authorPablo Neira Ayuso <pablo@netfilter.org>2021-07-26 17:22:32 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2021-07-26 17:50:19 +0200
commit08d2f049367153d2c3b03c95b2ca7256cdf3521d (patch)
tree35b291e94c051a50d1473d21932f6a27ff8498b5 /src
parent1ab1fcbc19a82e03d229586b8fd5b16396a9fab7 (diff)
src: promote 'reject with icmp CODE' syntax
The kernel already assumes that the ICMP type to reject a packet is destination-unreachable, hence the user specifies the *ICMP code*. Simplify the syntax to: ... reject with icmp port-unreachable This removes the 'type' keyword before the ICMP code to reject the packet with. IIRC, the original intention was to leave room for future extensions that allow specifying both the ICMP type and the ICMP code; this is however not possible with the current inconsistent syntax. Update manpages which also refer to ICMP type. Adjust tests/py to the new syntax. Fixes: 5fdd0b6a0600 ("nft: complete reject support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r--src/parser_bison.y20
-rw-r--r--src/statement.c6
2 files changed, 23 insertions, 3 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 79b5aef2..b83ac9a2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3319,6 +3319,13 @@ reject_opts : /* empty */
$<stmt>0->reject.expr = $4;
datatype_set($<stmt>0->reject.expr, &icmp_code_type);
}
+ | WITH ICMP reject_with_expr
+ {
+ $<stmt>0->reject.family = NFPROTO_IPV4;
+ $<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
+ $<stmt>0->reject.expr = $3;
+ datatype_set($<stmt>0->reject.expr, &icmp_code_type);
+ }
| WITH ICMP6 TYPE reject_with_expr
{
$<stmt>0->reject.family = NFPROTO_IPV6;
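Review bot: The retained `WITH ICMP TYPE reject_with_expr` alternative (its head is above this hunk) is now a second spelling of the same statement, and nothing in the grammar says it is kept on purpose; the same applies to the `ICMP6 TYPE` and `ICMPX TYPE` alternatives in the next hunk. Since the statement.c part of this commit stops printing the `type` keyword, a reader of the grammar cannot tell whether the old form is legacy input or an oversight, so a comment on each retained alternative would help, e.g. `/* legacy syntax: 'type' is still accepted for existing rulesets but no longer printed */`. As a point of style, each new alternative repeats the action of the `TYPE` alternative above it verbatim apart from `$3` versus `$4`; a small helper in the prologue that sets `reject.family`, `reject.type`, `reject.expr` and calls `datatype_set` would leave one copy of that logic per family. The `reject_opts` rule starts before this hunk and the second hunk ends inside the `WITH TCP RESET` alternative.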
@@ -3326,12 +3333,25 @@ reject_opts : /* empty */
$<stmt>0->reject.expr = $4;
datatype_set($<stmt>0->reject.expr, &icmpv6_code_type);
}
+ | WITH ICMP6 reject_with_expr
+ {
+ $<stmt>0->reject.family = NFPROTO_IPV6;
+ $<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
+ $<stmt>0->reject.expr = $3;
+ datatype_set($<stmt>0->reject.expr, &icmpv6_code_type);
+ }
| WITH ICMPX TYPE reject_with_expr
{
$<stmt>0->reject.type = NFT_REJECT_ICMPX_UNREACH;
$<stmt>0->reject.expr = $4;
datatype_set($<stmt>0->reject.expr, &icmpx_code_type);
}
+ | WITH ICMPX reject_with_expr
+ {
+ $<stmt>0->reject.type = NFT_REJECT_ICMPX_UNREACH;
+ $<stmt>0->reject.expr = $3;
+ datatype_set($<stmt>0->reject.expr, &icmpx_code_type);
+ }
| WITH TCP RESET
{
$<stmt>0->reject.type = NFT_REJECT_TCP_RST;
diff --git a/src/statement.c b/src/statement.c
index 06742c04..97b163e8 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -585,7 +585,7 @@ static void reject_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
case NFT_REJECT_ICMPX_UNREACH:
if (stmt->reject.icmp_code == NFT_REJECT_ICMPX_PORT_UNREACH)
break;
- nft_print(octx, " with icmpx type ");
+ nft_print(octx, " with icmpx ");
expr_print(stmt->reject.expr, octx);
break;
case NFT_REJECT_ICMP_UNREACH:
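Review bot: The string at line 71 (and the ones at lines 80 and 88 in the next hunk) now emit only the short form, while the parser part of this commit still accepts the `type` spelling, so output listed by this build presumably no longer loads on an nft release that predates the change; nothing in the code records that asymmetry. A one-line comment at the top of the `NFT_REJECT_ICMPX_UNREACH` case would make the intent clear for the next reader, e.g. `/* print the short 'with icmp[x|v6] CODE' form; the parser still accepts the older 'type' keyword */`. Not introduced here, but visible in the context: the icmpx case suppresses output on `NFT_REJECT_ICMPX_PORT_UNREACH` unconditionally at line 68, whereas the ICMP and ICMPv6 cases also check `verbose_print` at lines 76 and 84; if that difference is deliberate it deserves a comment. reject_stmt_print starts before this hunk.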
@@ -594,14 +594,14 @@ static void reject_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
if (!stmt->reject.verbose_print &&
stmt->reject.icmp_code == ICMP_PORT_UNREACH)
break;
- nft_print(octx, " with icmp type ");
+ nft_print(octx, " with icmp ");
expr_print(stmt->reject.expr, octx);
break;
case NFPROTO_IPV6:
if (!stmt->reject.verbose_print &&
stmt->reject.icmp_code == ICMP6_DST_UNREACH_NOPORT)
break;
- nft_print(octx, " with icmpv6 type ");
+ nft_print(octx, " with icmpv6 ");
expr_print(stmt->reject.expr, octx);
break;
}