iptables-translate-restore will generate an unexpected rule if "-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT" is specified

Solution In Progress - Updated -

Issue

  • When translating iptables rules to nftables, I came across what seems to be a bug that causes an allow-all rule.
cat test_ruleset.txt
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

Results in:
# iptables-restore-translate -f test_ruleset.txt
# Translated by iptables-restore-translate v1.8.4 on Fri Oct 23 14:13:25 2020
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip filter INPUT  counter accept <----
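The translated rule above has lost every match expression: "counter accept" in nft applies to all packets reaching the INPUT chain, whereas the source rule matched ICMP only. Because iptables-restore-translate emits one "add rule" per "-A" line in order, a translated ruleset can be checked mechanically before it is loaded. The script below is an added example written for this article; it is not part of the page or of the iptables/nftables projects. It pairs each "-A" rule with the "add rule" line at the same position in the same chain and reports any pair where the iptables rule carried a packet match but the nft expression starts directly with a statement or verdict. The sample input repeats the ruleset and translator output quoted above; the two extra rules and their translations are constructed to exercise the check (the "icmp type echo-request" form is what I assume the translator emits for "--icmp-type echo-request").

```python
import re

# Constructed sample input: the ruleset quoted in the report plus two extra rules
# (assumed translations) so the check has a matched rule and an intentionally
# unconditional rule to compare against.
RULESET = """*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j ACCEPT
"""

TRANSLATED = """# Translated by iptables-restore-translate v1.8.4 on Fri Oct 23 14:13:25 2020
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip filter INPUT  counter accept
add rule ip filter INPUT icmp type echo-request counter accept
add rule ip filter INPUT counter accept
"""

IPT_RULE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
NFT_RULE = re.compile(r"^add rule\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

# iptables options that constrain which packets a rule applies to.
MATCH_FLAGS = {"-p", "--protocol", "-s", "--source", "-d", "--destination",
               "-i", "--in-interface", "-o", "--out-interface", "-m", "--match", "!"}

# If an nft rule expression begins with one of these, no match precedes the
# statement/verdict and the rule applies to every packet in the chain.
UNCONDITIONAL_START = {"counter", "accept", "drop", "reject", "jump", "goto",
                       "return", "log"}


def parse_iptables(text):
    """Map chain name -> list of '-A' rule bodies, in file order."""
    rules = {}
    for line in text.splitlines():
        m = IPT_RULE.match(line.strip())
        if m:
            rules.setdefault(m.group(1), []).append(m.group(2).strip())
    return rules


def parse_nft(text):
    """Map chain name -> list of 'add rule' expressions, in file order."""
    rules = {}
    for line in text.splitlines():
        m = NFT_RULE.match(line.strip())
        if m:
            rules.setdefault(m.group(3), []).append(m.group(4).strip())
    return rules


def iptables_has_match(rule):
    return any(tok in MATCH_FLAGS for tok in rule.split())


def nft_is_unconditional(expr):
    toks = expr.split()
    return not toks or toks[0] in UNCONDITIONAL_START


def find_widened_rules(ruleset, translated):
    """Return (chain, iptables_rule, nft_expr) for every rule whose
    translation dropped all of its match expressions."""
    src, dst = parse_iptables(ruleset), parse_nft(translated)
    findings = []
    for chain, rules in src.items():
        out = dst.get(chain, [])
        if len(out) != len(rules):
            raise ValueError(f"chain {chain}: {len(rules)} source rules "
                             f"but {len(out)} translated rules")
        for ipt, nft in zip(rules, out):
            if iptables_has_match(ipt) and nft_is_unconditional(nft):
                findings.append((chain, ipt, nft))
    return findings


if __name__ == "__main__":
    for chain, ipt, nft in find_widened_rules(RULESET, TRANSLATED):
        print(f"{chain}: '-A {chain} {ipt}' became '{nft}' (matches all packets)")
```

Run against real output by replacing the two constants with the contents of the source ruleset and of "iptables-restore-translate -f" on it; a non-empty result means the translated ruleset is broader than the original and should not be loaded as-is. The third rule ("-A INPUT -j ACCEPT") is unconditional in both forms and is correctly not reported.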

Environment

  • Red Hat Enterprise Linux 8
    • nftables
