git.baikalelectronics.ru Git - kernel.git/commit
netfilter: nft_reject: introduce icmp code abstraction for inet and bridge
author: Pablo Neira Ayuso <pablo@netfilter.org>
Fri, 26 Sep 2014 12:35:14 +0000 (14:35 +0200)
committer: Pablo Neira Ayuso <pablo@netfilter.org>
Thu, 2 Oct 2014 16:29:57 +0000 (18:29 +0200)
commit: 10e73cae52ac94ae2e4923649ddc555f056f3f8a
tree: 62255f89e7725a5173d4b4e4f002f114ad524dda
parent: 48b8fe6c4bde94d978f044cf7a092036920e6330

This patch introduces the NFT_REJECT_ICMPX_UNREACH type which provides
an abstraction to the ICMP and ICMPv6 codes that you can use from the
inet and bridge tables. They are:

* NFT_REJECT_ICMPX_NO_ROUTE: no route to host - network unreachable
* NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
* NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
* NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratively prohibited

You can still use the specific codes when restricting the rule to match
the corresponding layer 3 protocol.

I decided to not overload the existing NFT_REJECT_ICMP_UNREACH to have
different semantics depending on the table family and to allow the user
to specify ICMP family specific codes if they restrict it to the
corresponding family.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/ipv4/nf_reject.h
include/net/netfilter/nft_reject.h
include/uapi/linux/netfilter/nf_tables.h
net/bridge/netfilter/nft_reject_bridge.c
net/ipv4/netfilter/nft_reject_ipv4.c
net/netfilter/nft_reject.c
net/netfilter/nft_reject_inet.c
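As an added illustration, not code from this commit, here is a small user-space C model of the translation that the NFT_REJECT_ICMPX_UNREACH type implies: one abstract code chosen by the rule, resolved to a family-specific ICMP or ICMPv6 code once the packet's layer 3 family is known. The enum order and the ICMPX-to-ICMP pairing are assumptions made for the example; the ICMP and ICMPv6 code values are the standard RFC 792 / RFC 4443 ones.

```c
/* Added example, not the kernel's nft_reject code: models how one abstract
 * "unreachable" code maps onto per-family ICMP codes. Enum order and the
 * pairing below are assumptions; the ICMP code numbers are the RFC values. */

/* Abstract codes, in the order listed in the commit message (assumed). */
enum icmpx_code {
	ICMPX_NO_ROUTE = 0,
	ICMPX_PORT_UNREACH,
	ICMPX_HOST_UNREACH,
	ICMPX_ADMIN_PROHIBITED,
	ICMPX_MAX
};

/* ICMPv4 "destination unreachable" (type 3) codes, RFC 792 / RFC 1812. */
#define ICMP4_NET_UNREACH    0
#define ICMP4_HOST_UNREACH   1
#define ICMP4_PORT_UNREACH   3
#define ICMP4_PKT_FILTERED   13

/* ICMPv6 "destination unreachable" (type 1) codes, RFC 4443. */
#define ICMP6_NOROUTE        0
#define ICMP6_ADM_PROHIBITED 1
#define ICMP6_ADDR_UNREACH   3
#define ICMP6_PORT_UNREACH   4

/* Abstract code -> ICMPv4 code; -1 rejects an out-of-range code so a
 * bad value from userspace never selects a garbage table entry. */
int icmpx_to_icmp4(int code)
{
	static const int map[ICMPX_MAX] = {
		[ICMPX_NO_ROUTE]         = ICMP4_NET_UNREACH,
		[ICMPX_PORT_UNREACH]     = ICMP4_PORT_UNREACH,
		[ICMPX_HOST_UNREACH]     = ICMP4_HOST_UNREACH,
		[ICMPX_ADMIN_PROHIBITED] = ICMP4_PKT_FILTERED,
	};
	return (code >= 0 && code < ICMPX_MAX) ? map[code] : -1;
}

/* Abstract code -> ICMPv6 code, same range check. */
int icmpx_to_icmp6(int code)
{
	static const int map[ICMPX_MAX] = {
		[ICMPX_NO_ROUTE]         = ICMP6_NOROUTE,
		[ICMPX_PORT_UNREACH]     = ICMP6_PORT_UNREACH,
		[ICMPX_HOST_UNREACH]     = ICMP6_ADDR_UNREACH,
		[ICMPX_ADMIN_PROHIBITED] = ICMP6_ADM_PROHIBITED,
	};
	return (code >= 0 && code < ICMPX_MAX) ? map[code] : -1;
}

/* Inet and bridge tables see both families, so the choice is made per
 * packet. 2 and 10 are Linux AF_INET / AF_INET6, used here as literals. */
int icmpx_code_for_family(int family, int code)
{
	switch (family) {
	case 2:  return icmpx_to_icmp4(code);
	case 10: return icmpx_to_icmp6(code);
	default: return -1;
	}
}
```

The family-specific codes (NFT_REJECT_ICMP_UNREACH style) bypass this step entirely, which is why the commit keeps them separate rather than overloading one type with two meanings.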