From d923bba613d573e23b577f1ae49c409ea62f00e9 Mon Sep 17 00:00:00 2001
From: laforge
Date: Sat, 24 May 2003 11:44:18 +0000
Subject: finally commit the overly delayed RFC1812 admin prohibited option
---
 INCOMPATIBILITIES | 6 ++++++
 extensions/libipt_REJECT.c | 16 +++++++++++++++-
 iptables.8 | 7 +++++--
 3 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 INCOMPATIBILITIES
diff --git a/INCOMPATIBILITIES b/INCOMPATIBILITIES
new file mode 100644
index 0000000..fd695e1
--- /dev/null
+++ b/INCOMPATIBILITIES
@@ -0,0 +1,6 @@
+INCOMPATIBILITIES:
+
+- The REJECT target has an '--reject-with admin-prohib' option which used
+ with kernels that do not support it, will result in a plain DROP instead
+ of REJECT. Use with caution.
+ Kernels that do support it:
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
index ba63a0a..8170edd 100644
--- a/extensions/libipt_REJECT.c
+++ b/extensions/libipt_REJECT.c
@@ -9,6 +9,16 @@
 #include
 #include
 #include
+#include
+
+/* If we are compiling against a kernel that does not support * IPT_ICMP_ADMIN_PROHIBITED, we are emulating it. * The result will be a plain DROP of the packet instead of * reject. -- Maciej Soltysiak */
+#ifndef IPT_ICMP_ADMIN_PROHIBITED
+#define IPT_ICMP_ADMIN_PROHIBITED IPT_TCP_RESET + 1
+#endif
 struct reject_names {
 const char *name;
@@ -35,7 +45,9 @@ static const struct reject_names reject_table[] = {
 {"icmp-host-prohibited", "host-prohib",
 IPT_ICMP_HOST_PROHIBITED, "ICMP host prohibited"},
 {"tcp-reset", "tcp-reset",
- IPT_TCP_RESET, "TCP RST packet"}
+ IPT_TCP_RESET, "TCP RST packet"},
+{"icmp-admin-prohibited", "admin-prohib",
+ IPT_ICMP_ADMIN_PROHIBITED, "ICMP administratively prohibited (*)"}
 };
 static void
@@ -64,6 +76,8 @@ help(void)
 " a reply packet according to type:\n");
 print_reject_types();
+
+ printf("(*) See man page or read the INCOMPATIBILITES file for compatibility issues.\n");
 }
 static struct option opts[] = {
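Review bot: The fallback `#define IPT_ICMP_ADMIN_PROHIBITED IPT_TCP_RESET + 1` is unparenthesized and, more importantly, makes the failure mode silent: on a kernel that does not know this value the rule loads normally and matching packets are simply dropped, so an operator gets no signal that a REJECT policy degraded to DROP beyond a footnote in `-h` output. I would write `#define IPT_ICMP_ADMIN_PROHIBITED (IPT_TCP_RESET + 1)` and also define a marker such as `#define REJECT_ADMIN_PROHIB_EMULATED 1` inside the same `#ifndef` block, so the option parser (outside this hunk) can print a one-line warning to stderr when `admin-prohib` is selected on such a build. The comment's "we are emulating it" overstates what happens — nothing is emulated, the value is passed through for the kernel to honour or ignore — and it should state that the fallback presumes the kernel numbers this reject type directly after IPT_TCP_RESET, an assumption about a header this file does not control. The accompanying INCOMPATIBILITIES entry ends with an empty `Kernels that do support it:` list, so a user has nowhere to check which case applies to them.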
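Review bot: The new help line in `help()` misspells the file it points to — `INCOMPATIBILITES` — so users who go looking for it will not find the file this commit creates; it should read `printf("(*) See man page or read the INCOMPATIBILITIES file for compatibility issues.\n");`. Since that file lives in the source tree rather than next to the installed binary, the line would serve users better if it named the consequence directly, e.g. `printf("(*) On kernels without support for it, admin-prohib silently DROPs instead of REJECTing; see the man page.\n");`. The string is a constant format, so there is no format-string concern here.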
diff --git a/iptables.8 b/iptables.8
index bd58e09..f73ff46 100644
--- a/iptables.8
+++ b/iptables.8
@@ -864,8 +864,9 @@ The type given can be
 .BR icmp-host-unreachable ,
 .BR icmp-port-unreachable ,
 .BR icmp-proto-unreachable ,
-.BR "icmp-net-prohibited or"
-.BR icmp-host-prohibited ,
+.BR icmp-net-prohibited ,
+.BR "icmp-host-prohibited or"
+.BR "icmp-admin-prohibited (*)"
 which return the appropriate ICMP error message (\fBport-unreachable\fP is the default). The option
 .B tcp-reset
@@ -874,6 +875,8 @@ TCP RST packet to be sent back. This is mainly useful for blocking
 .I ident
 (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise).
+.TP
+(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
 .SS SNAT
 This target is only valid in the
 .B nat
-- cgit v1.2.3