From 6b39cecf634ade76ae6b19c632ef5890639481cb Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 20 Jun 2014 14:58:54 +0200
Subject: src: revert broken reject icmp code support

This patch reverts Alvaro's 34040b1 ("reject: add ICMP code parameter for indicating the type of error") and 11b2bb2 ("reject: Use protocol context for indicating the reject type"). These patches are flawed by two things: 1) IPv6 support is broken, only ICMP codes are considered. 2) If you don't specify any transport context, the utility exits without adding the rule, eg. nft add rule ip filter input reject. The kernel is also flawed when it comes to the inet table. Let's revert this until we can provide decent reject reason support.

Signed-off-by: Pablo Neira Ayuso
---
src/statement.c | 31 -------------------------------
1 file changed, 31 deletions(-)
(limited to 'src/statement.c')

diff --git a/src/statement.c b/src/statement.c
index c566fb85..2dd3f187 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -18,7 +18,6 @@ #include #include #include -#include struct stmt *stmt_alloc(const struct location *loc, const struct stmt_ops *ops) 
@@ -199,37 +198,7 @@ struct stmt *queue_stmt_alloc(const struct location *loc) static void reject_stmt_print(const struct stmt *stmt) { - const char *icmp_code_name = NULL; - printf("reject"); - if (stmt->reject.type != NFT_REJECT_TCP_RST) { - switch (stmt->reject.icmp_code) { - case ICMP_NET_UNREACH: - icmp_code_name = "net-unreach"; - break; - case ICMP_HOST_UNREACH: - icmp_code_name = "host-unreach"; - break; - case ICMP_PROT_UNREACH: - icmp_code_name = "prot-unreach"; - break; - case ICMP_PORT_UNREACH: - icmp_code_name = "port-unreach"; - break; - case ICMP_NET_ANO: - icmp_code_name = "net-prohibited"; - break; - case ICMP_HOST_ANO: - icmp_code_name = "host-prohibited"; - break; - case ICMP_PKT_FILTERED: - icmp_code_name = "admin-prohibited"; - break; - default: - icmp_code_name = "Unknown icmp code"; - } - printf(" with %s", icmp_code_name); - } } static const struct stmt_ops reject_stmt_ops = { -- cgit v1.2.3