diff options
| author | Laura Garcia Liebana <nevola@gmail.com> | 2016-03-16 23:24:00 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-03-17 16:45:41 +0100 |
| commit | 66dffc87f02a5ca468dd8d8b0a5bee27ff67bb63 (patch) | |
| tree | e6c3a96981e94cb04c1b86d82b87cf676cb03fc2 | |
| parent | aa158ca0fda65ae6e62ca76d0744def3a03160bb (diff) | |
extensions: libipt_REJECT: Avoid to print the default reject with value in the translation
Avoid to print the reject with value in the translation when the value is the default.
Before this patch:
$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type port-unreachable
After this patch:
$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | extensions/libipt_REJECT.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c index 41487762..c211da91 100644 --- a/extensions/libipt_REJECT.c +++ b/extensions/libipt_REJECT.c @@ -171,7 +171,9 @@ static int REJECT_xlate(const void *ip, const struct xt_entry_target *target, break; } - if (reject->with == IPT_TCP_RESET) + if (reject->with == IPT_ICMP_PORT_UNREACHABLE) + xt_xlate_add(xl, "reject"); + else if (reject->with == IPT_TCP_RESET) xt_xlate_add(xl, "reject with %s", reject_table_xlate[i].name); else |