netfilter: nft_reject: support for IPv6 and TCP reset

	depends on NF_TABLES

	tristate "IPv4 nf_tables support"

config NFT_REJECT_IPV4

	depends on NF_TABLES_IPV4

	tristate "nf_tables IPv4 reject support"

config NFT_CHAIN_ROUTE_IPV4

	depends on NF_TABLES_IPV4

	tristate "IPv4 nf_tables route chain support"

obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o

obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o

obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o

obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o

obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o

obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o

	  This is required if you intend to use the userspace queueing

	  infrastructure (also known as NFQUEUE) from nftables.

config NFT_REJECT

	depends on NF_TABLES

	depends on NF_TABLES_IPV6 || !NF_TABLES_IPV6

	default m if NETFILTER_ADVANCED=n

	tristate "Netfilter nf_tables reject support"

config NFT_COMPAT

	depends on NF_TABLES

	depends on NETFILTER_XTABLES

obj-$(CONFIG_NFT_LIMIT)		+= nft_limit.o

obj-$(CONFIG_NFT_NAT)		+= nft_nat.o

obj-$(CONFIG_NFT_QUEUE)		+= nft_queue.o

obj-$(CONFIG_NFT_REJECT) 	+= nft_reject.o

obj-$(CONFIG_NFT_RBTREE)	+= nft_rbtree.o

obj-$(CONFIG_NFT_HASH)		+= nft_hash.o

obj-$(CONFIG_NFT_COUNTER)	+= nft_counter.o

/*

 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>

 * Copyright (c) 2013 Eric Leblond <eric@regit.org>

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 as

#include <linux/netfilter/nf_tables.h>

#include <net/netfilter/nf_tables.h>

#include <net/icmp.h>

#include <net/netfilter/ipv4/nf_reject.h>

#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)

#include <net/netfilter/ipv6/nf_reject.h>

#endif

struct nft_reject {

	enum nft_reject_types	type:8;

	u8			icmp_code;

	u8			family;

};

static void nft_reject_eval(const struct nft_expr *expr,

			      const struct nft_pktinfo *pkt)

{

	struct nft_reject *priv = nft_expr_priv(expr);

	struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);

	switch (priv->type) {

	case NFT_REJECT_ICMP_UNREACH:

		icmp_send(pkt->skb, ICMP_DEST_UNREACH, priv->icmp_code, 0);

		if (priv->family == NFPROTO_IPV4)

			nf_send_unreach(pkt->skb, priv->icmp_code);

#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)

		else if (priv->family == NFPROTO_IPV6)

			nf_send_unreach6(net, pkt->skb, priv->icmp_code,

				      pkt->hooknum);

#endif

		break;

	case NFT_REJECT_TCP_RST:

		if (priv->family == NFPROTO_IPV4)

			nf_send_reset(pkt->skb, pkt->hooknum);

#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)

		else if (priv->family == NFPROTO_IPV6)

			nf_send_reset6(net, pkt->skb, pkt->hooknum);

#endif

		break;

	}

	if (tb[NFTA_REJECT_TYPE] == NULL)

		return -EINVAL;

	priv->family = ctx->afi->family;

	priv->type = ntohl(nla_get_be32(tb[NFTA_REJECT_TYPE]));

	switch (priv->type) {

	case NFT_REJECT_ICMP_UNREACH:

{

	const struct nft_reject *priv = nft_expr_priv(expr);

	if (nla_put_be32(skb, NFTA_REJECT_TYPE, priv->type))

	if (nla_put_be32(skb, NFTA_REJECT_TYPE, htonl(priv->type)))

		goto nla_put_failure;

	switch (priv->type) {