*type*::
Type of reject, either *"tcp reset"*, *"icmpx"*, *"icmp"* or *"icmpv6"*.
*expr*::
- ICMP type to reject with.
+ ICMP code to reject with.
All properties are optional.
____
*reject* [ *with* 'REJECT_WITH' ]
-'REJECT_WITH' := *icmp type* 'icmp_code' |
- *icmpv6 type* 'icmpv6_code' |
- *icmpx type* 'icmpx_code' |
+'REJECT_WITH' := *icmp* 'icmp_code' |
+ *icmpv6* 'icmpv6_code' |
+ *icmpx* 'icmpx_code' |
*tcp reset*
____
$<stmt>0->reject.expr = $4;
datatype_set($<stmt>0->reject.expr, &icmp_code_type);
}
+ | WITH ICMP reject_with_expr
+ {
+ $<stmt>0->reject.family = NFPROTO_IPV4;
+ $<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
+ $<stmt>0->reject.expr = $3;
+ datatype_set($<stmt>0->reject.expr, &icmp_code_type);
+ }
| WITH ICMP6 TYPE reject_with_expr
{
$<stmt>0->reject.family = NFPROTO_IPV6;
$<stmt>0->reject.expr = $4;
datatype_set($<stmt>0->reject.expr, &icmpv6_code_type);
}
+ | WITH ICMP6 reject_with_expr
+ {
+ $<stmt>0->reject.family = NFPROTO_IPV6;
+ $<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
+ $<stmt>0->reject.expr = $3;
+ datatype_set($<stmt>0->reject.expr, &icmpv6_code_type);
+ }
| WITH ICMPX TYPE reject_with_expr
{
$<stmt>0->reject.type = NFT_REJECT_ICMPX_UNREACH;
$<stmt>0->reject.expr = $4;
datatype_set($<stmt>0->reject.expr, &icmpx_code_type);
}
+ | WITH ICMPX reject_with_expr
+ {
+ $<stmt>0->reject.type = NFT_REJECT_ICMPX_UNREACH;
+ $<stmt>0->reject.expr = $3;
+ datatype_set($<stmt>0->reject.expr, &icmpx_code_type);
+ }
| WITH TCP RESET
{
$<stmt>0->reject.type = NFT_REJECT_TCP_RST;
case NFT_REJECT_ICMPX_UNREACH:
if (stmt->reject.icmp_code == NFT_REJECT_ICMPX_PORT_UNREACH)
break;
- nft_print(octx, " with icmpx type ");
+ nft_print(octx, " with icmpx ");
expr_print(stmt->reject.expr, octx);
break;
case NFT_REJECT_ICMP_UNREACH:
if (!stmt->reject.verbose_print &&
stmt->reject.icmp_code == ICMP_PORT_UNREACH)
break;
- nft_print(octx, " with icmp type ");
+ nft_print(octx, " with icmp ");
expr_print(stmt->reject.expr, octx);
break;
case NFPROTO_IPV6:
if (!stmt->reject.verbose_print &&
stmt->reject.icmp_code == ICMP6_DST_UNREACH_NOPORT)
break;
- nft_print(octx, " with icmpv6 type ");
+ nft_print(octx, " with icmpv6 ");
expr_print(stmt->reject.expr, octx);
break;
}
*bridge;test-bridge;input
# The output is specific for bridge family
-reject with icmp type host-unreachable;ok
-reject with icmp type net-unreachable;ok
-reject with icmp type prot-unreachable;ok
-reject with icmp type port-unreachable;ok
-reject with icmp type net-prohibited;ok
-reject with icmp type host-prohibited;ok
-reject with icmp type admin-prohibited;ok
-
-reject with icmpv6 type no-route;ok
-reject with icmpv6 type admin-prohibited;ok
-reject with icmpv6 type addr-unreachable;ok
-reject with icmpv6 type port-unreachable;ok
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok
mark 12345 ip protocol tcp reject with tcp reset;ok;meta mark 0x00003039 ip protocol 6 reject with tcp reset
reject;ok
-ether type ip reject;ok;reject with icmp type port-unreachable
-ether type ip6 reject;ok;reject with icmpv6 type port-unreachable
+ether type ip reject;ok;reject with icmp port-unreachable
+ether type ip6 reject;ok;reject with icmpv6 port-unreachable
-reject with icmpx type host-unreachable;ok
-reject with icmpx type no-route;ok
-reject with icmpx type admin-prohibited;ok
-reject with icmpx type port-unreachable;ok;reject
+reject with icmpx host-unreachable;ok
+reject with icmpx no-route;ok
+reject with icmpx admin-prohibited;ok
+reject with icmpx port-unreachable;ok;reject
-ether type ipv6 reject with icmp type host-unreachable;fail
-ether type ip6 reject with icmp type host-unreachable;fail
-ether type ip reject with icmpv6 type no-route;fail
+ether type ipv6 reject with icmp host-unreachable;fail
+ether type ip6 reject with icmp host-unreachable;fail
+ether type ip reject with icmpv6 no-route;fail
ether type vlan reject;ok;ether type 8021q reject
ether type arp reject;fail
ether type vlan reject with tcp reset;ok;meta l4proto 6 ether type 8021q reject with tcp reset
ether type arp reject with tcp reset;fail
ip protocol udp reject with tcp reset;fail
-ether type ip reject with icmpx type admin-prohibited;ok
-ether type ip6 reject with icmpx type admin-prohibited;ok
-ether type 8021q reject with icmpx type admin-prohibited;ok
-ether type arp reject with icmpx type admin-prohibited;fail
+ether type ip reject with icmpx admin-prohibited;ok
+ether type ip6 reject with icmpx admin-prohibited;ok
+ether type 8021q reject with icmpx admin-prohibited;ok
+ether type arp reject with icmpx admin-prohibited;fail
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
[
{
"reject": {
}
]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
