NFTables.Expr.ICMP (NFTables v0.8.2)

View Source

ICMP and ICMPv6 matching functions for firewall rules.

This module provides functions to match ICMP (Internet Control Message Protocol) packets for both IPv4 (ICMP) and IPv6 (ICMPv6). ICMP is used for diagnostic and control messages like ping, traceroute, and network error reporting.

Common Use Cases

  • Allow ping (echo request/reply)
  • Block specific ICMP types for security
  • Allow ICMPv6 neighbor discovery (essential for IPv6)
  • Log ICMP unreachable messages

Import

import NFTables.Expr.ICMP

For more information, see the nftables ICMP wiki.

Summary

Functions

icmp(builder \\ Expr.expr())

Match ICMP protocol.

icmp_code(builder \\ Expr.expr(), code)

Match ICMP code (IPv4).

icmp_type(builder \\ Expr.expr(), type)

Match ICMP type (IPv4).

icmpv6_code(builder \\ Expr.expr(), code)

Match ICMPv6 code (IPv6).

icmpv6_type(builder \\ Expr.expr(), type)

Match ICMPv6 type (IPv6).

Functions

icmp(builder \\ Expr.expr())

@spec icmp(NFTables.Expr.t()) :: NFTables.Expr.t()

Match ICMP protocol.

Convenience function for matching the ICMP protocol. This sets the protocol context to ICMP, which is useful for combining with ICMP type/code matchers.

Supports dual-arity: can start a new expression or continue an existing one.

Examples

# Match all ICMP traffic
icmp() |> accept()

# ICMP with type matching
icmp() |> icmp_type(:echo_request) |> accept()

# Block all ICMP
icmp() |> drop()

Protocol Context

After calling this function, the expression's protocol context is set to :icmp.

icmp_code(builder \\ Expr.expr(), code)

@spec icmp_code(NFTables.Expr.t(), non_neg_integer()) :: NFTables.Expr.t()

Match ICMP code (IPv4).

Must be used in conjunction with icmp_type.

Example

# Match destination unreachable, port unreachable
icmp_type(:dest_unreachable)
|> icmp_code(3)
|> accept()

icmp_type(builder \\ Expr.expr(), type)

@spec icmp_type(NFTables.Expr.t(), atom() | non_neg_integer()) :: NFTables.Expr.t()

Match ICMP type (IPv4).

Common ICMP Types

  • 0 or :echo_reply - Echo Reply (ping response)
  • 3 or :dest_unreachable - Destination Unreachable
  • 8 or :echo_request - Echo Request (ping)
  • 11 or :time_exceeded - Time Exceeded (traceroute)
  • 13 or :timestamp_request - Timestamp Request
  • 14 or :timestamp_reply - Timestamp Reply

Example

# Allow ping requests
icmp_type(:echo_request) |> accept()

# Block all ICMP except ping
icmp_type(:echo_request) |> accept()
protocol(:icmp) |> drop()

icmpv6_code(builder \\ Expr.expr(), code)

@spec icmpv6_code(NFTables.Expr.t(), non_neg_integer()) :: NFTables.Expr.t()

Match ICMPv6 code (IPv6).

Must be used in conjunction with icmpv6_type.

Example

icmpv6_type(:dest_unreachable)
|> icmpv6_code(4)
|> drop()

icmpv6_type(builder \\ Expr.expr(), type)

@spec icmpv6_type(NFTables.Expr.t(), atom() | non_neg_integer()) :: NFTables.Expr.t()

Match ICMPv6 type (IPv6).

Common ICMPv6 Types

  • 1 or :dest_unreachable - Destination Unreachable
  • 128 or :echo_request - Echo Request (ping)
  • 129 or :echo_reply - Echo Reply
  • 133 or :router_solicit - Router Solicitation
  • 134 or :router_advert - Router Advertisement
  • 135 or :neighbour_solicit - Neighbor Solicitation
  • 136 or :neighbour_advert - Neighbor Advertisement

Example

# Allow ICMPv6 ping
icmpv6_type(:echo_request) |> accept()

# Allow neighbor discovery (essential for IPv6)
icmpv6_type(:neighbour_solicit) |> accept()
icmpv6_type(:neighbour_advert) |> accept()