Hi,
I made an early design mistake by adding support for bridge reject that
relies on the IP stack, that was not a good idea. So this patchset
amends the situation by:
1) Refactoring common code that can be reused to forge the reject packets
now available at nf_reject_ipv4 and nf_reject_ipv6 from the bridge stack.
2) Forge the reject packets (TCP and ICMP dest unreach) that are injected
into the bridge stack using br_deliver() to the bridge port origin.
So the idea is to avoid any interaction with the IP stack, that has been
causing us problems specifically in the br_netfilter code. This also
aims to provide a native replacement to the use of iptables ... -j REJECT
from br_netfilter.
Note that I have restricted the reject expression to bridge prerouting and
input. Otherwise, I think we may send several reject reject packets when
there is no destination yet in the bridge fdb.
Comments welcome. Thanks.
Pablo Neira Ayuso (5):
netfilter: nf_tables_bridge: update hook_mask to allow {pre,post}routing
netfilter: nf_reject_ipv4: split nf_send_reset() in smaller functions
netfilter: nf_reject_ipv6: split nf_send_reset6() in smaller functions
netfilter: nft_reject_bridge: don't use IP stack to reject traffic
netfilter: nft_reject_bridge: restrict reject to prerouting and input
include/net/netfilter/ipv4/nf_reject.h | 10 +
include/net/netfilter/ipv6/nf_reject.h | 10 +
net/bridge/br_forward.c | 1 +
net/bridge/netfilter/nf_tables_bridge.c | 6 +-
net/bridge/netfilter/nft_reject_bridge.c | 296 ++++++++++++++++++++++++++++--
net/ipv4/netfilter/nf_reject_ipv4.c | 88 ++++++---
net/ipv6/netfilter/nf_reject_ipv6.c | 174 +++++++++++-------
7 files changed, 480 insertions(+), 105 deletions(-)
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