[
{
"reject": {
}
]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
[
{
"reject": {
}
]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
[
{
"reject": {
}
]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
[
{
"reject": {
}
]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
[
{
"reject": {
}
]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
[
{
"reject": {
}
]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
[
{
"reject": {
}
]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
[
{
"reject": {
}
]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
[
{
"reject": {
}
]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
[
{
"reject": {
}
]
-# reject with icmpx type host-unreachable
+# reject with icmpx host-unreachable
[
{
"reject": {
}
]
-# reject with icmpx type no-route
+# reject with icmpx no-route
[
{
"reject": {
}
]
-# reject with icmpx type admin-prohibited
+# reject with icmpx admin-prohibited
[
{
"reject": {
}
]
-# reject with icmpx type port-unreachable
+# reject with icmpx port-unreachable
[
{
"reject": {
}
]
-# ether type ip reject with icmpx type admin-prohibited
+# ether type ip reject with icmpx admin-prohibited
[
{
"match": {
}
]
-# ether type ip6 reject with icmpx type admin-prohibited
+# ether type ip6 reject with icmpx admin-prohibited
[
{
"match": {
}
]
-# ether type 8021q reject with icmpx type admin-prohibited
+# ether type 8021q reject with icmpx admin-prohibited
[
{
"match": {
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 1 ]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 0 ]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 2 ]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 3 ]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 9 ]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 10 ]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 13 ]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 0 ]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 1 ]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 3 ]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 4 ]
-# reject with icmpx type host-unreachable
+# reject with icmpx host-unreachable
bridge test-bridge input
[ reject type 2 code 2 ]
-# reject with icmpx type no-route
+# reject with icmpx no-route
bridge test-bridge input
[ reject type 2 code 0 ]
-# reject with icmpx type admin-prohibited
+# reject with icmpx admin-prohibited
bridge test-bridge input
[ reject type 2 code 3 ]
-# reject with icmpx type port-unreachable
+# reject with icmpx port-unreachable
bridge test-bridge input
[ reject type 2 code 1 ]
-# ether type ip reject with icmpx type admin-prohibited
+# ether type ip reject with icmpx admin-prohibited
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 2 code 3 ]
-# ether type ip6 reject with icmpx type admin-prohibited
+# ether type ip6 reject with icmpx admin-prohibited
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ cmp eq reg 1 0x00000081 ]
[ reject type 1 code 0 ]
-# ether type 8021q reject with icmpx type admin-prohibited
+# ether type 8021q reject with icmpx admin-prohibited
bridge
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000081 ]
*inet;test-inet;input
-reject with icmp type host-unreachable;ok
-reject with icmp type net-unreachable;ok
-reject with icmp type prot-unreachable;ok
-reject with icmp type port-unreachable;ok
-reject with icmp type net-prohibited;ok
-reject with icmp type host-prohibited;ok
-reject with icmp type admin-prohibited;ok
-
-reject with icmpv6 type no-route;ok
-reject with icmpv6 type admin-prohibited;ok
-reject with icmpv6 type addr-unreachable;ok
-reject with icmpv6 type port-unreachable;ok
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok
mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset
reject;ok
-meta nfproto ipv4 reject;ok;reject with icmp type port-unreachable
-meta nfproto ipv6 reject;ok;reject with icmpv6 type port-unreachable
+meta nfproto ipv4 reject;ok;reject with icmp port-unreachable
+meta nfproto ipv6 reject;ok;reject with icmpv6 port-unreachable
-reject with icmpx type host-unreachable;ok
-reject with icmpx type no-route;ok
-reject with icmpx type admin-prohibited;ok
-reject with icmpx type port-unreachable;ok;reject
-reject with icmpx type 3;ok;reject with icmpx type admin-prohibited
+reject with icmpx host-unreachable;ok
+reject with icmpx no-route;ok
+reject with icmpx admin-prohibited;ok
+reject with icmpx port-unreachable;ok;reject
+reject with icmpx 3;ok;reject with icmpx admin-prohibited
-meta nfproto ipv4 reject with icmp type host-unreachable;ok;reject with icmp type host-unreachable
-meta nfproto ipv6 reject with icmpv6 type no-route;ok;reject with icmpv6 type no-route
