On 5 January 2016 at 07:55, Shivani Bhardwaj <shivanib134@xxxxxxxxx> wrote:
>
> +static const struct reject_names_xlate reject_table_xlate[] = {
> +	{"no-route", IP6T_ICMP6_NO_ROUTE},
> +	{"admin-prohibited", IP6T_ICMP6_ADM_PROHIBITED},
> +#if 0
> +	{"not-neighbour", IP6T_ICMP6_NOT_NEIGHBOR},
> +#endif
> +	{"addr-unreachable", IP6T_ICMP6_ADDR_UNREACH},
> +	{"port-unreachable", IP6T_ICMP6_PORT_UNREACH},
> +	{"tcp reset", IP6T_TCP_RESET},
> +	{"policy-fail", IP6T_ICMP6_POLICY_FAIL},
> +	{"reject-route", IP6T_ICMP6_REJECT_ROUTE}
> +};

I wonder about the reason behind including code which, it seems, is not going to be compiled.
It was in the original extension code, perhaps you can revisit that now.

> +
> +static int REJECT_xlate(const struct xt_entry_target *target,
> +			struct xt_buf *buf, int numeric)
> +{
> +	const struct ip6t_reject_info *reject =
> +		(const struct ip6t_reject_info *)target->data;
> +	unsigned int i;
> +
> +	for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i)
> +		if (reject_table_xlate[i].with == reject->with)
> +			break;
> +	if (reject->with == IP6T_TCP_RESET)
> +		xt_buf_add(buf, "reject with %s", reject_table_xlate[i].name);
> +	else
> +		xt_buf_add(buf, "reject with icmpv6 type %s",
> +			   reject_table_xlate[i].name);
> +
> +	return 1;
> +}
> +

AFAIK, -j REJECT can be used without further options. However, this _xlate() function doesn't seem to support it.

I would print unconditionally the 'reject' keyword and, in case some option was used, then include the 'with XXX' thing. I.e. the rule:

% [...] -p tcp --dport 22 -j REJECT

translates to:

% nft add rule [...] tcp dport 22 reject

and the rule:

% [...] -p tcp --dport 22 -j REJECT --reject-with no-route

translates to:

% nft add rule [...] tcp dport 22 reject with icmpv6 type no-route

-- 
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
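Review bot: the lookup loop in REJECT_xlate() has no not-found fallback, so a reject->with value that is absent from reject_table_xlate (for instance IP6T_ICMP6_NOT_NEIGHBOR, whose entry is compiled out under '#if 0') leaves i equal to ARRAY_SIZE(reject_table_xlate), and the following 'reject_table_xlate[i].name' reads one element past the end of the array before it is passed to xt_buf_add(). Add a check such as 'if (i == ARRAY_SIZE(reject_table_xlate)) return 0;' before the xt_buf_add() calls, or keep an entry for every enum value the kernel can hand back so the table always matches; the unused 'numeric' parameter could also be marked as such or used.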