Hi Pablo,

On Tue, Jun 9, 2020 at 5:35 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> Hi Laura,
>
> On Mon, Jun 08, 2020 at 09:01:03PM +0200, Laura Garcia Liebana wrote:
> > diff --git a/net/netfilter/nft_reject_netdev.c b/net/netfilter/nft_reject_netdev.c
> > new file mode 100644
> > index 000000000000..64123d80210d
> > --- /dev/null
> > +++ b/net/netfilter/nft_reject_netdev.c
> [...]
> > +static void nft_reject_netdev_eval(const struct nft_expr *expr,
> > +				   struct nft_regs *regs,
> > +				   const struct nft_pktinfo *pkt)
> > +{
> > +	switch (ntohs(pkt->skb->protocol)) {
> > +	case ETH_P_IP:
> > +		nft_reject_ipv4_eval(expr, regs, pkt);
> > +		break;
> > +	case ETH_P_IPV6:
> > +		nft_reject_ipv6_eval(expr, regs, pkt);
> > +		break;
> > +	}
>
> We should reuse nft_reject_br_send_v4_tcp_reset() and
> nft_reject_br_send_v4_unreach() and call dev_queue_xmit() to send the
> reject packet.
>
> No need to inject this from LOCAL_OUT, given this packet is being
> rejected from the ingress path.
>
> The reject action for netdev is more similar to the one that bridge
> supports than what we have for inet actually.
>
> You can probably move the bridge functions to
> net/netfilter/nf_reject.c so this code can be shared between bridge
> reject and netdev.
>

Thank you for your review; I'll apply the changes.

> I like your code refactoring in patch 1 though.
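Review bot: the switch in nft_reject_netdev_eval() has no default branch, so for a frame whose skb->protocol is neither ETH_P_IP nor ETH_P_IPV6 the expression returns without setting regs->verdict and evaluation of the rule simply continues; if unmatched frames are not meant to pass, add a `default:` arm that sets `regs->verdict.code = NF_DROP;` (or leave a comment stating why they should fall through). The quoted hunk is cut at `[...]`, so disregard this if a default arm exists further down in the full patch.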