+meta nfproto ipv4 reject with icmp host-unreachable;ok;reject with icmp host-unreachable
+meta nfproto ipv6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route
-meta nfproto ipv6 reject with icmp type host-unreachable;fail
-meta nfproto ipv4 ip protocol icmp reject with icmpv6 type no-route;fail
-meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail
+meta nfproto ipv6 reject with icmp host-unreachable;fail
+meta nfproto ipv4 ip protocol icmp reject with icmpv6 no-route;fail
+meta nfproto ipv6 ip protocol icmp reject with icmp host-unreachable;fail
meta l4proto udp reject with tcp reset;fail
-meta nfproto ipv4 reject with icmpx type admin-prohibited;ok
-meta nfproto ipv6 reject with icmpx type admin-prohibited;ok
+meta nfproto ipv4 reject with icmpx admin-prohibited;ok
+meta nfproto ipv6 reject with icmpx admin-prohibited;ok
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
[
{
"reject": {
}
]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
[
{
"reject": {
}
]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
[
{
"reject": {
}
]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
[
{
"reject": {
}
]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
[
{
"reject": {
}
]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
[
{
"reject": {
}
]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
[
{
"reject": {
}
]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
[
{
"reject": {
}
]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
[
{
"reject": {
}
]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
[
{
"reject": {
}
]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
[
{
"reject": {
}
]
-# reject with icmpx type host-unreachable
+# reject with icmpx host-unreachable
[
{
"reject": {
}
]
-# reject with icmpx type no-route
+# reject with icmpx no-route
[
{
"reject": {
}
]
-# reject with icmpx type admin-prohibited
+# reject with icmpx admin-prohibited
[
{
"reject": {
}
]
-# reject with icmpx type port-unreachable
+# reject with icmpx port-unreachable
[
{
"reject": {
}
]
-# meta nfproto ipv4 reject with icmp type host-unreachable
+# meta nfproto ipv4 reject with icmp host-unreachable
[
{
"match": {
}
]
-# meta nfproto ipv6 reject with icmpv6 type no-route
+# meta nfproto ipv6 reject with icmpv6 no-route
[
{
"match": {
}
]
-# meta nfproto ipv4 reject with icmpx type admin-prohibited
+# meta nfproto ipv4 reject with icmpx admin-prohibited
[
{
"match": {
}
]
-# meta nfproto ipv6 reject with icmpx type admin-prohibited
+# meta nfproto ipv6 reject with icmpx admin-prohibited
[
{
"match": {
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 1 ]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 0 ]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 2 ]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 3 ]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 9 ]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 10 ]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 13 ]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
[ reject type 0 code 0 ]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
[ reject type 0 code 1 ]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
[ reject type 0 code 3 ]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
[ cmp eq reg 1 0x0000000a ]
[ reject type 0 code 4 ]
-# reject with icmpx type host-unreachable
+# reject with icmpx host-unreachable
inet test-inet input
[ reject type 2 code 2 ]
-# reject with icmpx type no-route
+# reject with icmpx no-route
inet test-inet input
[ reject type 2 code 0 ]
-# reject with icmpx type admin-prohibited
+# reject with icmpx admin-prohibited
inet test-inet input
[ reject type 2 code 3 ]
-# reject with icmpx type port-unreachable
+# reject with icmpx port-unreachable
inet test-inet input
[ reject type 2 code 1 ]
-# reject with icmpx type 3
+# reject with icmpx 3
inet test-inet input
[ reject type 2 code 3 ]
-# meta nfproto ipv4 reject with icmp type host-unreachable
+# meta nfproto ipv4 reject with icmp host-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 1 ]
-# meta nfproto ipv6 reject with icmpv6 type no-route
+# meta nfproto ipv6 reject with icmpv6 no-route
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
[ reject type 0 code 0 ]
-# meta nfproto ipv4 reject with icmpx type admin-prohibited
+# meta nfproto ipv4 reject with icmpx admin-prohibited
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 2 code 3 ]
-# meta nfproto ipv6 reject with icmpx type admin-prohibited
+# meta nfproto ipv6 reject with icmpx admin-prohibited
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
*ip;test-ip4;output
reject;ok
-reject with icmp type host-unreachable;ok
