Hi Laura,

On Mon, Jun 08, 2020 at 09:01:03PM +0200, Laura Garcia Liebana wrote:
> diff --git a/net/netfilter/nft_reject_netdev.c b/net/netfilter/nft_reject_netdev.c
> new file mode 100644
> index 000000000000..64123d80210d
> --- /dev/null
> +++ b/net/netfilter/nft_reject_netdev.c
[...]
> +static void nft_reject_netdev_eval(const struct nft_expr *expr,
> + struct nft_regs *regs,
> + const struct nft_pktinfo *pkt)
> +{
> + switch (ntohs(pkt->skb->protocol)) {
> + case ETH_P_IP:
> + nft_reject_ipv4_eval(expr, regs, pkt);
> + break;
> + case ETH_P_IPV6:
> + nft_reject_ipv6_eval(expr, regs, pkt);
> + break;
> + }

We should reuse nft_reject_br_send_v4_tcp_reset() and nft_reject_br_send_v4_unreach() and call dev_queue_xmit() to send the reject packet. No need to inject this from LOCAL_OUT, given this packet is being rejected from the ingress path.

The reject action for netdev is actually more similar to the one that bridge supports than to what we have for inet. You can probably move the bridge functions to net/netfilter/nf_reject.c so this code can be shared between bridge reject and netdev.

I like your code refactoring in patch 1 though.
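Review bot: the switch in nft_reject_netdev_eval() has no default arm, so a frame whose skb->protocol is neither ETH_P_IP nor ETH_P_IPV6 (an 802.1Q-tagged frame or ARP on an ingress chain, for example) leaves regs->verdict untouched and the rule evaluation simply continues to the next rule instead of rejecting or dropping the packet. A reject expression should never let a matched packet through; add a `default: regs->verdict.code = NF_DROP;` arm after the ETH_P_IPV6 case, and if skipping non-IP traffic is the intended behaviour, make that explicit with NFT_BREAK and a comment so that it does not read as an oversight.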