path: root/src/evaluate.c
authorÁlvaro Neira Ayuso <alvaroneay@gmail.com>2014-06-11 18:51:03 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-06-16 11:53:19 +0200
commit34040b1e345c8fa31b1c468713ff7c3815e4a8a1 (patch)
treeba8d928aa811b5de919c94592f3f8f966503662d /src/evaluate.c
parent11b2bb2fc0652dce73c78e7b0cee5c32c5af80e8 (diff)
reject: add ICMP code parameter for indicating the type of error
This patch allows the ICMP code field to be specified when rejecting. Previously the ICMP code sent was always network unreachable; now the ICMP code to use can be given explicitly. Examples: nft add rule filter input tcp dport 22 reject with host-unreach nft add rule filter input udp dport 22 reject with host-unreach In this case, the host unreachable code is used to reject the traffic. The default code is still network unreachable, and the rule can also be written without the with clause, like this: nft add rule filter input udp dport 22 reject Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r--src/evaluate.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index c15cd55f..216194f1 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -17,6 +17,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter_arp.h>
#include <linux/netfilter/nf_tables.h>
+#include <linux/icmp.h>
#include <expression.h>
#include <statement.h>
@@ -1139,10 +1140,14 @@ static int stmt_evaluate_reject(struct eval_ctx *ctx, struct stmt *stmt)
if (base == NULL)
return -1;
- if (strcmp(base->name, "tcp") == 0)
+ if (strcmp(base->name, "tcp") == 0 && stmt->reject.icmp_code == -1) {
stmt->reject.type = NFT_REJECT_TCP_RST;
- else
+ stmt->reject.icmp_code = ICMP_NET_UNREACH;
+ } else {
stmt->reject.type = NFT_REJECT_ICMP_UNREACH;
+ if (stmt->reject.icmp_code < 0)
+ stmt->reject.icmp_code = ICMP_NET_UNREACH;
+ }
stmt->flags |= STMT_F_TERMINAL;
return 0;
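Review bot: The "no code given" sentinel is tested two different ways in the new code: the TCP branch checks `stmt->reject.icmp_code == -1` while the ICMP branch a few lines below uses `stmt->reject.icmp_code < 0`, so a negative value other than -1 (should the parser ever produce one) would turn a `tcp ... reject` rule into an ICMP unreachable instead of a TCP RST. Use the same test in both places, `if (strcmp(base->name, "tcp") == 0 && stmt->reject.icmp_code < 0) {`, or better, give the sentinel a named constant so both sites read the same. The assignment `stmt->reject.icmp_code = ICMP_NET_UNREACH;` inside the TCP_RST branch is also surprising since a RST carries no ICMP code; if it is there only so the linearizer always has a value, a one-line comment saying so would save the next reader a detour. Nothing in this hunk bounds `icmp_code` to the 8-bit field or accounts for the ip6 family, where `<linux/icmp.h>` names such as ICMP_HOST_UNREACH (1) do not mean the same thing as the ICMPv6 codes; I cannot see the parser from here, so this may already be handled there, but it is worth confirming. The function stmt_evaluate_reject starts and ends outside this hunk.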