Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 05513e9e authored Feb 05, 2014 by Patrick McHardy Committed by Pablo Neira Ayuso Feb 06, 2014

netfilter: nf_tables: add reject module for NFPROTO_INET



Add a reject module for NFPROTO_INET. It does nothing but dispatch
to the AF-specific modules based on the hook family.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent cc4723ca

include/net/netfilter/nft_reject.h

+8 −0

Original line number	Diff line number	Diff line
		@@ -14,4 +14,12 @@ int nft_reject_init(const struct nft_ctx *ctx,

		int nft_reject_dump(struct sk_buff skb, const struct nft_expr expr);

		void nft_reject_ipv4_eval(const struct nft_expr *expr,
		struct nft_data data[NFT_REG_MAX + 1],
		const struct nft_pktinfo *pkt);

		void nft_reject_ipv6_eval(const struct nft_expr *expr,
		struct nft_data data[NFT_REG_MAX + 1],
		const struct nft_pktinfo *pkt);

		#endif

net/ipv4/netfilter/nft_reject_ipv4.c

+4 −3

Original line number	Diff line number	Diff line
		@@ -20,7 +20,7 @@
		#include <net/netfilter/ipv4/nf_reject.h>
		#include <net/netfilter/nft_reject.h>

		static void nft_reject_ipv4_eval(const struct nft_expr *expr,
		void nft_reject_ipv4_eval(const struct nft_expr *expr,
		struct nft_data data[NFT_REG_MAX + 1],
		const struct nft_pktinfo *pkt)
		{
		@@ -37,6 +37,7 @@ static void nft_reject_ipv4_eval(const struct nft_expr *expr,

		data[NFT_REG_VERDICT].verdict = NF_DROP;
		}
		EXPORT_SYMBOL_GPL(nft_reject_ipv4_eval);

		static struct nft_expr_type nft_reject_ipv4_type;
		static const struct nft_expr_ops nft_reject_ipv4_ops = {

net/ipv6/netfilter/nft_reject_ipv6.c

+4 −3

Original line number	Diff line number	Diff line
		@@ -19,7 +19,7 @@
		#include <net/netfilter/nft_reject.h>
		#include <net/netfilter/ipv6/nf_reject.h>

		static void nft_reject_ipv6_eval(const struct nft_expr *expr,
		void nft_reject_ipv6_eval(const struct nft_expr *expr,
		struct nft_data data[NFT_REG_MAX + 1],
		const struct nft_pktinfo *pkt)
		{
		@@ -38,6 +38,7 @@ static void nft_reject_ipv6_eval(const struct nft_expr *expr,

		data[NFT_REG_VERDICT].verdict = NF_DROP;
		}
		EXPORT_SYMBOL_GPL(nft_reject_ipv6_eval);

		static struct nft_expr_type nft_reject_ipv6_type;
		static const struct nft_expr_ops nft_reject_ipv6_ops = {

net/netfilter/Kconfig

+5 −0

Original line number	Diff line number	Diff line
		@@ -520,6 +520,11 @@ config NFT_REJECT
		explicitly deny and notify via TCP reset/ICMP informational errors
		unallowed traffic.

		config NFT_REJECT_INET
		depends on NF_TABLES_INET
		default NFT_REJECT
		tristate

		config NFT_COMPAT
		depends on NF_TABLES
		depends on NETFILTER_XTABLES

net/netfilter/Makefile

+1 −0

Original line number	Diff line number	Diff line
		@@ -79,6 +79,7 @@ obj-$(CONFIG_NFT_LIMIT) += nft_limit.o
		obj-$(CONFIG_NFT_NAT) += nft_nat.o
		obj-$(CONFIG_NFT_QUEUE) += nft_queue.o
		obj-$(CONFIG_NFT_REJECT) += nft_reject.o
		obj-$(CONFIG_NFT_REJECT_INET) += nft_reject_inet.o
		obj-$(CONFIG_NFT_RBTREE) += nft_rbtree.o
		obj-$(CONFIG_NFT_HASH) += nft_hash.o
		obj-$(CONFIG_NFT_COUNTER) += nft_counter.o