On Tue, Jan 5, 2016 at 5:00 PM, Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> wrote:
> On 5 January 2016 at 07:55, Shivani Bhardwaj <shivanib134@xxxxxxxxx> wrote:
>>
>> +static const struct reject_names_xlate reject_table_xlate[] = {
>> + {"no-route", IP6T_ICMP6_NO_ROUTE},
>> + {"admin-prohibited", IP6T_ICMP6_ADM_PROHIBITED},
>> +#if 0
>> + {"not-neighbour", IP6T_ICMP6_NOT_NEIGHBOR},
>> +#endif
>> + {"addr-unreachable", IP6T_ICMP6_ADDR_UNREACH},
>> + {"port-unreachable", IP6T_ICMP6_PORT_UNREACH},
>> + {"tcp reset", IP6T_TCP_RESET},
>> + {"policy-fail", IP6T_ICMP6_POLICY_FAIL},
>> + {"reject-route", IP6T_ICMP6_REJECT_ROUTE}
>> +};
>
> I wonder the reason behind including code which seems is not going to
> be compiled.
> It was in the original extension code, perhaps you can revisit that now.
>

Hi Arturo,

I've removed the if endif block. Thanks for pointing out. If you're
referring to some other thing please let me know.

>> +
>> +static int REJECT_xlate(const struct xt_entry_target *target,
>> + struct xt_buf *buf, int numeric)
>> +{
>> + const struct ip6t_reject_info *reject =
>> + (const struct ip6t_reject_info *)target->data;
>> + unsigned int i;
>> +
>> + for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i)
>> + if (reject_table_xlate[i].with == reject->with)
>> + break;
>> + if (reject->with == IP6T_TCP_RESET)
>> + xt_buf_add(buf, "reject with %s", reject_table_xlate[i].name);
>> + else
>> + xt_buf_add(buf, "reject with icmpv6 type %s",
>> + reject_table_xlate[i].name);
>> +
>> + return 1;
>> +}
>> +
>
> AFAIK, -j REJECT can be used without further options. However, this
> _xlate() function doesn't seem to support it.
>
> I would print unconditionally the 'reject' keyword and in case some
> option was used, then include the 'with XXX' thing.
>

In the reject module for ip, port unreachable is mentioned as the
default option if the reject target is called.

static const struct reject_names reject_table[] = {
    ...
    {"icmp-port-unreachable", "port-unreach",
     IPT_ICMP_PORT_UNREACHABLE, "ICMP port unreachable (default)"}
    ...
}

Same is happening in case of ipv6. Should I be removing this default
nature of both of them?

Thank you

> i.e:
>
> the rule:
> % [...] -p tcp --dport 22 -j REJECT
> translates to:
> % nft add rule [...] tcp dport 22 reject
>
> and the rule:
> % [...] -p tcp --dport 22 -j REJECT --reject-with no-route
> translates to:
> % nft add rule [...] tcp dport 22 reject with icmpv6 type no-route
>
> --
> Arturo Borrero González
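
Review bot: The "tcp reset" entry in reject_table_xlate is the only name that contains a space and the only one that is not an ICMPv6 type, and nothing in the table says why. REJECT_xlate() prints .name verbatim into the translated rule, so a one-line comment above the table stating that these strings are the keywords emitted in the output would keep someone from later changing it to a hyphen to match the other entries. The #if 0 block around "not-neighbour" should either be dropped or carry a comment explaining why that entry is disabled.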
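
Review bot: In REJECT_xlate() the for loop can finish without a match, which leaves i equal to ARRAY_SIZE(reject_table_xlate), and both xt_buf_add() calls then read reject_table_xlate[i].name one element past the end of the table. With the "not-neighbour" entry under #if 0, a reject->with of IP6T_ICMP6_NOT_NEIGHBOR is one value that takes this path. Compare i against ARRAY_SIZE(reject_table_xlate) after the loop and bail out before formatting anything, rather than assuming target->data always holds a value that is listed in the table.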