Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index c15cd55f..216194f1 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -17,6 +17,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_arp.h>
 #include <linux/netfilter/nf_tables.h>
+#include <linux/icmp.h>
 #include <expression.h>
 #include <statement.h>
@@ -1139,10 +1140,14 @@ static int stmt_evaluate_reject(struct eval_ctx *ctx, struct stmt *stmt)
 if (base == NULL)
 return -1;
- if (strcmp(base->name, "tcp") == 0)
+ if (strcmp(base->name, "tcp") == 0 && stmt->reject.icmp_code == -1) {
 stmt->reject.type = NFT_REJECT_TCP_RST;
- else
+ stmt->reject.icmp_code = ICMP_NET_UNREACH;
+ } else {
 stmt->reject.type = NFT_REJECT_ICMP_UNREACH;
+ if (stmt->reject.icmp_code < 0)
+ stmt->reject.icmp_code = ICMP_NET_UNREACH;
+ }
 stmt->flags |= STMT_F_TERMINAL;
 return 0; |
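Review bot: The two "no code given" tests in the reject-type selection disagree: the tcp branch only emits a reset when `stmt->reject.icmp_code == -1`, while the else branch treats any negative value as unset (`< 0`), so a tcp match carrying any other negative code would silently become an ICMP unreachable with a defaulted code instead of a reset. Use the same predicate in both places, `if (strcmp(base->name, "tcp") == 0 && stmt->reject.icmp_code < 0) {`, or better a single named "unset" sentinel shared with whatever initialises the field, so parser and evaluator agree on what unset means. Storing `ICMP_NET_UNREACH` into `icmp_code` on the `NFT_REJECT_TCP_RST` branch is also surprising, since a TCP reset carries no ICMP code; if it is there so the attribute is always defined when the statement is serialised, a one-line comment such as `/* reset carries no ICMP code; keep the field defined for serialisation */` would spare the next reader the guess (the serialiser is not visible from here). Nothing in this hunk bounds an explicitly supplied `icmp_code` to the ICMP unreachable code space, so that check presumably lives in the parser or is left to the kernel; worth confirming rather than assuming. stmt_evaluate_reject begins before this hunk, so where the -1 default originates is out of view.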