-reject with icmp type net-unreachable;ok
-reject with icmp type prot-unreachable;ok
-reject with icmp type port-unreachable;ok;reject
-reject with icmp type net-prohibited;ok
-reject with icmp type host-prohibited;ok
-reject with icmp type admin-prohibited;ok
-reject with icmp type 3;ok;reject
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok;reject
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+reject with icmp 3;ok;reject
mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset
-reject with icmp type no-route;fail
-reject with icmpv6 type no-route;fail
+reject with icmp no-route;fail
+reject with icmpv6 no-route;fail
ip test-ip4 output
[ reject type 0 code 3 ]
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
ip test-ip4 output
[ reject type 0 code 1 ]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
ip test-ip4 output
[ reject type 0 code 0 ]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
ip test-ip4 output
[ reject type 0 code 2 ]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
ip test-ip4 output
[ reject type 0 code 3 ]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
ip test-ip4 output
[ reject type 0 code 9 ]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
ip test-ip4 output
[ reject type 0 code 10 ]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
ip test-ip4 output
[ reject type 0 code 13 ]
-# reject with icmp type 3
+# reject with icmp 3
ip test-ip4 output
[ reject type 0 code 3 ]
*ip6;test-ip6;output
reject;ok
-reject with icmpv6 type no-route;ok
-reject with icmpv6 type admin-prohibited;ok
-reject with icmpv6 type addr-unreachable;ok
-reject with icmpv6 type port-unreachable;ok;reject
-reject with icmpv6 type policy-fail;ok
-reject with icmpv6 type reject-route;ok
-reject with icmpv6 type 3;ok;reject with icmpv6 type addr-unreachable
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok;reject
+reject with icmpv6 policy-fail;ok
+reject with icmpv6 reject-route;ok
+reject with icmpv6 3;ok;reject with icmpv6 addr-unreachable
mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset
-reject with icmpv6 type host-unreachable;fail
-reject with icmp type host-unreachable;fail
+reject with icmpv6 host-unreachable;fail
+reject with icmp host-unreachable;fail
ip6 test-ip6 output
[ reject type 0 code 4 ]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
ip6 test-ip6 output
[ reject type 0 code 0 ]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
ip6 test-ip6 output
[ reject type 0 code 1 ]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
ip6 test-ip6 output
[ reject type 0 code 3 ]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
ip6 test-ip6 output
[ reject type 0 code 4 ]
-# reject with icmpv6 type policy-fail
+# reject with icmpv6 policy-fail
ip6 test-ip6 output
[ reject type 0 code 5 ]
-# reject with icmpv6 type reject-route
+# reject with icmpv6 reject-route
ip6 test-ip6 output
[ reject type 0 code 6 ]
-# reject with icmpv6 type 3
+# reject with icmpv6 3
ip6 test-ip6 output
[ reject type 0 code 3 ]
*netdev;test-netdev;ingress
-reject with icmp type host-unreachable;ok
-reject with icmp type net-unreachable;ok
-reject with icmp type prot-unreachable;ok
-reject with icmp type port-unreachable;ok
-reject with icmp type net-prohibited;ok
-reject with icmp type host-prohibited;ok
-reject with icmp type admin-prohibited;ok
-
-reject with icmpv6 type no-route;ok
-reject with icmpv6 type admin-prohibited;ok
-reject with icmpv6 type addr-unreachable;ok
-reject with icmpv6 type port-unreachable;ok
-reject with icmpv6 type policy-fail;ok
-reject with icmpv6 type reject-route;ok
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok
+reject with icmpv6 policy-fail;ok
+reject with icmpv6 reject-route;ok
mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset
reject;ok
-meta protocol ip reject;ok;reject with icmp type port-unreachable
-meta protocol ip6 reject;ok;reject with icmpv6 type port-unreachable
+meta protocol ip reject;ok;reject with icmp port-unreachable
+meta protocol ip6 reject;ok;reject with icmpv6 port-unreachable
-reject with icmpx type host-unreachable;ok
-reject with icmpx type no-route;ok
-reject with icmpx type admin-prohibited;ok
-reject with icmpx type port-unreachable;ok;reject
+reject with icmpx host-unreachable;ok
+reject with icmpx no-route;ok
+reject with icmpx admin-prohibited;ok
+reject with icmpx port-unreachable;ok;reject
-meta protocol ip reject with icmp type host-unreachable;ok;reject with icmp type host-unreachable
-meta protocol ip6 reject with icmpv6 type no-route;ok;reject with icmpv6 type no-route
+meta protocol ip reject with icmp host-unreachable;ok;reject with icmp host-unreachable
