diff options
author | Álvaro Neira Ayuso <alvaroneay@gmail.com> | 2014-06-11 18:51:03 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-06-16 11:53:19 +0200 |
commit | 34040b1e345c8fa31b1c468713ff7c3815e4a8a1 (patch) | |
tree | ba8d928aa811b5de919c94592f3f8f966503662d /src/parser.y | |
parent | 11b2bb2fc0652dce73c78e7b0cee5c32c5af80e8 (diff) |
reject: add ICMP code parameter for indicating the type of error
This patch allows to indicate the ICMP code field in case that we
use to reject. Before, we have always sent network unreachable error
as ICMP code, now we can explicitly indicate the ICMP code that
we want to use. Examples:
nft add rule filter input tcp dport 22 reject with host-unreach
nft add rule filter input udp dport 22 reject with host-unreach
In this case, it will use the host unreachable code to reject traffic.
The default code field still is network unreachable and we can also
use the rules without the with like that:
nft add rule filter input udp dport 22 reject
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser.y')
-rw-r--r-- | src/parser.y | 34 |
1 files changed, 31 insertions, 3 deletions
diff --git a/src/parser.y b/src/parser.y index 3e08e21e..a4272168 100644 --- a/src/parser.y +++ b/src/parser.y @@ -18,6 +18,7 @@ #include <linux/netfilter.h> #include <linux/netfilter/nf_tables.h> #include <linux/netfilter/nf_conntrack_tuple_common.h> +#include <linux/icmp.h> #include <libnftnl/common.h> #include <rule.h> @@ -359,6 +360,7 @@ static int monitor_lookup_event(const char *event) %token WEEK "week" %token _REJECT "reject" +%token WITH "with" %token SNAT "snat" %token DNAT "dnat" @@ -419,8 +421,8 @@ static int monitor_lookup_event(const char *event) %type <stmt> limit_stmt %destructor { stmt_free($$); } limit_stmt %type <val> time_unit -%type <stmt> reject_stmt -%destructor { stmt_free($$); } reject_stmt +%type <stmt> reject_stmt reject_stmt_alloc +%destructor { stmt_free($$); } reject_stmt reject_stmt_alloc %type <stmt> nat_stmt nat_stmt_alloc %destructor { stmt_free($$); } nat_stmt nat_stmt_alloc %type <stmt> queue_stmt queue_stmt_alloc queue_range @@ -1396,12 +1398,38 @@ time_unit : SECOND { $$ = 1ULL; } | WEEK { $$ = 1ULL * 60 * 60 * 24 * 7; } ; -reject_stmt : _REJECT + +reject_stmt : reject_stmt_alloc reject_opts + +reject_stmt_alloc : _REJECT { $$ = reject_stmt_alloc(&@$); } ; +reject_opts : /* empty */ + { + $<stmt>0->reject.icmp_code = -1; + } + | WITH STRING + { + if (strcmp($2, "net-unreach") == 0) + $<stmt>0->reject.icmp_code = ICMP_NET_UNREACH; + else if (strcmp($2, "host-unreach") == 0) + $<stmt>0->reject.icmp_code = ICMP_HOST_UNREACH; + else if (strcmp($2, "prot-unreach") == 0) + $<stmt>0->reject.icmp_code = ICMP_PROT_UNREACH; + else if (strcmp($2, "port-unreach") == 0) + $<stmt>0->reject.icmp_code = ICMP_PORT_UNREACH; + else if (strcmp($2, "net-prohibited") == 0) + $<stmt>0->reject.icmp_code = ICMP_NET_ANO; + else if (strcmp($2, "host-prohibited") == 0) + $<stmt>0->reject.icmp_code = ICMP_HOST_ANO; + else if (strcmp($2, "admin-prohibited") == 0) + $<stmt>0->reject.icmp_code = ICMP_PKT_FILTERED; + } + ; + nat_stmt : nat_stmt_alloc nat_stmt_args ; |