-rw-r--r-- | src/evaluate.c | 44 | ||||
-rw-r--r-- | tests/regression/bridge/reject.t | 3 | ||||
-rw-r--r-- | tests/regression/inet/reject.t | 3 |
3 files changed, 48 insertions, 2 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 63ba82e3..2dd49fa6 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1357,6 +1357,9 @@ static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt,
 static int stmt_evaluate_reject_default(struct eval_ctx *ctx,
 					struct stmt *stmt)
 {
+	int protocol;
+	const struct proto_desc *desc, *base;
+
 	switch (ctx->pctx.family) {
 	case NFPROTO_IPV4:
 	case NFPROTO_IPV6:
@@ -1368,9 +1371,46 @@ static int stmt_evaluate_reject_default(struct eval_ctx *ctx,
 		stmt->reject.icmp_code = ICMP6_DST_UNREACH_NOPORT;
 		break;
 	case NFPROTO_INET:
+		desc = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+		if (desc == NULL) {
+			stmt->reject.type = NFT_REJECT_ICMPX_UNREACH;
+			stmt->reject.icmp_code = NFT_REJECT_ICMPX_PORT_UNREACH;
+			break;
+		}
+		stmt->reject.type = NFT_REJECT_ICMP_UNREACH;
+		base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
+		protocol = proto_find_num(base, desc);
+		switch (protocol) {
+		case NFPROTO_IPV4:
+			stmt->reject.family = NFPROTO_IPV4;
+			stmt->reject.icmp_code = ICMP_PORT_UNREACH;
+			break;
+		case NFPROTO_IPV6:
+			stmt->reject.family = NFPROTO_IPV6;
+			stmt->reject.icmp_code = ICMP6_DST_UNREACH_NOPORT;
+			break;
+		}
+		break;
 	case NFPROTO_BRIDGE:
-		stmt->reject.type = NFT_REJECT_ICMPX_UNREACH;
-		stmt->reject.icmp_code = NFT_REJECT_ICMPX_PORT_UNREACH;
+		desc = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+		if (desc == NULL) {
+			stmt->reject.type = NFT_REJECT_ICMPX_UNREACH;
+			stmt->reject.icmp_code = NFT_REJECT_ICMPX_PORT_UNREACH;
+			break;
+		}
+		stmt->reject.type = NFT_REJECT_ICMP_UNREACH;
+		base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
+		protocol = proto_find_num(base, desc);
+		switch (protocol) {
+		case __constant_htons(ETH_P_IP):
+			stmt->reject.family = NFPROTO_IPV4;
+			stmt->reject.icmp_code = ICMP_PORT_UNREACH;
+			break;
+		case __constant_htons(ETH_P_IPV6):
+			stmt->reject.family = NFPROTO_IPV6;
+			stmt->reject.icmp_code = ICMP6_DST_UNREACH_NOPORT;
+			break;
+		}
 		break;
 	}
 	return 0;
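Review bot: The inner `switch (protocol)` added in both the NFPROTO_INET and NFPROTO_BRIDGE branches has no `default`, so when a network-header descriptor is present but is neither IPv4 nor IPv6 (or when proto_find_num reports it is not registered under `base` — its not-found value is not visible here), `stmt->reject.type` has already been set to NFT_REJECT_ICMP_UNREACH while `stmt->reject.family` and `stmt->reject.icmp_code` are never assigned, and the statement is accepted with whatever those fields held before. Before this change every bridge reject fell back to the protocol-agnostic ICMPX form, so a `default:` that restores that fallback keeps the old behaviour for non-IP headers; alternatively the rule could be refused the way an explicit family conflict presumably is in stmt_evaluate_reject_family, which is outside this hunk. The two branches are otherwise identical apart from the case constants, so a single static helper taking the two expected protocol numbers would halve the new code and keep the default in one place. The same fix applies to the bridge switch.
```c
		protocol = proto_find_num(base, desc);
		switch (protocol) {
		/* … unchanged: NFPROTO_IPV4 and NFPROTO_IPV6 cases … */
		default:
			/* not an IP header: no ICMP/ICMPv6 reply can be built,
			 * keep the protocol-agnostic reject used before */
			stmt->reject.type = NFT_REJECT_ICMPX_UNREACH;
			stmt->reject.icmp_code = NFT_REJECT_ICMPX_PORT_UNREACH;
			break;
		}
```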
diff --git a/tests/regression/bridge/reject.t b/tests/regression/bridge/reject.t
index 11a0f1c5..43e54611 100644
--- a/tests/regression/bridge/reject.t
+++ b/tests/regression/bridge/reject.t
@@ -18,6 +18,9 @@ reject with icmpv6 type port-unreachable;ok;ether type ip6 reject
 
 ip protocol tcp reject with tcp reset;ok;ip protocol 6 reject with tcp reset
 reject;ok
+ether type ip reject;ok
+ether type ip6 reject;ok
+
 reject with icmpx type host-unreachable;ok
 reject with icmpx type no-route;ok
 reject with icmpx type admin-prohibited;ok
diff --git a/tests/regression/inet/reject.t b/tests/regression/inet/reject.t
index 2f5aef3a..52e7b28b 100644
--- a/tests/regression/inet/reject.t
+++ b/tests/regression/inet/reject.t
@@ -18,6 +18,9 @@ reject with icmpv6 type port-unreachable;ok;meta nfproto ipv6 reject
 
 reject with tcp reset;ok;meta l4proto 6 reject with tcp reset
 reject;ok
+meta nfproto ipv4 reject;ok
+meta nfproto ipv6 reject;ok
+
 reject with icmpx type host-unreachable;ok
 reject with icmpx type no-route;ok
 reject with icmpx type admin-prohibited;ok