iptables-translate-restore will generate an unexpected rule if "-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT" is specified
Issue
- When translating iptables rules to nftables, I came across what seems to be a bug that causes an allow-all rule.
cat test_ruleset.txt
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
Results in:
# iptables-restore-translate -f test_ruleset.txt
# Translated by iptables-restore-translate v1.8.4 on Fri Oct 23 14:13:25 2020
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip filter INPUT counter accept <---- no protocol match; this rule accepts all traffic
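As an added check (example code written for this page, not part of the Red Hat article, the iptables project or nftables), the Python below audits a translated ruleset the way an administrator would before loading it: it flags any "add rule" line whose body contains only counter/verdict keywords and therefore matches every packet, flags the iptables-save lines that use the affected "--icmp-type any" form, and produces a hand-written nft equivalent for them. The sample input and output embedded in the script are the article's own ruleset and translator output; the equivalent rule using "ip protocol icmp" is an assumption of this example (matching the protocol alone is what "--icmp-type any" means), not text from the article.

```python
"""Audit a ruleset produced by iptables-restore-translate for rules that
accept everything. Added example, not code from the Red Hat article."""
import re

# Constructed sample: the article's input ruleset, embedded inline.
IPTABLES_RULESET = """\
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
"""

# Constructed sample: the translator output shown in the article.
NFT_OUTPUT = """\
# Translated by iptables-restore-translate v1.8.4 on Fri Oct 23 14:13:25 2020
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip filter INPUT counter accept
"""

RULE_RE = re.compile(
    r"^add rule (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+)\s*(?P<body>.*)$"
)
# Keywords that count or decide a packet's fate but do not narrow what the
# rule matches. A body made only of these matches every packet in the chain.
NON_MATCH_TOKENS = {"counter", "accept", "drop", "reject", "return"}


def find_unconditional_rules(nft_text):
    """Return (chain, rule_line) for every rule with no match expression."""
    hits = []
    for line in nft_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # table/chain definitions and comments are not rules
        tokens = m.group("body").split()
        if tokens and all(tok in NON_MATCH_TOKENS for tok in tokens):
            hits.append((m.group("chain"), line.strip()))
    return hits


def find_icmp_any_rules(iptables_text):
    """Return the iptables-save lines that use the '--icmp-type any' form."""
    return [ln.strip() for ln in iptables_text.splitlines()
            if re.search(r"--icmp-type\s+any\b", ln)]


def suggested_translation(iptables_rule):
    """Hand-written nft equivalent for the affected rule shape.

    Assumption of this example: '--icmp-type any' narrows nothing beyond the
    protocol, so an 'ip protocol icmp' match is the faithful translation.
    Only the simple '-A CHAIN -p icmp -m icmp --icmp-type any -j TARGET'
    form is handled; anything else returns None.
    """
    m = re.match(r"-A (\S+) -p icmp -m icmp --icmp-type any -j (\S+)$",
                 iptables_rule.strip())
    if not m:
        return None
    chain, target = m.groups()
    return f"add rule ip filter {chain} ip protocol icmp counter {target.lower()}"


if __name__ == "__main__":
    for chain, rule in find_unconditional_rules(NFT_OUTPUT):
        print(f"WARNING: rule in chain {chain} matches all traffic: {rule}")
    for src in find_icmp_any_rules(IPTABLES_RULESET):
        print(f"affected source rule : {src}")
        print(f"suggested nft rule   : {suggested_translation(src)}")
```

Run it against the real translator output (for example "iptables-restore-translate -f ruleset.txt | python3 audit.py" after adapting the script to read stdin) before handing the result to "nft -f"; a rule reported by find_unconditional_rules should be rewritten by hand, since the chain policy is then the only thing deciding what the chain does.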
Environment
- Red Hat Enterprise Linux 8
- nftables