finally commit the overly delayed RFC1812 admin prohibited option
authorHarald Welte <laforge@gnumonks.org>
Sat, 24 May 2003 11:44:18 +0000 (11:44 +0000)
committerHarald Welte <laforge@gnumonks.org>
Sat, 24 May 2003 11:44:18 +0000 (11:44 +0000)
INCOMPATIBILITIES [new file with mode: 0644]
extensions/libipt_REJECT.c
iptables.8

diff --git a/INCOMPATIBILITIES b/INCOMPATIBILITIES
new file mode 100644 (file)
index 0000000..fd695e1
--- /dev/null
@@ -0,0 +1,6 @@
+INCOMPATIBILITIES:
+
+- The REJECT target has an '--reject-with admin-prohib' option which used
+  with kernels that do not support it, will result in a plain DROP instead
+  of REJECT.  Use with caution.
+  Kernels that do support it:
index ba63a0aae5d984713037b0736b6f53c214aec88d..8170edd806b88b98c8f09e10c67b5e28d66b8928 100644 (file)
@@ -9,6 +9,16 @@
 #include <iptables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
+#include <linux/version.h>
+
+/* If we are compiling against a kernel that does not support
+ * IPT_ICMP_ADMIN_PROHIBITED, we are emulating it.
+ * The result will be a plain DROP of the packet instead of
+ * reject. -- Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ */
+#ifndef IPT_ICMP_ADMIN_PROHIBITED
+#define IPT_ICMP_ADMIN_PROHIBITED      IPT_TCP_RESET + 1
+#endif
 
 struct reject_names {
        const char *name;
@@ -35,7 +45,9 @@ static const struct reject_names reject_table[] = {
        {"icmp-host-prohibited", "host-prohib",
         IPT_ICMP_HOST_PROHIBITED, "ICMP host prohibited"},
        {"tcp-reset", "tcp-reset",
-        IPT_TCP_RESET, "TCP RST packet"}
+        IPT_TCP_RESET, "TCP RST packet"},
+       {"icmp-admin-prohibited", "admin-prohib",
+        IPT_ICMP_ADMIN_PROHIBITED, "ICMP administratively prohibited (*)"}
 };
 
 static void
@@ -64,6 +76,8 @@ help(void)
 "                                a reply packet according to type:\n");
 
        print_reject_types();
+
+       printf("(*) See man page or read the INCOMPATIBILITES file for compatibility issues.\n");
 }
 
 static struct option opts[] = {
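Review bot: The fallback macro in the first hunk expands unparenthesized, `IPT_TCP_RESET + 1`, so any future use in a larger expression (a multiplication, a comparison with a cast, an array index offset) would bind wrongly; it should read `#define IPT_ICMP_ADMIN_PROHIBITED (IPT_TCP_RESET + 1)`. The same hunk adds `#include <linux/version.h>` but nothing in the three hunks shown references a KERNEL_VERSION check, so either the include is unused or the check lives outside this view; if it is unused it should go, since a compile-time guess at the kernel's enum value is the only thing that makes the emulated option valid and that assumption deserves a comment next to the define rather than only in the man page. In the help() hunk the user-visible string has a typo, `INCOMPATIBILITES` → `INCOMPATIBILITIES`, which matters because it names a file the user is told to read. help()'s body begins before the third hunk.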
index bd58e09c6c6e7ef30c0320ce35052bb153878f2d..f73ff4628a867bfd439fbd2c47ba436ce88d207f 100644 (file)
@@ -864,8 +864,9 @@ The type given can be
 .BR icmp-host-unreachable ,
 .BR icmp-port-unreachable ,
 .BR icmp-proto-unreachable ,
-.BR "icmp-net-prohibited or"
-.BR icmp-host-prohibited ,
+.BR icmp-net-prohibited ,
+.BR "icmp-host-prohibited or"
+.BR "icmp-admin-prohibited (*)"
 which return the appropriate ICMP error message (\fBport-unreachable\fP is
 the default).  The option
 .B tcp-reset
@@ -874,6 +875,8 @@ TCP RST packet to be sent back.  This is mainly useful for blocking
 .I ident
 (113/tcp) probes which frequently occur when sending mail to broken mail
 hosts (which won't accept your mail otherwise).
+.TP
+(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
 .SS SNAT
 This target is only valid in the
 .B nat