author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-07-26 17:22:32 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-07-26 17:50:19 +0200 |
commit | 08d2f049367153d2c3b03c95b2ca7256cdf3521d | |
tree | 35b291e94c051a50d1473d21932f6a27ff8498b5 /doc | |
parent | 1ab1fcbc19a82e03d229586b8fd5b16396a9fab7 |
src: promote 'reject with icmp CODE' syntax
The kernel already assumes that the ICMP type to reject a packet is
destination-unreachable, hence the user specifies the *ICMP code*.
Simplify the syntax to:
... reject with icmp port-unreachable
this removes the 'type' keyword before the ICMP code to reject the
packet with.
IIRC, the original intention is to leave room for future extensions that
allow to specify both the ICMP type and the ICMP code, this is however
not possible with the current inconsistent syntax.
Update manpages which also refer to ICMP type.
Adjust tests/py to the new syntax.
Fixes: 5fdd0b6a0600 ("nft: complete reject support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/libnftables-json.adoc | 2 |
-rw-r--r-- | doc/statements.txt | 6 |
2 files changed, 4 insertions, 4 deletions
diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc index fba4cb08..c152dc05 100644 --- a/doc/libnftables-json.adoc +++ b/doc/libnftables-json.adoc @@ -904,7 +904,7 @@ Reject the packet and send the given error reply. *type*:: Type of reject, either *"tcp reset"*, *"icmpx"*, *"icmp"* or *"icmpv6"*. *expr*:: - ICMP type to reject with. + ICMP code to reject with. All properties are optional. diff --git a/doc/statements.txt b/doc/statements.txt index 097cf2e0..af98e42c 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -163,9 +163,9 @@ REJECT STATEMENT ____ *reject* [ *with* 'REJECT_WITH' ] -'REJECT_WITH' := *icmp type* 'icmp_code' | - *icmpv6 type* 'icmpv6_code' | - *icmpx type* 'icmpx_code' | +'REJECT_WITH' := *icmp* 'icmp_code' | + *icmpv6* 'icmpv6_code' | + *icmpx* 'icmpx_code' | *tcp reset* ____ |
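Review bot: In the doc/libnftables-json.adoc hunk, the *expr*:: entry now reads "ICMP code to reject with." but does not say which ICMP type that code belongs to. The commit message states that the kernel assumes destination-unreachable, so spelling that out in the entry (for example "ICMP code to reject with, the ICMP type being destination-unreachable") would stop readers from supplying a type name there. The *type*:: property directly above it means the kind of reject, not the ICMP type, so the two entries are easy to misread together.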
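Review bot: In the doc/statements.txt hunk, the 'REJECT_WITH' grammar drops the *icmp type*, *icmpv6 type* and *icmpx type* forms without saying whether rulesets that still use "reject with icmp type ..." keep loading. This diffstat is limited to doc, so the parser side is not visible here; if the old spelling is still accepted, a sentence under REJECT STATEMENT marking it as a compatibility form would help people maintaining existing firewall rulesets, and if it is not, the section should say so.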