Diffstat (limited to 'src/parser.y')
-rw-r--r-- | src/parser.y | 34 |
1 files changed, 31 insertions, 3 deletions
diff --git a/src/parser.y b/src/parser.y
index 3e08e21e..a4272168 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -18,6 +18,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nf_tables.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <linux/icmp.h>
 #include <libnftnl/common.h>
 #include <rule.h>
@@ -359,6 +360,7 @@ static int monitor_lookup_event(const char *event)
 %token WEEK "week"
 %token _REJECT "reject"
+%token WITH "with"
 %token SNAT "snat"
 %token DNAT "dnat"
@@ -419,8 +421,8 @@ static int monitor_lookup_event(const char *event)
 %type <stmt> limit_stmt
 %destructor { stmt_free($$); } limit_stmt
 %type <val> time_unit
-%type <stmt> reject_stmt
-%destructor { stmt_free($$); } reject_stmt
+%type <stmt> reject_stmt reject_stmt_alloc
+%destructor { stmt_free($$); } reject_stmt reject_stmt_alloc
 %type <stmt> nat_stmt nat_stmt_alloc
 %destructor { stmt_free($$); } nat_stmt nat_stmt_alloc
 %type <stmt> queue_stmt queue_stmt_alloc queue_range 
@@ -1396,12 +1398,38 @@ time_unit : SECOND { $$ = 1ULL; }
 | WEEK { $$ = 1ULL * 60 * 60 * 24 * 7; }
 ;
-reject_stmt : _REJECT
+
+reject_stmt : reject_stmt_alloc reject_opts
+
+reject_stmt_alloc : _REJECT
 {
 $$ = reject_stmt_alloc(&@$);
 }
 ;
+reject_opts : /* empty */
+ {
+ $<stmt>0->reject.icmp_code = -1;
+ }
+ | WITH STRING
+ {
+ if (strcmp($2, "net-unreach") == 0)
+ $<stmt>0->reject.icmp_code = ICMP_NET_UNREACH;
+ else if (strcmp($2, "host-unreach") == 0)
+ $<stmt>0->reject.icmp_code = ICMP_HOST_UNREACH;
+ else if (strcmp($2, "prot-unreach") == 0)
+ $<stmt>0->reject.icmp_code = ICMP_PROT_UNREACH;
+ else if (strcmp($2, "port-unreach") == 0)
+ $<stmt>0->reject.icmp_code = ICMP_PORT_UNREACH;
+ else if (strcmp($2, "net-prohibited") == 0)
+ $<stmt>0->reject.icmp_code = ICMP_NET_ANO;
+ else if (strcmp($2, "host-prohibited") == 0)
+ $<stmt>0->reject.icmp_code = ICMP_HOST_ANO;
+ else if (strcmp($2, "admin-prohibited") == 0)
+ $<stmt>0->reject.icmp_code = ICMP_PKT_FILTERED;
+ }
+ ;
+
 nat_stmt : nat_stmt_alloc nat_stmt_args
 ; |
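Review bot: The `WITH STRING` alternative of reject_opts silently accepts any string: when none of the seven strcmp branches match, `icmp_code` is left at whatever reject_stmt_alloc() produced, and the explicit `= -1` in the empty alternative suggests the allocator does not initialise it, so an unknown code word parses as a reject statement with an indeterminate ICMP code. A final `else` should turn this into a grammar error (the file's usual error-queueing pattern followed by `YYERROR`) instead of falling through. The STRING value `$2` is also never released in this action; if STRING is heap-allocated as in the other string-consuming rules of this grammar, it leaks on every path and should be freed once the comparisons are done. The `$<stmt>0` references bind reject_opts to being reduced only directly after reject_stmt_alloc, which deserves a comment on the rule, e.g. `/* $0 is the reject_stmt_alloc result; reject_opts is only valid in that position */`.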