git.baikalelectronics.ru Git - kernel.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Sat, 31 Oct 2020 10:24:08 +0000 (11:24 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sun, 1 Nov 2020 11:52:17 +0000 (12:52 +0100)
commit	fc95f0495a51493aaa3b8aae66c6a89aab800f03
tree	1b66dfb688a7aa52f5a53615526074515ce1a66b	tree \| snapshot
parent	dcf80c0c74a74ab252d17eac1f4ac27da11f3d89	commit \| diff

netfilter: nft_reject_inet: allow to use reject from inet ingress

Enhance validation to support for reject from inet ingress chains.

Note that, reject from inet ingress and netdev ingress differ.

Reject packets from inet ingress are sent through ip_local_out() since
inet reject emulates the IP layer receive path. So the reject packet
follows to classic IP output and postrouting paths.

The reject action from netdev ingress assumes the packet not yet entered
the IP layer, so the reject packet is sent through dev_queue_xmit().
Therefore, reject packets from netdev ingress do not follow the classic
IP output and postrouting paths.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/ipv4/netfilter/nf_reject_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/nf_reject_ipv6.c		diff \| blob \| history
net/netfilter/nft_reject_inet.c		diff \| blob \| history