If you add the rule:
nft add rule inet filter input reject with icmpx type host-unreachable
nft list table inet filter
shows:
table inet filter {
chain input {
reject with icmpx type 2
}
}
We have to attach the icmpx datatype when we list the rules that use it. With
this patch if we list the ruleset, the output is:
table inet filter {
chain input {
reject with icmpx type host-unreachable
}
}
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@xxxxxxxxx>
---
src/netlink_delinearize.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 4bb4697..3e7aed4 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -928,8 +928,10 @@ static void stmt_reject_postprocess(struct rule_pp_ctx rctx, struct stmt *stmt)
stmt->reject.expr->dtype = &icmpv6_code_type;
break;
case NFPROTO_INET:
- if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH)
+ if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) {
+ stmt->reject.expr->dtype = &icmpx_code_type;
break;
+ }
base = rctx.pctx.protocol[PROTO_BASE_LL_HDR].desc;
desc = rctx.pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
protocol = proto_find_num(base, desc);
@@ -944,8 +946,10 @@ static void stmt_reject_postprocess(struct rule_pp_ctx rctx, struct stmt *stmt)
stmt->reject.family = protocol;
break;
case NFPROTO_BRIDGE:
- if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH)
+ if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) {
+ stmt->reject.expr->dtype = &icmpx_code_type;
break;
+ }
base = rctx.pctx.protocol[PROTO_BASE_LL_HDR].desc;
desc = rctx.pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
protocol = proto_find_num(base, desc);
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
