git.baikalelectronics.ru Git - kernel.git/commit

author	Laura Garcia Liebana <nevola@gmail.com>
	Sun, 31 May 2020 20:26:23 +0000 (22:26 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 30 Jun 2020 16:21:02 +0000 (18:21 +0200)
commit	15298db1a0484d8a61a9ca100373d35eca193f6c
tree	ec4a73ff313b5481ecb726dcad675f41aab7c766	tree \| snapshot
parent	e874a6e7c755c27a8c368f0788b8366e52bf67d8	commit \| diff

netfilter: introduce support for reject at prerouting stage

REJECT statement can be only used in INPUT, FORWARD and OUTPUT
chains. This patch adds support of REJECT, both icmp and tcp
reset, at PREROUTING stage.

The need for this patch comes from the requirement of some
forwarding devices to reject traffic before the natting and
routing decisions.

The main use case is to be able to send a graceful termination
to legitimate clients that, under any circumstances, the NATed
endpoints are not available. This option allows clients to
decide either to perform a reconnection or manage the error in
their side, instead of just dropping the connection and let
them die due to timeout.

It is supported ipv4, ipv6 and inet families for nft
infrastructure.

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/ipv4/netfilter/nf_reject_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/nf_reject_ipv6.c		diff \| blob \| history
net/netfilter/nft_reject.c		diff \| blob \| history