ICMP type names supported by nft:

    vyos@vyos# sudo nft describe icmp type
    payload expression, datatype icmp_type (ICMP type) (basetype integer), 8 bits

    pre-defined symbolic constants (in decimal):
            echo-reply                      0
            destination-unreachable         3
            source-quench                   4
            redirect                        5
            echo-request                    8
            router-advertisement            9
            router-solicitation             10
            time-exceeded                   11
            parameter-problem               12
            timestamp-request               13
            timestamp-reply                 14
            info-request                    15
            info-reply                      16
            address-mask-request            17
            address-mask-reply              18
Options available on VyOS 1.4-rolling-202201100317:
    vyos@vyos# set firewall name FOO rule 10 icmp type-name
    Possible completions:
      any                           Any ICMP type/code
      echo-reply                    ICMP type/code name
      pong                          ICMP type/code name
      destination-unreachable       ICMP type/code name
      network-unreachable           ICMP type/code name
      host-unreachable              ICMP type/code name
      protocol-unreachable          ICMP type/code name
      port-unreachable              ICMP type/code name
      fragmentation-needed          ICMP type/code name
      source-route-failed           ICMP type/code name
      network-unknown               ICMP type/code name
      host-unknown                  ICMP type/code name
      network-prohibited            ICMP type/code name
      host-prohibited               ICMP type/code name
      TOS-network-unreachable       ICMP type/code name
      TOS-host-unreachable          ICMP type/code name
      communication-prohibited      ICMP type/code name
      host-precedence-violation     ICMP type/code name
      precedence-cutoff             ICMP type/code name
      source-quench                 ICMP type/code name
      redirect                      ICMP type/code name
      network-redirect              ICMP type/code name
      host-redirect                 ICMP type/code name
      TOS-network-redirect          ICMP type/code name
      TOS host-redirect             ICMP type/code name
      echo-request                  ICMP type/code name
      ping                          ICMP type/code name
      router-advertisement          ICMP type/code name
      router-solicitation           ICMP type/code name
      time-exceeded                 ICMP type/code name
      ttl-exceeded                  ICMP type/code name
      ttl-zero-during-transit       ICMP type/code name
      ttl-zero-during-reassembly    ICMP type/code name
      parameter-problem             ICMP type/code name
      ip-header-bad                 ICMP type/code name
      required-option-missing       ICMP type/code name
      timestamp-request             ICMP type/code name
      timestamp-reply               ICMP type/code name
      address-mask-request          ICMP type/code name
      address-mask-reply            ICMP type/code name
      TOS
Adding a rule whose type-name is one that nft knows commits fine, but adding a rule with one of the names nft does not know makes the commit fail:

    vyos@vyos# set firewall name FOO rule 10 action accept
    [edit]
    vyos@vyos# set firewall name FOO rule 10 protocol icmp
    [edit]
    vyos@vyos# set firewall name FOO rule 10 icmp type-name echo-request
    [edit]
    vyos@vyos# commit
    [edit]
    vyos@vyos# set firewall name FOO rule 30 action accept
    [edit]
    vyos@vyos# set firewall name FOO rule 30 protocol icmp
    [edit]
    vyos@vyos# set firewall name FOO rule 30 icmp type-name fragmentation-needed
    [edit]
    vyos@vyos# commit
    [ firewall ]
    Failed to apply firewall

    [[firewall]] failed
    Commit failed
This generates the following content in /run/nftables.conf (the rule for "fragmentation-needed" is passed through verbatim, but nft has no icmp type constant of that name):

    table ip filter {
        chain FOO {
            meta l4proto icmp icmp type echo-request counter return comment "FOO-10"
            meta l4proto icmp icmp type fragmentation-needed counter return comment "FOO-30"
            return
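The mismatch above comes from the CLI still offering the iptables-style ICMP type/code names while the backend now writes nft syntax, which only has symbolic constants for ICMP types. Names such as fragmentation-needed denote a type plus a code (destination-unreachable, code 4) and need to be rendered as `icmp type ... icmp code ...`. The following is an added example, not VyOS's own code or its eventual fix: it maps each completion name to the numeric type/code pair from the iptables ICMP name table (assumed here; the page only lists the names), emits a match expression nft accepts, and reports which completion names nft cannot take verbatim.

```python
# Added example (not VyOS code): translate the iptables-style ICMP type/code
# names offered by the VyOS CLI into match expressions that nft accepts.
# Assumption: the numeric values follow the iptables ICMP name table
# (RFC 792 types and codes); VyOS's actual fix may use a different table.

# ICMP type names nft itself understands (from `nft describe icmp type`).
NFT_ICMP_TYPES = {
    "echo-reply": 0, "destination-unreachable": 3, "source-quench": 4,
    "redirect": 5, "echo-request": 8, "router-advertisement": 9,
    "router-solicitation": 10, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14, "info-request": 15,
    "info-reply": 16, "address-mask-request": 17, "address-mask-reply": 18,
}

# VyOS CLI completion names -> (ICMP type, ICMP code); code None = whole type.
# Values assumed from the iptables name table (`iptables -p icmp -h`).
VYOS_TYPE_NAMES = {
    "echo-reply": (0, None), "pong": (0, None),
    "destination-unreachable": (3, None),
    "network-unreachable": (3, 0), "host-unreachable": (3, 1),
    "protocol-unreachable": (3, 2), "port-unreachable": (3, 3),
    "fragmentation-needed": (3, 4), "source-route-failed": (3, 5),
    "network-unknown": (3, 6), "host-unknown": (3, 7),
    "network-prohibited": (3, 9), "host-prohibited": (3, 10),
    "TOS-network-unreachable": (3, 11), "TOS-host-unreachable": (3, 12),
    "communication-prohibited": (3, 13), "host-precedence-violation": (3, 14),
    "precedence-cutoff": (3, 15),
    "source-quench": (4, None),
    "redirect": (5, None), "network-redirect": (5, 0), "host-redirect": (5, 1),
    "TOS-network-redirect": (5, 2), "TOS-host-redirect": (5, 3),
    "echo-request": (8, None), "ping": (8, None),
    "router-advertisement": (9, None), "router-solicitation": (10, None),
    "time-exceeded": (11, None), "ttl-exceeded": (11, None),
    "ttl-zero-during-transit": (11, 0), "ttl-zero-during-reassembly": (11, 1),
    "parameter-problem": (12, None), "ip-header-bad": (12, 0),
    "required-option-missing": (12, 1),
    "timestamp-request": (13, None), "timestamp-reply": (14, None),
    "address-mask-request": (17, None), "address-mask-reply": (18, None),
}

# Reverse lookup so generated rules use nft's own symbolic type names.
_NFT_TYPE_BY_NUMBER = {num: name for name, num in NFT_ICMP_TYPES.items()}

# The page's nftables.conf renders "action accept" in a named chain as
# "return"; the other verbs are assumed.
ACTION_VERBS = {"accept": "return", "drop": "drop", "reject": "reject"}


def nft_icmp_match(type_name: str) -> str:
    """Return the nft payload match for a VyOS icmp type-name ('' for 'any')."""
    if type_name == "any":
        return ""                       # no ICMP-specific match at all
    if type_name in NFT_ICMP_TYPES:
        return f"icmp type {type_name}"  # nft accepts this name verbatim
    try:
        icmp_type, icmp_code = VYOS_TYPE_NAMES[type_name]
    except KeyError:
        raise ValueError(f"unknown ICMP type-name: {type_name}") from None
    match = f"icmp type {_NFT_TYPE_BY_NUMBER[icmp_type]}"
    if icmp_code is not None:
        match += f" icmp code {icmp_code}"
    return match


def unsupported_names() -> list:
    """CLI completion names that nft does not accept as an icmp type constant."""
    return sorted(n for n in VYOS_TYPE_NAMES if n not in NFT_ICMP_TYPES)


def build_rule(chain: str, number: int, action: str, type_name: str) -> str:
    """Render one rule line in the layout the page's /run/nftables.conf uses."""
    parts = ["meta l4proto icmp"]
    match = nft_icmp_match(type_name)
    if match:
        parts.append(match)
    parts.append(f'counter {ACTION_VERBS[action]} comment "{chain}-{number}"')
    return " ".join(parts)


if __name__ == "__main__":
    # The two rules from the page: the first is unchanged, the second now
    # becomes a type+code match instead of an unknown symbolic constant.
    print(build_rule("FOO", 10, "accept", "echo-request"))
    print(build_rule("FOO", 30, "accept", "fragmentation-needed"))
    print("names needing translation:", ", ".join(unsupported_names()))
```

Run as a script it prints the two FOO rules in nft syntax; `unsupported_names()` is the list a maintainer would want to check the CLI completion data against, since every entry in it will fail `nft -f` if written through verbatim.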