1. 02 Oct, 2014 2 commits
    • netfilter: move nf_send_resetX() code to nf_reject_ipvX modules · c8d7b98b
      Pablo Neira Ayuso authored
      Move nf_send_reset() and nf_send_reset6() to nf_reject_ipv4 and
      nf_reject_ipv6 respectively. This code is shared by x_tables and
      nf_tables.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nft_reject: introduce icmp code abstraction for inet and bridge · 51b0a5d8
      Pablo Neira Ayuso authored
      This patch introduces the NFT_REJECT_ICMPX_UNREACH type which provides
      an abstraction to the ICMP and ICMPv6 codes that you can use from the
      inet and bridge tables, they are:
      
      * NFT_REJECT_ICMPX_NO_ROUTE: no route to host - network unreachable
      * NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
      * NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
      * NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratively prohibited
      
      You can still use the specific codes when restricting the rule to match
      the corresponding layer 3 protocol.
      
      I decided to not overload the existing NFT_REJECT_ICMP_UNREACH to have
      different semantics depending on the table family and to allow the user
      to specify ICMP family specific codes if they restrict it to the
      corresponding family.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 01 Oct, 2014 3 commits
  3. 30 Sep, 2014 35 commits