/*
* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Eric Leblond <eric@regit.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/icmp.h>
+#include <net/netfilter/ipv4/nf_reject.h>
+
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
+#include <net/netfilter/ipv6/nf_reject.h>
+#endif
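Review bot: `#include <net/icmp.h>` looks stale after this change: the only icmp_send() call in the file is removed in the nft_reject_eval hunk, and the new code goes through nf_send_unreach()/nf_send_reset() from the nf_reject.h headers added here. If nothing outside the visible hunks still uses a symbol from it, drop the include so the dependency list reflects what the file actually calls. If ICMP code constants are still referenced elsewhere (for example when nft_reject_init validates NFTA_REJECT_ICMP_CODE, which is outside the hunks shown), keep it and ignore this.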
struct nft_reject {
enum nft_reject_types type:8;
u8 icmp_code;
+ u8 family;
};
static void nft_reject_eval(const struct nft_expr *expr,
const struct nft_pktinfo *pkt)
{
struct nft_reject *priv = nft_expr_priv(expr);
+ struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH:
- icmp_send(pkt->skb, ICMP_DEST_UNREACH, priv->icmp_code, 0);
+ if (priv->family == NFPROTO_IPV4)
+ nf_send_unreach(pkt->skb, priv->icmp_code);
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
+ else if (priv->family == NFPROTO_IPV6)
+ nf_send_unreach6(net, pkt->skb, priv->icmp_code,
+ pkt->hooknum);
+#endif
break;
case NFT_REJECT_TCP_RST:
+ if (priv->family == NFPROTO_IPV4)
+ nf_send_reset(pkt->skb, pkt->hooknum);
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
+ else if (priv->family == NFPROTO_IPV6)
+ nf_send_reset6(net, pkt->skb, pkt->hooknum);
+#endif
break;
}
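Review bot: The `net` variable introduced on the `dev_net(...)` line is only read inside the `#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)` branches, so a build without that option gets an unused-variable warning for nft_reject_eval. Either wrap the declaration in the same `#if`, or drop it and call `dev_net(pkt->in ? pkt->in : pkt->out)` at the two IPv6 call sites. The in/out selection also deserves a why-comment, e.g. `/* pkt->in is NULL on the output hooks; use pkt->out there */`, since a reader has to trust that one of them is non-NULL at every hook this expression can run from, which I cannot confirm from the hunk. For a family other than IPv4/IPv6 neither branch fires and the switch falls through silently; the remainder of nft_reject_eval, including whatever verdict it sets after the switch, is outside the hunk.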
if (tb[NFTA_REJECT_TYPE] == NULL)
return -EINVAL;
+ priv->family = ctx->afi->family;
priv->type = ntohl(nla_get_be32(tb[NFTA_REJECT_TYPE]));
switch (priv->type) {
case NFT_REJECT_ICMP_UNREACH:
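Review bot: `priv->family = ctx->afi->family;` is stored without being checked, yet nft_reject_eval only acts on NFPROTO_IPV4 and (with CONFIG_NF_TABLES_IPV6) NFPROTO_IPV6, so a rule loaded in any other family's table would be accepted here and then silently do nothing in the eval switch. Rejecting unsupported families at configuration time fails closed and reports the problem to the user instead, e.g. directly after the assignment: `if (priv->family != NFPROTO_IPV4 && priv->family != NFPROTO_IPV6) return -EAFNOSUPPORT;`. nft_reject_init's signature and the rest of its body are outside the hunk, so I have not verified whether the family is already restricted elsewhere, for instance by the expression type's registration.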
{
const struct nft_reject *priv = nft_expr_priv(expr);
- if (nla_put_be32(skb, NFTA_REJECT_TYPE, priv->type))
+ if (nla_put_be32(skb, NFTA_REJECT_TYPE, htonl(priv->type)))
goto nla_put_failure;
switch (priv->type) {