Hide Forgot
The keyword that nft actually accepts is "icmpv6". e.g. # nft add table inet firewalld [root@dev-rhel7 firewalld]# nft add chain inet firewalld blah { type filter hook input priority 0 \; } [root@dev-rhel7 firewalld]# nft add rule inet firewalld blah meta nfproto ipv6 reject with icmp6 type admin-prohibited Error: syntax error, unexpected string, expecting icmp or icmpv6 or tcp or icmpx add rule inet firewalld blah meta nfproto ipv6 reject with icmp6 type admin-prohibited ^^^^^ [root@dev-rhel7 firewalld]# nft add rule inet firewalld blah meta nfproto ipv6 reject with icmpv6 type admin-prohibited $ man nft ... REJECT STATEMENT reject [ with {icmp | icmp6 | icmpx} type {icmp_type | icmp6_type | icmpx_type} ] reject [ with {tcp} {reset} ]
Fix submitted upstream: https://marc.info/?l=netfilter-devel&m=152827540006707&w=2
Upstream accepted: commit 9b3036bb9f00d6e244ed92e0e782c5617ae40b84 (origin/master, origin/HEAD) Author: Phil Sutter <phil@nwl.cc> Date: Wed Jun 6 10:56:26 2018 +0200 nft.8: Fix reject statement documentation First of all, 'with icmp6' is invalid, expected is 'with icmpv6'. In addition to that, parameter 'type' expects an icmp*_code type, not icmp*_type. The respective table column was already correct, but in synopsis it was wrong. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3154