+meta protocol ip6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route
-meta protocol ip6 reject with icmp type host-unreachable;fail
-meta protocol ip ip protocol icmp reject with icmpv6 type no-route;fail
-meta protocol ip6 ip protocol icmp reject with icmp type host-unreachable;fail
+meta protocol ip6 reject with icmp host-unreachable;fail
+meta protocol ip ip protocol icmp reject with icmpv6 no-route;fail
+meta protocol ip6 ip protocol icmp reject with icmp host-unreachable;fail
meta l4proto udp reject with tcp reset;fail
-meta protocol ip reject with icmpx type admin-prohibited;ok
-meta protocol ip6 reject with icmpx type admin-prohibited;ok
+meta protocol ip reject with icmpx admin-prohibited;ok
+meta protocol ip6 reject with icmpx admin-prohibited;ok
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
[
{
"reject": {
}
]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
[
{
"reject": {
}
]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
[
{
"reject": {
}
]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
[
{
"reject": {
}
]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
[
{
"reject": {
}
]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
[
{
"reject": {
}
]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
[
{
"reject": {
}
]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
[
{
"reject": {
}
]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
[
{
"reject": {
}
]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
[
{
"reject": {
}
]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
[
{
"reject": {
}
]
-# reject with icmpv6 type policy-fail
+# reject with icmpv6 policy-fail
[
{
"reject": {
}
]
-# reject with icmpv6 type reject-route
+# reject with icmpv6 reject-route
[
{
"reject": {
}
]
-# reject with icmpx type host-unreachable
+# reject with icmpx host-unreachable
[
{
"reject": {
}
]
-# reject with icmpx type no-route
+# reject with icmpx no-route
[
{
"reject": {
}
]
-# reject with icmpx type admin-prohibited
+# reject with icmpx admin-prohibited
[
{
"reject": {
}
]
-# reject with icmpx type port-unreachable
+# reject with icmpx port-unreachable
[
{
"reject": {
}
]
-# meta protocol ip reject with icmp type host-unreachable
+# meta protocol ip reject with icmp host-unreachable
[
{
"reject": {
}
]
-# meta protocol ip6 reject with icmpv6 type no-route
+# meta protocol ip6 reject with icmpv6 no-route
[
{
"reject": {
}
]
-# meta protocol ip reject with icmpx type admin-prohibited
+# meta protocol ip reject with icmpx admin-prohibited
[
{
"match": {
}
]
-# meta protocol ip6 reject with icmpx type admin-prohibited
+# meta protocol ip6 reject with icmpx admin-prohibited
[
{
"match": {
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 1 ]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 0 ]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 2 ]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 3 ]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 9 ]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 10 ]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 13 ]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 0 ]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 1 ]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 3 ]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 4 ]
-# reject with icmpv6 type policy-fail
+# reject with icmpv6 policy-fail
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 5 ]
-# reject with icmpv6 type reject-route
+# reject with icmpv6 reject-route
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 4 ]
-# reject with icmpx type host-unreachable
+# reject with icmpx host-unreachable
netdev
[ reject type 2 code 2 ]
-# reject with icmpx type no-route
+# reject with icmpx no-route
netdev
[ reject type 2 code 0 ]
-# reject with icmpx type admin-prohibited
+# reject with icmpx admin-prohibited
netdev
[ reject type 2 code 3 ]
-# reject with icmpx type port-unreachable
+# reject with icmpx port-unreachable
netdev
[ reject type 2 code 1 ]
-# meta protocol ip reject with icmp type host-unreachable
+# meta protocol ip reject with icmp host-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 1 ]
-# meta protocol ip6 reject with icmpv6 type no-route
+# meta protocol ip6 reject with icmpv6 no-route
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 0 ]
-# meta protocol ip reject with icmpx type admin-prohibited
+# meta protocol ip reject with icmpx admin-prohibited
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 2 code 3 ]
-# meta protocol ip6 reject with icmpx type admin-prohibited
+# meta protocol ip6 reject with icmpx admin-prohibited
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
projects / thirdparty / nftables.git / commitdiff
