Re: [PATCH] extensions: libip6t_REJECT: Add translation to nft

On 5 January 2016 at 13:48, Shivani Bhardwaj <shivanib134@xxxxxxxxx> wrote:
> On Tue, Jan 5, 2016 at 5:00 PM, Arturo Borrero Gonzalez
> <arturo.borrero.glez@xxxxxxxxx> wrote:
>> On 5 January 2016 at 07:55, Shivani Bhardwaj <shivanib134@xxxxxxxxx> wrote:
>>>
>>> +static const struct reject_names_xlate reject_table_xlate[] = {
>>> +       {"no-route",            IP6T_ICMP6_NO_ROUTE},
>>> +       {"admin-prohibited",    IP6T_ICMP6_ADM_PROHIBITED},
>>> +#if 0
>>> +       {"not-neighbour",       IP6T_ICMP6_NOT_NEIGHBOR},
>>> +#endif
>>> +       {"addr-unreachable",    IP6T_ICMP6_ADDR_UNREACH},
>>> +       {"port-unreachable",    IP6T_ICMP6_PORT_UNREACH},
>>> +       {"tcp reset",           IP6T_TCP_RESET},
>>> +       {"policy-fail",         IP6T_ICMP6_POLICY_FAIL},
>>> +       {"reject-route",        IP6T_ICMP6_REJECT_ROUTE}
>>> +};
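Review bot: the `#if 0` / `#endif` pair around `{"not-neighbour", IP6T_ICMP6_NOT_NEIGHBOR},` is dead code in a brand-new table and should be dropped rather than copied over from the existing extension. Separately, `{"tcp reset", IP6T_TCP_RESET},` is the only name containing a space; that is deliberate, since the `reject with %s` output must read as nft syntax, so a short comment stating that the names are nft keywords verbatim would keep a later cleanup from turning it into `tcp-reset`.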
>>
>> I wonder about the reason behind including code which seems like it is not going to
>> be compiled.
>> It was in the original extension code, perhaps you can revisit that now.
>>
> Hi Arturo,
>
> I've removed the #if/#endif block. Thanks for pointing it out.
> If you're referring to something else, please let me know.
>
>>> +
>>> +static int REJECT_xlate(const struct xt_entry_target *target,
>>> +                       struct xt_buf *buf, int numeric)
>>> +{
>>> +       const struct ip6t_reject_info *reject =
>>> +                               (const struct ip6t_reject_info *)target->data;
>>> +       unsigned int i;
>>> +
>>> +       for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i)
>>> +               if (reject_table_xlate[i].with == reject->with)
>>> +                       break;
>>> +       if (reject->with == IP6T_TCP_RESET)
>>> +               xt_buf_add(buf, "reject with %s", reject_table_xlate[i].name);
>>> +       else
>>> +               xt_buf_add(buf, "reject with icmpv6 type %s",
>>> +                          reject_table_xlate[i].name);
>>> +
>>> +       return 1;
>>> +}
>>> +
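Review bot: the lookup loop at `for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i)` has no miss handling: if `reject->with` matches no table entry, `i` ends equal to `ARRAY_SIZE(reject_table_xlate)` and `reject_table_xlate[i].name` reads one past the end of the array. Add `if (i == ARRAY_SIZE(reject_table_xlate)) return 0;` before the `xt_buf_add()` calls so an unknown value makes the translation fail instead of printing garbage. Minor: the `IP6T_TCP_RESET` special case could test the matched entry (`reject_table_xlate[i].with`) rather than re-comparing `reject->with`, and the unused `numeric` parameter deserves a `(void)` or comment.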
>>
>> AFAIK, -j REJECT can be used without further options. However, this
>> _xlate() function doesn't seem to support it.
>>
>> I would print unconditionally the 'reject' keyword and in case some
>> option was used, then include the 'with XXX' thing.
>>
>
> In the reject module for ip, port unreachable is mentioned as the
> default option if the reject target is called.
>
> static const struct reject_names reject_table[] = {
> ...
> {"icmp-port-unreachable", "port-unreach",
>                 IPT_ICMP_PORT_UNREACHABLE, "ICMP port unreachable (default)"}
> ...
> }
>
> Same is happening in case of ipv6. Should I be removing this default
> nature of both of them?
>

Ok,

reading now the code in depth, I see there is no way the _xlate() can
get a REJECT target without the 'with' option.

So your patch looks good.

Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx>

-- 
Arturo Borrero González