Diffstat (limited to 'include')
-rw-r--r-- | include/datatype.h | 9 | ||||
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 21 | ||||
-rw-r--r-- | include/proto.h | 1 | ||||
-rw-r--r-- | include/statement.h | 3 |
4 files changed, 34 insertions, 0 deletions
diff --git a/include/datatype.h b/include/datatype.h
index 51822637..15fea441 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -36,6 +36,9 @@
  * @TYPE_ICMP6_TYPE: ICMPv6 type codes (integer subtype)
  * @TYPE_CT_LABEL: Conntrack Label (bitmask subtype)
  * @TYPE_PKTTYPE: packet type (integer subtype)
+ * @TYPE_ICMP_CODE: icmp code (integer subtype)
+ * @TYPE_ICMPV6_CODE: icmpv6 code (integer subtype)
+ * @TYPE_ICMPX_CODE: icmpx code (integer subtype)
  */
 enum datatypes {
 	TYPE_INVALID,
@@ -70,6 +73,9 @@ enum datatypes {
 	TYPE_ICMP6_TYPE,
 	TYPE_CT_LABEL,
 	TYPE_PKTTYPE,
+	TYPE_ICMP_CODE,
+	TYPE_ICMPV6_CODE,
+	TYPE_ICMPX_CODE,
 	__TYPE_MAX
 };
 #define TYPE_MAX (__TYPE_MAX - 1)
@@ -194,6 +200,9 @@ extern const struct datatype arphrd_type;
 extern const struct datatype inet_protocol_type;
 extern const struct datatype inet_service_type;
 extern const struct datatype mark_type;
+extern const struct datatype icmp_code_type;
+extern const struct datatype icmpv6_code_type;
+extern const struct datatype icmpx_code_type;
 extern const struct datatype time_type;
 
 extern const struct datatype *concat_type_alloc(const struct expr *expr);
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index b72ccfea..f04d997a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -749,13 +749,34 @@ enum nft_queue_attributes {
  *
  * @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable
  * @NFT_REJECT_TCP_RST: reject using TCP RST
+ * @NFT_REJECT_ICMPX_UNREACH: abstracted ICMP unreachable for bridge and inet
  */
 enum nft_reject_types {
 	NFT_REJECT_ICMP_UNREACH,
 	NFT_REJECT_TCP_RST,
+	NFT_REJECT_ICMPX_UNREACH,
 };
 
 /**
+ * enum nft_reject_code - Abstracted reject codes
+ *
+ * @NFT_REJECT_ICMPX_NO_ROUTE: no route to host - network unreachable
+ * @NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
+ * @NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
+ * @NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratevely prohibited
+ *
+ * These codes are mapped to real ICMP and ICMPv6 codes.
+ */
+enum nft_reject_inet_code {
+	NFT_REJECT_ICMPX_NO_ROUTE = 0,
+	NFT_REJECT_ICMPX_PORT_UNREACH,
+	NFT_REJECT_ICMPX_HOST_UNREACH,
+	NFT_REJECT_ICMPX_ADMIN_PROHIBITED,
+	__NFT_REJECT_ICMPX_MAX
+};
+#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX + 1)
+
+/**
  * enum nft_reject_attributes - nf_tables reject expression netlink attributes
  *
  * @NFTA_REJECT_TYPE: packet type to use (NLA_U32: nft_reject_types)
diff --git a/include/proto.h b/include/proto.h
index cc1f51f0..0e531b24 100644
--- a/include/proto.h
+++ b/include/proto.h
@@ -252,6 +252,7 @@ enum udp_hdr_fields {
 
 enum tcp_hdr_fields {
 	TCPHDR_INVALID,
+	TCPHDR_UNSPEC = TCPHDR_INVALID,
 	TCPHDR_SPORT,
 	TCPHDR_DPORT,
 	TCPHDR_SEQ,
diff --git a/include/statement.h b/include/statement.h
index 7a57f7dd..574835cd 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -56,7 +56,10 @@ struct limit_stmt {
 extern struct stmt *limit_stmt_alloc(const struct location *loc);
 
 struct reject_stmt {
+	struct expr *expr;
 	enum nft_reject_types type;
+	int8_t icmp_code;
+	unsigned int family;
 };
 
 extern struct stmt *reject_stmt_alloc(const struct location *loc);
|
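Review bot: `#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX + 1)` is off by two: `__NFT_REJECT_ICMPX_MAX` is already one past the last enumerator, so the macro evaluates to 5 while the highest valid code, `NFT_REJECT_ICMPX_ADMIN_PROHIBITED`, is 3, and any range check written as `code > NFT_REJECT_ICMPX_MAX` would let two out-of-range values through. It should follow the convention `TYPE_MAX` uses in datatype.h on this same page: `#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX - 1)`. The kernel-doc header reads `enum nft_reject_code` while the definition is `enum nft_reject_inet_code`; the two names should agree so the documentation attaches to the right type. `administratevely` in the `@NFT_REJECT_ICMPX_ADMIN_PROHIBITED` line should read `administratively`.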
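Review bot: `int8_t icmp_code;` holds a value that is an unsigned octet on the wire (ICMP and ICMPv6 codes run 0–255), so codes of 128 and above become negative in this field and need a cast to round-trip through a u8 netlink attribute or a comparison against an unsigned bound. If no negative "not set" sentinel is intended, `uint8_t icmp_code;` is the safer type; if a sentinel is intended, a comment on the field stating it (for example `/* ICMP code to send; -1 when unset */`) is needed, since the struct carries no documentation. Whether statement.h already includes `<stdint.h>` for `int8_t` is not visible in this hunk and is worth confirming. A one-line comment on `family` and on who owns `expr` would also help a reader; both are new here and neither is described.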