Re: [netfilter-core] Mangle table rules are not taken into account

Pascal Hambourg wrote:
> Konstantin Ushakov a écrit :
> >>What about the REJECT target ?
> >
> > Correct me if I'm mistaken, but REJECT target is only valid in filter
> > table.
>
> Correct.
>
> > But the packet does not reach filter table because of reasons
> > described by Patric (as we DROP it after mangle).
>
> I meant to use the REJECT target /instead of/ an "unreachable" routing
> rule.
>
> Remove
> ip rule add from all fwmark 0xb lookup 99 unreachable prio 40000
>
> And add
> iptables -t filter -A OUTPUT -m mark --mark 0xb \
>    -j REJECT --reject-with icmp-net-unreachable

Or make it really simple, and use REJECT in mangle with something like this:

--- ipt_REJECT.bak.c    2007-10-12 08:25:17.000000000 +0300
+++ ipt_REJECT.c        2007-10-12 08:31:44.000000000 +0300
@@ -165,6 +165,7 @@ static void send_reset(struct sk_buff *o
 
 static inline void send_unreach(struct sk_buff *skb_in, int code)
 {
+       if (!skb_in->dst) ip_route_me_harder(&skb_in, RTN_UNSPEC);
        icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
 }
 
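Review bot: the return value of ip_route_me_harder() is ignored on the added line in send_unreach(); the call can fail, and icmp_send() is then still invoked on a packet that has no route attached. Suggest checking it and bailing out, e.g. `if (!skb_in->dst && ip_route_me_harder(&skb_in, RTN_UNSPEC) != 0) return;`, and putting the body on its own line under the `if` as kernel coding style asks.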
@@ -245,9 +246,6 @@ static struct xt_target ipt_reject_reg =
        .family         = AF_INET,
        .target         = reject,
        .targetsize     = sizeof(struct ipt_reject_info),
-       .table          = "filter",
-       .hooks          = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-                         (1 << NF_IP_LOCAL_OUT),
        .checkentry     = check,
        .me             = THIS_MODULE,
 };
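Review bot: deleting both `.table` and `.hooks` lifts every restriction at once, so REJECT becomes usable from any table at any hook, including PRE_ROUTING and POST_ROUTING, which is much wider than the mangle use case the cover text describes. Suggest removing only the `.table = "filter"` line and keeping the `.hooks` mask (extended with NF_IP_PRE_ROUTING if that is the hook actually needed), so the target stays confined to hooks where a reply can sensibly be generated. Note also that this patch only touches send_unreach(); the reset path in send_reset() is unchanged, so any hook newly allowed here must be safe for both.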


Thanks!

--
Al
