Map non-keyword ICMP types to their numeric code.

Without this change, policies with types that don't map to keywords aren't valid syntax PiperOrigin-RevId: 573255137
google · Oct 13, 2023 · 776b832 · 776b832
1 parent 9e9812e
commit 776b832
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 5 deletions.
diff --git a/capirca/lib/nftables.py b/capirca/lib/nftables.py
@@ -127,7 +127,8 @@ def MapICMPtypes(self, af, term_icmp_types):
 
     If we encounter certain keyword values in policy.Term.ICMP_TYPE keywords,
     we override them with NFTable specific values in order for rendered
-    policy to be semantically correct with what NFT expects.
+    policy to be semantically correct with what NFT expects. If NFT doesn't have
+    a keyword for a type, it uses the raw type code as an integer.
     https://www.netfilter.org/projects/nftables/manpage.html
 
     Function is used inside PortsAndProtocols.
@@ -152,6 +153,17 @@ def MapICMPtypes(self, af, term_icmp_types):
             'inverse-neighbor-discovery-solicitation': 'ind-neighbor-solicit',
             'inverse-neighbor-discovery-advertisement': 'ind-neighbor-advert',
             'version-2-multicast-listener-report': 'mld2-listener-report',
+            'icmp-node-information-query': '139',
+            'icmp-node-information-response': '140',
+            'home-agent-address-discovery-request': '144',
+            'home-agent-address-discovery-reply': '145',
+            'mobile-prefix-solicitation': '146',
+            'mobile-prefix-advertisement': '147',
+            'certification-path-solicitation': '148',
+            'certification-path-advertisement': '149',
+            'multicast-router-advertisement': '151',
+            'multicast-router-solicitation': '152',
+            'multicast-router-termination': '153',
         },
         4: {
             # IPv4 exceptions below
@@ -160,7 +172,10 @@ def MapICMPtypes(self, af, term_icmp_types):
             'information-reply': 'info-reply',
             'mask-request': 'address-mask-request',
             'mask-reply': 'address-mask-reply',
-        }
+            'alternate-address': '6',
+            'conversion-error': '31',
+            'mobile-redirect': '32',
+        },
     }
 
     for item in term_icmp_types:

diff --git a/policies/pol/sample_nftables-mixed-icmp.pol b/policies/pol/sample_nftables-mixed-icmp.pol
@@ -43,7 +43,7 @@ term test-icmp-type-ip4 {
 
 term test-icmp-type-ip6 {
   comment:: "IPv6 icmp-type test"
-  icmp-type:: multicast-listener-done router-solicit router-advertisement
+  icmp-type:: multicast-listener-done router-solicit router-advertisement multicast-router-solicitation multicast-router-advertisement
   protocol:: icmpv6
   action:: accept
 }

diff --git a/tests/lib/nftables_test.py b/tests/lib/nftables_test.py
@@ -265,7 +265,7 @@ def __init__(self, in_dict: dict):
 ICMPV6_MULTI_TERM = """
 term good-icmpv6-type {
   comment:: "IPv6 ICMP accept many types"
-  icmp-type:: router-solicit router-advertisement neighbor-advertisement neighbor-solicit
+  icmp-type:: router-solicit router-advertisement neighbor-advertisement neighbor-solicit multicast-router-solicitation multicast-router-advertisement
   protocol:: icmpv6
   action:: accept
 }
@@ -626,7 +626,7 @@ def testICMPv6type(self):
     self.assertIn(
         (
             'icmpv6 type { nd-router-solicit, nd-router-advert,'
-            ' nd-neighbor-advert, nd-neighbor-solicit } accept'
+            ' nd-neighbor-advert, nd-neighbor-solicit, 152, 151 } accept'
         ),
         nft,
     )