51b0a5d8c2
This patch introduces the NFT_REJECT_ICMPX_UNREACH type which provides an abstraction to the ICMP and ICMPv6 codes that you can use from the inet and bridge tables, they are: * NFT_REJECT_ICMPX_NO_ROUTE: no route to host - network unreachable * NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable * NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable * NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratevely prohibited You can still use the specific codes when restricting the rule to match the corresponding layer 3 protocol. I decided to not overload the existing NFT_REJECT_ICMP_UNREACH to have different semantics depending on the table family and to allow the user to specify ICMP family specific codes if they restrict it to the corresponding family. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
21 lines
448 B
C
21 lines
448 B
C
#ifndef _NFT_REJECT_H_
|
|
#define _NFT_REJECT_H_
|
|
|
|
struct nft_reject {
|
|
enum nft_reject_types type:8;
|
|
u8 icmp_code;
|
|
};
|
|
|
|
extern const struct nla_policy nft_reject_policy[];
|
|
|
|
int nft_reject_init(const struct nft_ctx *ctx,
|
|
const struct nft_expr *expr,
|
|
const struct nlattr * const tb[]);
|
|
|
|
int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr);
|
|
|
|
int nft_reject_icmp_code(u8 code);
|
|
int nft_reject_icmpv6_code(u8 code);
|
|
|
|
#endif
|