authorPablo Neira Ayuso <pablo@netfilter.org>2014-06-20 14:58:54 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-06-20 15:00:02 +0200
commit6b39cecf634ade76ae6b19c632ef5890639481cb (patch)
treed0341b9d56091aa541b6d0240bcf59283315af3c /src/parser.y
parent34040b1e345c8fa31b1c468713ff7c3815e4a8a1 (diff)
src: revert broken reject icmp code support
This patch reverts Alvaro's 34040b1 ("reject: add ICMP code parameter for indicating the type of error") and 11b2bb2 ("reject: Use protocol context for indicating the reject type"). These patches have two flaws: 1) IPv6 support is broken, only ICMP codes are considered. 2) If you don't specify any transport context, the utility exits without adding the rule, e.g. nft add rule ip filter input reject. The kernel is also flawed when it comes to the inet table. Let's revert this until we can provide decent reject reason support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser.y')
-rw-r--r--src/parser.y34
1 files changed, 3 insertions, 31 deletions
diff --git a/src/parser.y b/src/parser.y
index a4272168..3e08e21e 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -18,7 +18,6 @@
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
-#include <linux/icmp.h>
#include <libnftnl/common.h>
#include <rule.h>
@@ -360,7 +359,6 @@ static int monitor_lookup_event(const char *event)
%token WEEK "week"
%token _REJECT "reject"
-%token WITH "with"
%token SNAT "snat"
%token DNAT "dnat"
@@ -421,8 +419,8 @@ static int monitor_lookup_event(const char *event)
%type <stmt> limit_stmt
%destructor { stmt_free($$); } limit_stmt
%type <val> time_unit
-%type <stmt> reject_stmt reject_stmt_alloc
-%destructor { stmt_free($$); } reject_stmt reject_stmt_alloc
+%type <stmt> reject_stmt
+%destructor { stmt_free($$); } reject_stmt
%type <stmt> nat_stmt nat_stmt_alloc
%destructor { stmt_free($$); } nat_stmt nat_stmt_alloc
%type <stmt> queue_stmt queue_stmt_alloc queue_range
@@ -1398,38 +1396,12 @@ time_unit : SECOND { $$ = 1ULL; }
| WEEK { $$ = 1ULL * 60 * 60 * 24 * 7; }
;
-
-reject_stmt : reject_stmt_alloc reject_opts
-
-reject_stmt_alloc : _REJECT
+reject_stmt : _REJECT
{
$$ = reject_stmt_alloc(&@$);
}
;
-reject_opts : /* empty */
- {
- $<stmt>0->reject.icmp_code = -1;
- }
- | WITH STRING
- {
- if (strcmp($2, "net-unreach") == 0)
- $<stmt>0->reject.icmp_code = ICMP_NET_UNREACH;
- else if (strcmp($2, "host-unreach") == 0)
- $<stmt>0->reject.icmp_code = ICMP_HOST_UNREACH;
- else if (strcmp($2, "prot-unreach") == 0)
- $<stmt>0->reject.icmp_code = ICMP_PROT_UNREACH;
- else if (strcmp($2, "port-unreach") == 0)
- $<stmt>0->reject.icmp_code = ICMP_PORT_UNREACH;
- else if (strcmp($2, "net-prohibited") == 0)
- $<stmt>0->reject.icmp_code = ICMP_NET_ANO;
- else if (strcmp($2, "host-prohibited") == 0)
- $<stmt>0->reject.icmp_code = ICMP_HOST_ANO;
- else if (strcmp($2, "admin-prohibited") == 0)
- $<stmt>0->reject.icmp_code = ICMP_PKT_FILTERED;
- }
- ;
-
nat_stmt : nat_stmt_alloc nat_stmt_args
;
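Review bot: The new `reject_stmt : _REJECT` rule now relies entirely on `reject_stmt_alloc()` for the statement's initial state, whereas the removed empty `reject_opts` action explicitly set `reject.icmp_code = -1` as a "no code given" sentinel. If `struct reject_stmt` still carries an `icmp_code` field after the companion changes in this commit (only `src/parser.y` is shown here), `reject_stmt_alloc()` in the statement sources must establish that sentinel itself, since a zero-initialised field is indistinguishable from the valid code `ICMP_NET_UNREACH` (0) and the evaluator could silently emit a reason the user never asked for. Worth confirming against the statement hunk of the same commit. A one-line note above the rule, `/* reject takes no options; statement defaults live in reject_stmt_alloc() */`, would tell whoever reintroduces reject reasons where the defaults belong.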