This patch series comprises changes in kernel space and user space to enable the reject verdict for the netdev family. In addition, some code refactor has been made to the nft_reject infrastructure in kernel, adding two new functions to create the icmp or tcp reset skbuffs to avoid using ip_local_out. Also, reject init and dump functions has been unified into nft_reject.c This follows previous work from Laura García. nf-next ------- Jose M. Guisado Gomez (3): net: netfilter: add reject skbuff creation helpers net: netfilter: unify reject init and dump into nft_reject net: netfilter: add reject verdict support for netdev include/net/netfilter/ipv4/nf_reject.h | 10 + include/net/netfilter/ipv6/nf_reject.h | 9 + net/bridge/netfilter/Kconfig | 2 +- net/bridge/netfilter/nft_reject_bridge.c | 255 +---------------------- net/ipv4/netfilter/nf_reject_ipv4.c | 122 +++++++++++ net/ipv6/netfilter/nf_reject_ipv6.c | 134 ++++++++++++ net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nft_reject.c | 12 +- net/netfilter/nft_reject_inet.c | 60 +----- net/netfilter/nft_reject_netdev.c | 189 +++++++++++++++++ 11 files changed, 495 insertions(+), 309 deletions(-) create mode 100644 net/netfilter/nft_reject_netdev.c nftables -------- Jose M. Guisado Gomez (2): evaluate: add netdev support for reject default tests: py: add netdev folder and reject.t icmp cases src/evaluate.c | 1 + tests/py/netdev/reject.t | 20 +++++++++++ tests/py/netdev/reject.t.payload | 60 ++++++++++++++++++++++++++++++++ tests/py/nft-test.py | 2 +- 4 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 tests/py/netdev/reject.t create mode 100644 tests/py/netdev/reject.t.payload -- 2.28.0
