From eda29da09e7ea013cc9a8e6790b12e95550c9f4a Mon Sep 17 00:00:00 2001 From: Max Kellermann Date: Wed, 17 Nov 2010 08:51:52 +0100 Subject: [PATCH] icmp: translate "icmp-type" to "icmpv6-type" in domain "ip6" Add some magic to allow "proto icmp icmp-type redirect" in the domain "ip6". --- NEWS | 1 + src/ferm | 8 ++++---- test/ipv6/icmp.ferm | 1 + test/ipv6/icmp.result | 1 + 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 172cd26..ae01be2 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,7 @@ v2.0.9 - not yet released - updated netfilter modules: * state: support negation + * icmp: translate "icmp-type" to "icmpv6-type" in domain "ip6" v2.0.8 - 4 Nov 2010 diff --git a/src/ferm b/src/ferm index 1cc352d..4a2736b 100755 --- a/src/ferm +++ b/src/ferm @@ -209,8 +209,7 @@ sub add_target_def(@) { add_proto_def 'dccp', qw(dccp-types!=c dccp-option!); add_proto_def 'mh', qw(mh-type!); -add_proto_def 'icmp', qw(icmp-type!); -add_proto_def 'icmpv6', qw(icmpv6-type! icmp-type:=icmpv6-type); +add_proto_def 'icmp', qw(icmp-type! icmpv6-type:=icmp-type); add_proto_def 'sctp', qw(chunk-types!=sc); add_proto_def 'tcp', qw(tcp-flags!=cc !syn*0 tcp-option! mss); add_proto_def 'udp', qw(); @@ -1242,8 +1241,8 @@ sub is_netfilter_builtin_chain($$) { sub netfilter_canonical_protocol($) { my $proto = shift; - return 'icmpv6' - if $proto eq 'ipv6-icmp'; + return 'icmp' + if $proto eq 'ipv6-icmp' or $proto eq 'icmpv6'; return 'mh' if $proto eq 'ipv6-mh'; return $proto; @@ -1319,6 +1318,7 @@ sub format_option($$$) { my ($domain, $name, $value) = @_; $value = 'icmpv6' if $domain eq 'ip6' and $name eq 'protocol' and $value eq 'icmp'; + $name = 'icmpv6-type' if $domain eq 'ip6' and $name eq 'icmp-type'; return shell_format_option($name, $value); } diff --git a/test/ipv6/icmp.ferm b/test/ipv6/icmp.ferm index 56d9aa4..969e94c 100644 --- a/test/ipv6/icmp.ferm +++ b/test/ipv6/icmp.ferm 
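Review bot: The `icmpv6-type:=icmp-type` alias on the `icmp` definition and the new `or $proto eq 'icmpv6'` branch in netfilter_canonical_protocol carry no domain check, so ICMPv6 spellings now resolve to the plain `icmp` definition in every domain, not only in `ip6`. From these two hunks it looks as though a rule in domain `ip` written with `proto icmpv6` or `icmpv6-type` would be accepted and handled as IPv4 ICMP rather than rejected; for a firewall generator a family mismatch is better reported than translated. At minimum I would document the folding where it happens, e.g. `# icmpv6 and ipv6-icmp share the 'icmp' definition; format_option() maps the names back for domain ip6` above the first `return` in netfilter_canonical_protocol. An actual domain check would have to live in code outside these hunks, and the function's closing brace is outside the hunk as well.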
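Review bot: The added rename in format_option changes only the option name; `$value` is handed to shell_format_option unchanged, so a numeric type written for IPv4 keeps its number under `--icmpv6-type`. ICMP and ICMPv6 number their types differently (echo-request is 8 in ICMP and 128 in ICMPv6), so `icmp-type 8` in a shared `domain (ip ip6)` block would not match echo requests on the IPv6 side and would produce no error, whereas an unknown type name would presumably be refused by ip6tables. I would add a comment on the new line such as `# only the option name is translated; numeric type values are NOT mapped between ICMP and ICMPv6` and state the same caveat in the NEWS entry. The function's `sub` line appears only in the hunk header, outside the hunk body.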
@@ -1,4 +1,5 @@
 # ferm tries to allow you to use ipv4 keywords for the ipv6 domain.
 domain ip6 chain INPUT {
 proto icmp ACCEPT;
+ proto icmp icmp-type redirect DROP;
 }
diff --git a/test/ipv6/icmp.result b/test/ipv6/icmp.result
index 1a03619..f6773de 100644
--- a/test/ipv6/icmp.result
+++ b/test/ipv6/icmp.result
@@ -1 +1,2 @@
 ip6tables -t filter -A INPUT -p icmpv6 -j ACCEPT
+ip6tables -t filter -A INPUT -p icmpv6 --icmpv6-type redirect -j DROP
-- 
2.11.4.GIT
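Review bot: The new test case covers only the translated spelling `proto icmp icmp-type`, while the commit also reroutes the native spellings: `proto icmpv6` and `proto ipv6-icmp` now canonicalise to `icmp`, and `icmpv6-type` has become an alias that format_option has to map back. A regression on that path would change the generated ip6tables rules without any test noticing, so I would add `proto icmpv6 icmpv6-type redirect DROP;` and `proto ipv6-icmp icmpv6-type redirect DROP;` to this file, with the matching lines in icmp.result. A companion case in the IPv4 tests showing what `icmpv6-type` does in domain `ip` would pin down the behaviour the new alias allows.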