Bug 1401978 - icmptypes list is incomplete which could affect ipv6 in icmp-block-inversion mode
Summary: icmptypes list is incomplete which could affect ipv6 in icmp-block-inversion ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Thomas Woerner
QA Contact: Tomas Dolezal
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1400961
Reported: 2016-12-06 13:57 UTC by Tomas Dolezal
Modified: 2017-08-01 16:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
*firewalld* now supports all ICMP types
Previously, the Internet Control Message Protocol (ICMP) type list was not complete. As a consequence, some ICMP types, such as `packet-too-big`, could neither be blocked nor allowed. With this update, support for the additional ICMP types has been added, and the *firewalld* service daemon can now handle all ICMP types.
Clone Of:
Environment:
Last Closed: 2017-08-01 16:22:56 UTC
Target Upstream Version:



Links
System: Red Hat Product Errata
ID: RHBA-2017:1934
Priority: normal
Status: SHIPPED_LIVE
Summary: firewalld bug fix and enhancement update
Last Updated: 2017-08-01 17:55:15 UTC

Description Tomas Dolezal 2016-12-06 13:57:14 UTC
Description of problem:
Inverted blocking opens a need for a complete set of icmp-types, even for those that shouldn't be blocked altogether, namely 'packet-too-big'. Since the add-icmp-block-inversion feature, the full list should be part of the next release.

There are differences for ipv4 and ipv6 icmp types, firewalld should handle proper types for each stack individually based on a shared list as it is now.

Version-Release number of selected component (if applicable):
firewalld-0.4.3.2-8.el7.noarch

How reproducible:
always

Steps to Reproduce:
firewall-cmd --get-icmptypes

Actual results:
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded timestamp-reply timestamp-reques

Expected results:
list from commands:
iptables -p icmp -h
ip6tables -p icmpv6 -h

Additional info:

Comment 1 Thomas Woerner 2017-01-16 16:34:43 UTC
Here is a list of deprecated ICMP types: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

I think it would be good not to add these.

Comment 2 Thomas Woerner 2017-01-16 16:37:19 UTC
Running a script to verify the missing ones, I got this list (including the deprecated):

address-mask-reply
address-mask-request
address-unreachable
bad-header
beyond-scope
communication-prohibited
failed-policy
fragmentation-needed
host-precedence-violation
host-prohibited
host-redirect
host-unknown
host-unreachable
ip-header-bad
neighbour-advertisement
neighbour-solicitation
network-prohibited
network-redirect
network-unknown
network-unreachable
no-route
packet-too-big
port-unreachable
precedence-cutoff
protocol-unreachable
reject-route
required-option-missing
source-route-failed
tos-host-redirect
tos-host-unreachable
tos-network-redirect
tos-network-unreachable
ttl-zero-during-reassembly
ttl-zero-during-transit
unknown-header-type
unknown-option

I already left out "any".

Comment 3 Thomas Woerner 2017-01-16 16:38:20 UTC
That has been done on a Fedora-25.

Comment 4 Tomas Dolezal 2017-01-16 16:51:04 UTC
I believe the deprecated ICMP type names may be omitted.
According to the IANA link above, the deprecated types were either superseded or 'were never widely deployed or implemented'.

Deprecated ICMP type names can still be specified manually in direct rules if needed.

Comment 12 Thomas Woerner 2017-03-27 14:38:48 UTC
Here are the fixes to test icmp types before trying to use them:

firewall.core.ipXtables: New method supported_icmp_types
https://github.com/t-woerner/firewalld/commit/afab04d64144ae9a44dabd576988c0ea187e763e

firewall.core.fw: New attributes ip{4,6}tables_supported_icmp_types
https://github.com/t-woerner/firewalld/commit/4fcd7aa4d306be8e25b490a2d67401bc25defabe

firewall.core.fw_icmptype: Add ICMP type only if the type is supported
https://github.com/t-woerner/firewalld/commit/ef8df93df775fb09028ba7a8a63a043042e33591

firewall.server.firewalld: Provide information about the supported icmp types
https://github.com/t-woerner/firewalld/commit/44a5a56a14584eac3757cc0c9c7941a17859261b

firewall.core.fw: Show icmptypes and ipsets with type errors in permanent env
https://github.com/t-woerner/firewalld/commit/f82a8d625a57842185087433f9409512646a86d1
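
As an added example (not firewalld's code, and not the script Thomas Woerner mentions in Comment 2), here is a Python version of the check the Description's "Expected results" asks for and that the supported_icmp_types fix in Comment 12 builds into firewalld: parse the type names out of `iptables -p icmp -h` and `ip6tables -p icmpv6 -h`, diff them per IP family against what `firewall-cmd --get-icmptypes` reports, and decide on which families a given type name can be applied at all. The two help-output samples are constructed and abridged, and every function name is mine; pass live=True to read the real help output on a host that has iptables installed.

```python
# Added example (not firewalld code): which ICMP type names can firewalld not name,
# per IP family, given what iptables/ip6tables accept? Function names are mine.
import re
import subprocess

# Constructed, abridged tails of `iptables -p icmp -h` / `ip6tables -p icmpv6 -h`.
# Indented names are sub-types of the line above; "(x)" is an alias of the name.
IPTABLES_ICMP_HELP = """\
Valid ICMP Types:
any
echo-reply (pong)
destination-unreachable
   host-unreachable
   fragmentation-needed
   TOS-host-unreachable
redirect
echo-request (ping)
time-exceeded (ttl-exceeded)
parameter-problem
timestamp-request
address-mask-request
"""

IP6TABLES_ICMPV6_HELP = """\
Valid ICMPv6 Types:
destination-unreachable
   address-unreachable
packet-too-big
time-exceeded (ttl-exceeded)
parameter-problem
   bad-header
echo-request (ping)
echo-reply (pong)
neighbour-solicitation (neighbor-solicitation)
redirect
"""

# `firewall-cmd --get-icmptypes` from firewalld-0.4.3.2-8.el7 as quoted in the bug
# (its last entry is cut off there; firewalld's name is timestamp-request).
FIREWALLD_TYPES_OLD = (
    "destination-unreachable echo-reply echo-request parameter-problem redirect "
    "router-advertisement router-solicitation source-quench time-exceeded "
    "timestamp-reply timestamp-request").split()

_TYPE_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)(?:\s+\(([A-Za-z0-9-]+)\))?\s*$")


def parse_icmp_help(text):
    """Names (lower-cased, aliases included) after the 'Valid ICMP... Types:' header.
    iptables compares names case-insensitively; firewalld spells them lower case."""
    names, in_types = set(), False
    for line in text.splitlines():
        if line.startswith("Valid ICMP"):
            in_types = True
            continue
        if not in_types or not line.strip():
            continue
        m = _TYPE_LINE.match(line)
        if not m:
            break  # past the end of the type listing
        names.add(m.group(1).lower())
        if m.group(2):
            names.add(m.group(2).lower())
    names.discard("any")  # wildcard, not a type name
    return names


def supported_icmp_types(live=False):
    """family -> names the backend accepts. live=True runs the real iptables/ip6tables
    (-h needs no root); the default uses the constructed samples above."""
    if live:
        def run(*argv):
            return subprocess.run(argv, stdout=subprocess.PIPE, universal_newlines=True).stdout
        v4, v6 = run("iptables", "-p", "icmp", "-h"), run("ip6tables", "-p", "icmpv6", "-h")
    else:
        v4, v6 = IPTABLES_ICMP_HELP, IP6TABLES_ICMPV6_HELP
    return {"ipv4": parse_icmp_help(v4), "ipv6": parse_icmp_help(v6)}


def missing_types(firewalld_types, supported):
    """Per family: names the backend knows but firewalld cannot name, so they can
    neither be blocked nor, in icmp-block-inversion mode, be allowed."""
    have = set(firewalld_types)
    return {fam: sorted(names - have) for fam, names in supported.items()}


def usable_families(icmptype, destinations, supported):
    """Families (an icmptype's <destination ipv4="yes" ipv6="yes"/> setting) on which
    the backend accepts the name; the others must be skipped, as the fix does."""
    return [fam for fam in destinations if icmptype in supported[fam]]


if __name__ == "__main__":
    sup = supported_icmp_types()
    for fam, names in missing_types(FIREWALLD_TYPES_OLD, sup).items():
        print(fam, "missing:", " ".join(names))
    print("packet-too-big usable on:", usable_families("packet-too-big", ["ipv4", "ipv6"], sup))
```

The reason the per-family split matters for the inversion mode: with icmp-block-inversion enabled, a zone's ICMP block list becomes its allow list, so anything firewalld cannot name is dropped. packet-too-big is an ICMPv6-only type (it carries path MTU discovery), so a definition that claimed it for ipv4 as well would have to be skipped on that family rather than fail the whole type, which is what usable_families models.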

Comment 14 errata-xmlrpc 2017-08-01 16:22:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1934

