author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-06-20 14:58:54 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-06-20 15:00:02 +0200 |
commit | 6b39cecf634ade76ae6b19c632ef5890639481cb (patch) | |
tree | d0341b9d56091aa541b6d0240bcf59283315af3c /src/evaluate.c | |
parent | 34040b1e345c8fa31b1c468713ff7c3815e4a8a1 (diff) |
src: revert broken reject icmp code support
This patch reverts Alvaro's 34040b1 ("reject: add ICMP code parameter
for indicating the type of error") and 11b2bb2 ("reject: Use protocol
context for indicating the reject type").
These patches are flawed in two ways:
1) IPv6 support is broken: only ICMP codes are considered.
2) If you don't specify any transport context, the utility exits without
adding the rule, e.g. nft add rule ip filter input reject.
The kernel is also flawed when it comes to the inet table. Let's revert
this until we can provide decent reject reason support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 17 |
1 files changed, 0 insertions, 17 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 216194f1..2330bbb2 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -17,7 +17,6 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_arp.h>
 #include <linux/netfilter/nf_tables.h>
-#include <linux/icmp.h>
 #include <expression.h>
 #include <statement.h>
@@ -1133,22 +1132,6 @@ static int stmt_evaluate_meta(struct eval_ctx *ctx, struct stmt *stmt)
 static int stmt_evaluate_reject(struct eval_ctx *ctx, struct stmt *stmt)
 {
- struct proto_ctx *pctx = &ctx->pctx;
- const struct proto_desc *base;
-
- base = pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc;
- if (base == NULL)
- return -1;
-
- if (strcmp(base->name, "tcp") == 0 && stmt->reject.icmp_code == -1) {
- stmt->reject.type = NFT_REJECT_TCP_RST;
- stmt->reject.icmp_code = ICMP_NET_UNREACH;
- } else {
- stmt->reject.type = NFT_REJECT_ICMP_UNREACH;
- if (stmt->reject.icmp_code < 0)
- stmt->reject.icmp_code = ICMP_NET_UNREACH;
- }
-
 stmt->flags |= STMT_F_TERMINAL;
 return 0;
 }