Red Hat Bugzilla – Bug 1401978
icmptypes list is incomplete which could affect ipv6 in icmp-block-inversion mode
Last modified: 2017-08-01 12:22:56 EDT
Description of problem: inverted blocking opens a need for complete set of icmp-types even for those that shouldn't be blocked altogether, namely 'packet-too-big'. Since the add-icmp-block-inversion feature the full list should be part of next release. There are differences for ipv4 and ipv6 icmp types, firewalld should handle proper types for each stack individually based on a shared list as it is now. Version-Release number of selected component (if applicable): firewalld-0.4.3.2-8.el7.noarch How reproducible: always Steps to Reproduce: firewall-cmd --get-icmptypes Actual results: destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded timestamp-reply timestamp-reques Expected results: list from commands: iptables -p icmp -h ip6tables -p icmpv6 -h Additional info:
Here is a list of deprecated ICMP types: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml I think it would be good not to add these.
Running a script to verify the missing ones, I got this list (including the deprecated): address-mask-reply address-mask-request address-unreachable bad-header beyond-scope communication-prohibited failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big port-unreachable precedence-cutoff protocol-unreachable reject-route required-option-missing source-route-failed tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option I already left out "any".
That has been done on a Fedora-25.
I believe the deprecated ICMP type names may be omitted. According to IANA link above the deprecated types were: superseded or they 'were never widely deployed or implemented'. deprecated icmp type names can still be specified manually in direct rules if needed
Fixed upstream: https://github.com/t-woerner/firewalld/commit/2b092eae0e6d2b8acce7c73abeed234bbfb89c17
Here are the fixes to test icmp types before trying to use them: firewall.core.ipXtables: New method supported_icmp_types https://github.com/t-woerner/firewalld/commit/afab04d64144ae9a44dabd576988c0ea187e763e firewall.core.fw: New attributes ip{4,6}tables_supported_icmp_types https://github.com/t-woerner/firewalld/commit/4fcd7aa4d306be8e25b490a2d67401bc25defabe firewall.core.fw_icmptype: Add ICMP type only if the type is supported https://github.com/t-woerner/firewalld/commit/ef8df93df775fb09028ba7a8a63a043042e33591 firewall.server.firewalld: Provide information about the supported icmp types https://github.com/t-woerner/firewalld/commit/44a5a56a14584eac3757cc0c9c7941a17859261b firewall.core.fw: Show icmptypes and ipsets with type errors in permanent env https://github.com/t-woerner/firewalld/commit/f82a8d625a57842185087433f9409512646a86d1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1934