IPFW Filtering ICMP with ipfw Q: icmptype AND code?

[astounding]

I know I can have ipfw rules matching the ICMP protocol and specify one or more icmptypes. But how do I also match on the ICMP type's code (those that have such)? For example I can easily match ICMP type 3 (destination unreachable) messages:

ipfw add 1000 count log icmp from me to 192.168.1.200 out icmptypes 3

BUT I really need to NOT match ALL destination unreachable ICMP messages, just ICMP type 3's code 3 (port unreachable) only. How do I do that? Is it possible? I had a vague memory of it being possible, but I cannot find any documentation matching my vague impression.

Wishfully, I'd love something like this (this does NOT exist):

ipfw add 1000 count log icmp from me to 192.168.1.200 out icmptypes 3 icmpcode 3

Any chance I've missed something simple that lets me accomplish a match ONLY for ICMP port unreachable messages?

Thanks,
--Aaron

 

[Alain De Vos]

man page contains:

unreach code
             Discard packets that match this rule, and try to send an ICMP
             unreachable notice with code code, where code is a number from 0
             to 255, or one of these aliases: net, host, protocol, port,
             needfrag, srcfail, net-unknown, host-unknown, isolated,
             net-prohib, host-prohib, tosnet, toshost, filter-prohib,
             host-precedence or precedence-cutoff.  The search terminates.

 

[astounding]

man page contains:

unreach code
             Discard packets that match this rule, and try to send an ICMP
             unreachable notice with code code, where code is a number from 0
             to 255, or one of these aliases: net, host, protocol, port,
             needfrag, srcfail, net-unknown, host-unknown, isolated,
             net-prohib, host-prohib, tosnet, toshost, filter-prohib,
             host-precedence or precedence-cutoff.  The search terminates.

That's not what I'm trying to do. I am not sending a response. I want to match ICMP packets, NOT reject with an ICMP code.

Thanks.

 

[rootbert]

interesting, seems like it is not possible with ipfw - but pf supports that

 

[Alain De Vos]

indeed, man pf.conf,
icmp-type ⟨type⟩ code ⟨code⟩

 

[astounding]

Sadly the hosts I need to use this on are tightly bound to existing ipfw rulesets. *sigh*

 

[covacat]

depending on the effort you want to put in you can
patch ipfw userland / kernel
write a divert socket program that further analyzes the packet and does whatever
run a minimal jail / vm with pf and forward icmp type 3 to them