| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-09-26 08:35:14 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-02 12:29:57 -0400 |
| commit | 51b0a5d8c21a91801bbef9bcc8639dc0b206c6cd (patch) | |
| tree | 62255f89e7725a5173d4b4e4f002f114ad524dda /include/uapi/linux | |
| parent | 2c804d0f8fc7799981d9fdd8c88653541b28c1a7 (diff) | |
netfilter: nft_reject: introduce icmp code abstraction for inet and bridge
This patch introduces the NFT_REJECT_ICMPX_UNREACH type which provides
an abstraction to the ICMP and ICMPv6 codes that you can use from the
inet and bridge tables, they are:
* NFT_REJECT_ICMPX_NO_ROUTE: no route to host - network unreachable
* NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
* NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
* NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratively prohibited
You can still use the specific codes when restricting the rule to match
the corresponding layer 3 protocol.
I decided to not overload the existing NFT_REJECT_ICMP_UNREACH to have
different semantics depending on the table family and to allow the user
to specify ICMP family specific codes if they restrict it to the
corresponding family.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/uapi/linux')
| -rw-r--r-- | include/uapi/linux/netfilter/nf_tables.h | 21 |
1 files changed, 21 insertions, 0 deletions
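diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index b72ccfeaf865..c26df6787fb0 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -749,13 +749,34 @@ enum nft_queue_attributes {
  *
  * @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable
  * @NFT_REJECT_TCP_RST: reject using TCP RST
+ * @NFT_REJECT_ICMPX_UNREACH: abstracted ICMP unreachable for bridge and inet
  */
 enum nft_reject_types {
 	NFT_REJECT_ICMP_UNREACH,
 	NFT_REJECT_TCP_RST,
+	NFT_REJECT_ICMPX_UNREACH,
 };
 
 /**
+ * enum nft_reject_code - Generic reject codes for IPv4/IPv6
+ *
+ * @NFT_REJECT_ICMPX_NO_ROUTE: no route to host / network unreachable
+ * @NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
+ * @NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
+ * @NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratively prohibited
+ *
+ * These codes are mapped to real ICMP and ICMPv6 codes.
+ */
+enum nft_reject_inet_code {
+	NFT_REJECT_ICMPX_NO_ROUTE = 0,
+	NFT_REJECT_ICMPX_PORT_UNREACH,
+	NFT_REJECT_ICMPX_HOST_UNREACH,
+	NFT_REJECT_ICMPX_ADMIN_PROHIBITED,
+	__NFT_REJECT_ICMPX_MAX
+};
+#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX + 1)
+
+/**
  * enum nft_reject_attributes - nf_tables reject expression netlink attributes
  *
  * @NFTA_REJECT_TYPE: packet type to use (NLA_U32: nft_reject_types)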
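Review bot: `NFT_REJECT_ICMPX_MAX` is defined as `(__NFT_REJECT_ICMPX_MAX + 1)`, which evaluates to 5 while the last valid code, NFT_REJECT_ICMPX_ADMIN_PROHIBITED, is 3; the usual kernel pattern for a `__X_MAX` end sentinel is `#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX - 1)`. With the current value, a range check of the form `code > NFT_REJECT_ICMPX_MAX` on the userspace-supplied netlink code attribute would accept 4 and 5, values that have no ICMP/ICMPv6 mapping, and if the in-kernel translation is a table indexed by the code that becomes an out-of-bounds read reachable from netlink — the validation and mapping code is not in this hunk, so that consequence is inferred. Separately, the kernel-doc header names `enum nft_reject_code` but the enum is declared as `nft_reject_inet_code`, so the header line should read ` * enum nft_reject_inet_code - Generic reject codes for IPv4/IPv6`. The nft_reject_attributes comment at the end of the hunk continues outside it, so whether a dedicated attribute carries the ICMPX code cannot be checked here.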
