extensions: libipt_icmp: Fix confusion between 255/255 and any

Per definition, ICMP type "any" is type 255 and the full range of codes
(0-255). Save callback though ignored the actual code values, printing
"any" for every type 255 match. This at least confuses users as they
can't find their rule added as '--icmp-type 255/255' anymore.

It is not entirely clear what the fixed commit was trying to establish,
but the save output is certainly not correct (especially since print
callback gets things right).

Reported-by: Amelia Downs <adowns@vmware.com>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1600
Fixes: fc9237da4e845 ("Fix '-p icmp -m icmp' issue (Closes: #37)")
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index b0318aebc2c5745866c75f52c32795f699c13a7f..171b3b3949e5445d6ccdd2ac6791ade321cd4f0c 100644 (file)
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -108,7 +108,8 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
                printf(" !");
 
        /* special hack for 'any' case */
-       if (icmp->type == 0xFF) {
+       if (icmp->type == 0xFF &&
+           icmp->code[0] == 0 && icmp->code[1] == 0xFF) {
                printf(" --icmp-type any");
        } else {
                printf(" --icmp-type %u", icmp->type);

diff --git a/extensions/libipt_icmp.t b/extensions/libipt_icmp.t
index f4ba65c27f032f9a3900646434a9e457fecd955b..ce4a33f9633b5bb13ad7bb0a101b8473e96fc6f2 100644 (file)
--- a/extensions/libipt_icmp.t
+++ b/extensions/libipt_icmp.t
@@ -13,3 +13,5 @@
 # we accept "iptables -I INPUT -p tcp -m tcp", why not this below?
 # ERROR: cannot load: iptables -A INPUT -p icmp -m icmp
 # -p icmp -m icmp;=;OK
+-p icmp -m icmp --icmp-type 255/255;=;OK
+-p icmp -m icmp --icmp-type 255/0:255;-p icmp -m icmp --icmp-type any;OK