was already correct, but in
        synopsis it was wrong.

        Signed-off-by: Phil Sutter <phil>
        Signed-off-by: Florian Westphal <fw>

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3154

The keyword that nft actually accepts is "icmpv6". e.g.

    # nft add table inet firewalld
    [root@dev-rhel7 firewalld]# nft add chain inet firewalld blah { type filter hook input priority 0 \; }
    [root@dev-rhel7 firewalld]# nft add rule inet firewalld blah meta nfproto ipv6 reject with icmp6 type admin-prohibited
    Error: syntax error, unexpected string, expecting icmp or icmpv6 or tcp or icmpx
    add rule inet firewalld blah meta nfproto ipv6 reject with icmp6 type admin-prohibited
                                                               ^^^^^
    [root@dev-rhel7 firewalld]# nft add rule inet firewalld blah meta nfproto ipv6 reject with icmpv6 type admin-prohibited

    $ man nft
    ...
    REJECT STATEMENT
        reject [ with {icmp | icmp6 | icmpx} type {icmp_type | icmp6_type | icmpx_type} ]
        reject [ with {tcp} {reset} ]
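
A lint pass for rule files that may have been written from the pre-fix synopsis, as an added example (not code from this bug report or from the nftables project). It flags a `reject with` keyword the parser does not list and a `type` argument that is not a code for that keyword; the keyword set is taken from the error message above, while the per-keyword code names are an assumption based on the icmp_code, icmpv6_code and icmpx_code tables in nft(8), and `lint_reject` and `SAMPLE` are hypothetical names.

```python
import re

# Keyword -> symbolic reject codes accepted for it. Keywords come from the
# parser error quoted in the report; the code names are an assumption taken
# from the icmp_code / icmpv6_code / icmpx_code tables in nft(8).
REJECT_CODES = {
    "icmp": {"net-unreachable", "host-unreachable", "prot-unreachable",
             "port-unreachable", "net-prohibited", "host-prohibited",
             "admin-prohibited"},
    "icmpv6": {"no-route", "admin-prohibited", "addr-unreachable",
               "port-unreachable", "policy-fail", "reject-route"},
    "icmpx": {"no-route", "port-unreachable", "host-unreachable",
              "admin-prohibited"},
}

# Matches "reject with <keyword>" and an optional "type <code>".
REJECT_RE = re.compile(r"\breject\s+with\s+(\w+)(?:\s+type\s+([\w-]+))?")


def lint_reject(ruleset):
    """Return (line_number, message) for every suspect reject statement."""
    findings = []
    for lineno, line in enumerate(ruleset.splitlines(), start=1):
        line = line.split("#", 1)[0]  # ignore trailing comments
        for m in REJECT_RE.finditer(line):
            keyword, code = m.group(1), m.group(2)
            if keyword == "tcp":
                continue  # "reject with tcp reset" takes no type argument
            if keyword not in REJECT_CODES:
                findings.append((lineno, f"unknown keyword '{keyword}'"))
            elif code is None:
                findings.append((lineno, f"'{keyword}' needs 'type <code>'"))
            elif code not in REJECT_CODES[keyword]:
                findings.append((lineno, f"'{code}' is not an {keyword} code"))
    return findings


# Constructed sample input, modelled on the commands in the report.
SAMPLE = """\
add rule inet firewalld blah meta nfproto ipv6 reject with icmp6 type admin-prohibited
add rule inet firewalld blah meta nfproto ipv6 reject with icmpv6 type admin-prohibited
add rule inet firewalld blah meta nfproto ipv4 reject with icmp type addr-unreachable
add rule inet firewalld blah tcp dport 113 reject with tcp reset
"""

if __name__ == "__main__":
    for lineno, msg in lint_reject(SAMPLE):
        print(f"line {lineno}: {msg}")
```

The check only knows symbolic code names, so a rule that passes here should still be loaded on a test host before deployment.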