diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/parser_bison.y | 20 | ||||
-rw-r--r-- | src/statement.c | 6 |
2 files changed, 23 insertions, 3 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y index 79b5aef2..b83ac9a2 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -3319,6 +3319,13 @@ reject_opts : /* empty */ $<stmt>0->reject.expr = $4; datatype_set($<stmt>0->reject.expr, &icmp_code_type); } + | WITH ICMP reject_with_expr + { + $<stmt>0->reject.family = NFPROTO_IPV4; + $<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH; + $<stmt>0->reject.expr = $3; + datatype_set($<stmt>0->reject.expr, &icmp_code_type); + } | WITH ICMP6 TYPE reject_with_expr { $<stmt>0->reject.family = NFPROTO_IPV6; @@ -3326,12 +3333,25 @@ reject_opts : /* empty */ $<stmt>0->reject.expr = $4; datatype_set($<stmt>0->reject.expr, &icmpv6_code_type); } + | WITH ICMP6 reject_with_expr + { + $<stmt>0->reject.family = NFPROTO_IPV6; + $<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH; + $<stmt>0->reject.expr = $3; + datatype_set($<stmt>0->reject.expr, &icmpv6_code_type); + } | WITH ICMPX TYPE reject_with_expr { $<stmt>0->reject.type = NFT_REJECT_ICMPX_UNREACH; $<stmt>0->reject.expr = $4; datatype_set($<stmt>0->reject.expr, &icmpx_code_type); } + | WITH ICMPX reject_with_expr + { + $<stmt>0->reject.type = NFT_REJECT_ICMPX_UNREACH; + $<stmt>0->reject.expr = $3; + datatype_set($<stmt>0->reject.expr, &icmpx_code_type); + } | WITH TCP RESET { $<stmt>0->reject.type = NFT_REJECT_TCP_RST; diff --git a/src/statement.c b/src/statement.c index 06742c04..97b163e8 100644 --- a/src/statement.c +++ b/src/statement.c @@ -585,7 +585,7 @@ static void reject_stmt_print(const struct stmt *stmt, struct output_ctx *octx) case NFT_REJECT_ICMPX_UNREACH: if (stmt->reject.icmp_code == NFT_REJECT_ICMPX_PORT_UNREACH) break; - nft_print(octx, " with icmpx type "); + nft_print(octx, " with icmpx "); expr_print(stmt->reject.expr, octx); break; case NFT_REJECT_ICMP_UNREACH: @@ -594,14 +594,14 @@ static void reject_stmt_print(const struct stmt *stmt, struct output_ctx *octx) if (!stmt->reject.verbose_print && stmt->reject.icmp_code == ICMP_PORT_UNREACH) break; - nft_print(octx, " with icmp type "); + nft_print(octx, " with icmp "); expr_print(stmt->reject.expr, octx); break; case NFPROTO_IPV6: if (!stmt->reject.verbose_print && stmt->reject.icmp_code == ICMP6_DST_UNREACH_NOPORT) break; - nft_print(octx, " with icmpv6 type "); + nft_print(octx, " with icmpv6 "); expr_print(stmt->reject.expr, octx); break; } |