ICMP type names supported by nft:

vyos@vyos# sudo nft describe icmp type
payload expression, datatype icmp_type (ICMP type) (basetype integer), 8 bits

pre-defined symbolic constants (in decimal):
        echo-reply                   0
        destination-unreachable      3
        source-quench                4
        redirect                     5
        echo-request                 8
        router-advertisement         9
        router-solicitation         10
        time-exceeded               11
        parameter-problem           12
        timestamp-request           13
        timestamp-reply             14
        info-request                15
        info-reply                  16
        address-mask-request        17
        address-mask-reply          18
Options available on VyOS 1.4-rolling-202201100317:
vyos@vyos# set firewall name FOO rule 10 icmp type-name
Possible completions:
  any                           Any ICMP type/code
  echo-reply                    ICMP type/code name
  pong                          ICMP type/code name
  destination-unreachable       ICMP type/code name
  network-unreachable           ICMP type/code name
  host-unreachable              ICMP type/code name
  protocol-unreachable          ICMP type/code name
  port-unreachable              ICMP type/code name
  fragmentation-needed          ICMP type/code name
  source-route-failed           ICMP type/code name
  network-unknown               ICMP type/code name
  host-unknown                  ICMP type/code name
  network-prohibited            ICMP type/code name
  host-prohibited               ICMP type/code name
  TOS-network-unreachable       ICMP type/code name
  TOS-host-unreachable          ICMP type/code name
  communication-prohibited      ICMP type/code name
  host-precedence-violation     ICMP type/code name
  precedence-cutoff             ICMP type/code name
  source-quench                 ICMP type/code name
  redirect                      ICMP type/code name
  network-redirect              ICMP type/code name
  host-redirect                 ICMP type/code name
  TOS-network-redirect          ICMP type/code name
  TOS-host-redirect             ICMP type/code name
  echo-request                  ICMP type/code name
  ping                          ICMP type/code name
  router-advertisement          ICMP type/code name
  router-solicitation           ICMP type/code name
  time-exceeded                 ICMP type/code name
  ttl-exceeded                  ICMP type/code name
  ttl-zero-during-transit       ICMP type/code name
  ttl-zero-during-reassembly    ICMP type/code name
  parameter-problem             ICMP type/code name
  ip-header-bad                 ICMP type/code name
  required-option-missing       ICMP type/code name
  timestamp-request             ICMP type/code name
  timestamp-reply               ICMP type/code name
  address-mask-request          ICMP type/code name
  address-mask-reply            ICMP type/code name

Then, adding a rule that contains a type-name supported by netfilter, it goes OK, but when adding options that are not supported, the commit fails:
vyos@vyos# set firewall name FOO rule 10 action accept
[edit]
vyos@vyos# set firewall name FOO rule 10 protocol icmp
[edit]
vyos@vyos# set firewall name FOO rule 10 icmp type-name echo-request
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# set firewall name FOO rule 30 action accept
[edit]
vyos@vyos# set firewall name FOO rule 30 protocol icmp
[edit]
vyos@vyos# set firewall name FOO rule 30 icmp type-name fragmentation-needed
[edit]
vyos@vyos# commit
[ firewall ]
Failed to apply firewall

[[firewall]] failed
Commit failed

This generates the following content in /run/nftables.conf:
table ip filter {
chain FOO {
meta l4proto icmp icmp type echo-request counter return comment "FOO-10"
meta l4proto icmp icmp type fragmentation-needed counter return comment "FOO-30"
return