On Wed, Oct 22, 2014 at 03:25:53PM +0200, Alvaro Neira Ayuso wrote:
> In Inet tables, we have to check the network context in rules that we use
> icmp or icmpv6 reason in reject, to be sure that the context is the correct one.
> However, for icmpx and tcp reject, we don't need to check it.
>
> In Bridge tables, we have vlan and arp traffic and they are not supported.
> For these things, we have to check the network context. For example:
>
> nft add rule bridge test-bridge input \
>     ether type arp reject with icmp type host-unreachable
> or
> nft add rule bridge test-bridge input \
>     ether type vlan reject with tcp reset
>
> In those cases, we have to throw an error. Moreover, we have to accept rules
> that the network context is IPv4 and IPv6. For example:
>
> nft add rule -nnn bridge test-bridge input \
>     ip protocol tcp reject with tcp reset
>
> Moreover, this patch refactors the code for checking the family for bridge and inet
> tables.

Applied, thanks.