authorAlvaro Neira <alvaroneay@gmail.com>2014-09-30 17:21:40 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-10-09 13:53:11 +0200
commit5fdd0b6a0600e66f9ff6d9a1d6b749aa68a3ba99 (patch)
tree282a5201207e607a0ccc94c17cab9bebb12da723 /include
parent67094206871b3dbaabd48894bc171e67010762c4 (diff)
nft: complete reject support
This patch allows to use the reject action in rules. For example:

nft add rule filter input udp dport 22 reject

In this rule, we assume that the reason is network unreachable. Also we can specify the reason with the option "with" followed by the reason. For example:

nft add rule filter input tcp dport 22 reject with icmp type host-unreachable

In the bridge tables and inet tables, we can use this action too. For example:

nft add rule inet filter input reject with icmp type host-unreachable

In this rule above, this generates a meta nfproto dependency to match ipv4 traffic because we use an icmpv4 reason to reject. If the reason is not specified, we infer it from the context.

Moreover, we have the new icmpx datatype. You can use this datatype for the bridge and the inet tables to simplify your ruleset. For example:

nft add rule inet filter input reject with icmpx type host-unreachable

We have four icmpx reasons and the mapping is:

ICMPX reason     | ICMPv6           | ICMPv4
-----------------|------------------|-----------------
admin-prohibited | admin-prohibited | admin-prohibited
port-unreachable | port-unreachable | port-unreachable
no-route         | no-route         | net-unreachable
host-unreachable | addr-unreachable | host-unreachable

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/datatype.h9
-rw-r--r--include/linux/netfilter/nf_tables.h21
-rw-r--r--include/proto.h1
-rw-r--r--include/statement.h3
4 files changed, 34 insertions, 0 deletions
diff --git a/include/datatype.h b/include/datatype.h
index 51822637..15fea441 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -36,6 +36,9 @@
* @TYPE_ICMP6_TYPE: ICMPv6 type codes (integer subtype)
* @TYPE_CT_LABEL: Conntrack Label (bitmask subtype)
* @TYPE_PKTTYPE: packet type (integer subtype)
+ * @TYPE_ICMP_CODE: icmp code (integer subtype)
+ * @TYPE_ICMPV6_CODE: icmpv6 code (integer subtype)
+ * @TYPE_ICMPX_CODE: icmpx code (integer subtype)
*/
enum datatypes {
TYPE_INVALID,
@@ -70,6 +73,9 @@ enum datatypes {
TYPE_ICMP6_TYPE,
TYPE_CT_LABEL,
TYPE_PKTTYPE,
+ TYPE_ICMP_CODE,
+ TYPE_ICMPV6_CODE,
+ TYPE_ICMPX_CODE,
__TYPE_MAX
};
#define TYPE_MAX (__TYPE_MAX - 1)
@@ -194,6 +200,9 @@ extern const struct datatype arphrd_type;
extern const struct datatype inet_protocol_type;
extern const struct datatype inet_service_type;
extern const struct datatype mark_type;
+extern const struct datatype icmp_code_type;
+extern const struct datatype icmpv6_code_type;
+extern const struct datatype icmpx_code_type;
extern const struct datatype time_type;
extern const struct datatype *concat_type_alloc(const struct expr *expr);
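Review bot: The kernel-doc entries for the three new datatypes in the first hunk (`@TYPE_ICMPX_CODE: icmpx code (integer subtype)` and its two siblings) repeat the enumerator name and nothing more, so a reader of datatype.h cannot tell what distinguishes an icmpx code from an icmp or icmpv6 code. The abstraction the commit message describes — one reason name mapped to an ICMPv4 or ICMPv6 code depending on the family, for use in bridge and inet tables — belongs next to the declaration. Suggest `* @TYPE_ICMPX_CODE: icmpx code (integer subtype), abstract reject reason mapped to an ICMP or ICMPv6 code by family`. The enumerator and extern additions in the other two hunks need no change.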
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index b72ccfea..f04d997a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -749,13 +749,34 @@ enum nft_queue_attributes {
*
* @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable
* @NFT_REJECT_TCP_RST: reject using TCP RST
+ * @NFT_REJECT_ICMPX_UNREACH: abstracted ICMP unreachable for bridge and inet
*/
enum nft_reject_types {
NFT_REJECT_ICMP_UNREACH,
NFT_REJECT_TCP_RST,
+ NFT_REJECT_ICMPX_UNREACH,
};
/**
+ * enum nft_reject_code - Abstracted reject codes
+ *
+ * @NFT_REJECT_ICMPX_NO_ROUTE: no route to host - network unreachable
+ * @NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
+ * @NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
+ * @NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratevely prohibited
+ *
+ * These codes are mapped to real ICMP and ICMPv6 codes.
+ */
+enum nft_reject_inet_code {
+ NFT_REJECT_ICMPX_NO_ROUTE = 0,
+ NFT_REJECT_ICMPX_PORT_UNREACH,
+ NFT_REJECT_ICMPX_HOST_UNREACH,
+ NFT_REJECT_ICMPX_ADMIN_PROHIBITED,
+ __NFT_REJECT_ICMPX_MAX
+};
+#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX + 1)
+
+/**
* enum nft_reject_attributes - nf_tables reject expression netlink attributes
*
* @NFTA_REJECT_TYPE: packet type to use (NLA_U32: nft_reject_types)
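Review bot: `#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX + 1)` evaluates to 5 while the highest code defined in `enum nft_reject_inet_code` is NFT_REJECT_ICMPX_ADMIN_PROHIBITED (3), so any bound check written against it (`code > NFT_REJECT_ICMPX_MAX`) would let two undefined codes through; the `__*_MAX` sentinel convention used elsewhere in these headers, including `#define TYPE_MAX (__TYPE_MAX - 1)` in datatype.h in this same commit, is `- 1`, and I would change the line to `#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX - 1)`. Whether anything on the nft side consumes the macro is not visible in this diff, so the effect may be latent for now, but since this file mirrors the kernel uapi header a divergent value is worth fixing before it is copied onward. The new kernel-doc block also names the enum `nft_reject_code` while the definition is `nft_reject_inet_code`, and "administratevely" in the NFT_REJECT_ICMPX_ADMIN_PROHIBITED entry should read "administratively".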
diff --git a/include/proto.h b/include/proto.h
index cc1f51f0..0e531b24 100644
--- a/include/proto.h
+++ b/include/proto.h
@@ -252,6 +252,7 @@ enum udp_hdr_fields {
enum tcp_hdr_fields {
TCPHDR_INVALID,
+ TCPHDR_UNSPEC = TCPHDR_INVALID,
TCPHDR_SPORT,
TCPHDR_DPORT,
TCPHDR_SEQ,
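Review bot: `TCPHDR_UNSPEC = TCPHDR_INVALID,` introduces an alias with no comment, so a reader cannot tell whether "unspecified" is meant to be rejected by whatever code tests for TCPHDR_INVALID or accepted as a legitimate "no particular field" marker. A one-line comment on the new enumerator, such as `/* alias of TCPHDR_INVALID: no specific TCP header field is referenced */`, would settle that at the point of definition. Consumers of the alias are outside this diff, so which reading is intended cannot be confirmed here; presumably it serves the reject statement this commit adds.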
diff --git a/include/statement.h b/include/statement.h
index 7a57f7dd..574835cd 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -56,7 +56,10 @@ struct limit_stmt {
extern struct stmt *limit_stmt_alloc(const struct location *loc);
struct reject_stmt {
+ struct expr *expr;
enum nft_reject_types type;
+ int8_t icmp_code;
+ unsigned int family;
};
extern struct stmt *reject_stmt_alloc(const struct location *loc);
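Review bot: `int8_t icmp_code;` in `struct reject_stmt` is a signed type for a protocol code field: ICMP and ICMPv6 codes are unsigned octets, and as far as I know the netlink attribute that carries the code is an unsigned 8-bit value, so a code of 128 or above would be stored negative and compare or print wrongly; `uint8_t icmp_code;` avoids that. None of the codes this commit maps (icmpx 0..3 and the ICMP/ICMPv6 unreachable codes) reach that range, so the defect is latent rather than immediate, but a width-matching unsigned type also makes the netlink encode/decode path a plain copy. The three new fields carry no comment; each deserves one, and in particular `unsigned int family` should say what it holds — presumably the L3 family the chosen reason implies, per the commit message, which is worth confirming against the users of the struct, which lie outside this diff.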