reject: Use protocol context for indicating the reject type
authorÁlvaro Neira Ayuso <alvaroneay@gmail.com>
Wed, 11 Jun 2014 16:49:22 +0000 (18:49 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 16 Jun 2014 09:50:44 +0000 (11:50 +0200)
This patch uses the protocol context to initialize the reject type
depending on whether the transport protocol is tcp, udp, etc. Before this
patch, the type was left unset.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c
src/netlink_delinearize.c

index 2330bbb2af29b98a7fc081167f96541ac14a788e..c15cd55f4f0287f3b7641b173c575fb00c6ed7f1 100644 (file)
@@ -1132,6 +1132,18 @@ static int stmt_evaluate_meta(struct eval_ctx *ctx, struct stmt *stmt)
 
 static int stmt_evaluate_reject(struct eval_ctx *ctx, struct stmt *stmt)
 {
+       struct proto_ctx *pctx = &ctx->pctx;
+       const struct proto_desc *base;
+
+       base = pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc;
+       if (base == NULL)
+               return -1;
+
+       if (strcmp(base->name, "tcp") == 0)
+               stmt->reject.type = NFT_REJECT_TCP_RST;
+       else
+               stmt->reject.type = NFT_REJECT_ICMP_UNREACH;
+
        stmt->flags |= STMT_F_TERMINAL;
        return 0;
 }
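Review bot: The early exit when no transport-header protocol is in the context (`if (base == NULL) return -1;`) fails the evaluation without emitting a diagnostic, so a `reject` in a rule that never matched a transport protocol is refused with no explanation of why; evaluate.c's other statement evaluators report through its error helper, and this one should too, e.g. `return stmt_error(ctx, stmt, "reject statement requires a transport protocol in the rule");`. Note also that the context-based selection silently maps every non-tcp transport (udp, sctp, anything with a descriptor) to NFT_REJECT_ICMP_UNREACH, which is what the description intends but is worth a one-line comment above the `strcmp`, e.g. `/* only tcp can be answered with a RST; everything else gets ICMP unreachable */`. Matching on `base->name` with `strcmp` is a style choice; if the tcp descriptor object is visible here, comparing the descriptor pointer itself would avoid a string compare on every evaluation.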
index 5c6ca8008e45783790028d064ec0fde9978b5f9f..a98c68fc2010e825e26e5aabb8026ca5ffb144bb 100644 (file)
@@ -456,6 +456,7 @@ static void netlink_parse_reject(struct netlink_parse_ctx *ctx,
        struct stmt *stmt;
 
        stmt = reject_stmt_alloc(loc);
+       stmt->reject.type = nft_rule_expr_get_u32(expr, NFT_EXPR_REJECT_TYPE);
        list_add_tail(&stmt->list, &ctx->rule->stmts);
 }
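Review bot: The added `stmt->reject.type = nft_rule_expr_get_u32(expr, NFT_EXPR_REJECT_TYPE);` reads the attribute unconditionally, with no check that the kernel actually included it; if the library getter yields its zero value for an absent attribute, an unset type would be read back as whatever reject type is numbered 0 rather than being flagged. Since this is the trust boundary where kernel-supplied rule data is turned back into statements, guarding the read with the library's is-set check and validating that the value is one of the types the evaluator knows how to produce would make the listing side robust against an older or mismatched kernel, e.g. `if (!nft_rule_expr_is_set(expr, NFT_EXPR_REJECT_TYPE)) { /* TODO: report unsupported/missing reject type */ }`. netlink_parse_reject's signature and opening lie outside the hunk.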