extensions: libipt_REJECT: Avoid to print the default reject with value in the transl...

Avoid to print the reject with value in the translation when the value is the default.

Before this patch:

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type port-unreachable

After this patch:

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
index 41487762d0d09fcc05e72613c43cb3259bfe2caf..c211da91cbe4c0f05dc9d1a8c89c0a3a70b8b544 100644 (file)
--- a/extensions/libipt_REJECT.c
+++ b/extensions/libipt_REJECT.c
@@ -171,7 +171,9 @@ static int REJECT_xlate(const void *ip, const struct xt_entry_target *target,
                        break;
        }
 
-       if (reject->with == IPT_TCP_RESET)
+       if (reject->with == IPT_ICMP_PORT_UNREACHABLE)
+               xt_xlate_add(xl, "reject");
+       else if (reject->with == IPT_TCP_RESET)
                xt_xlate_add(xl, "reject with %s",
                           reject_table_xlate[i].name);
        else