git.ipfire.org Git - thirdparty/nftables.git/commit

author	Álvaro Neira Ayuso <alvaroneay@gmail.com>
	Wed, 11 Jun 2014 16:51:03 +0000 (18:51 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 16 Jun 2014 09:53:19 +0000 (11:53 +0200)
commit	34040b1e345c8fa31b1c468713ff7c3815e4a8a1
tree	ba8d928aa811b5de919c94592f3f8f966503662d	tree
parent	11b2bb2fc0652dce73c78e7b0cee5c32c5af80e8	commit \| diff

reject: add ICMP code parameter for indicating the type of error

This patch allows to indicate the ICMP code field in case that we
use to reject. Before, we have always sent network unreachable error
as ICMP code, now we can explicitly indicate the ICMP code that
we want to use. Examples:

nft add rule filter input tcp dport 22 reject with host-unreach
nft add rule filter input udp dport 22 reject with host-unreach

In this case, it will use the host unreachable code to reject traffic.

The default code field still is network unreachable and we can also
use the rules without the with like that:

nft add rule filter input udp dport 22 reject

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/statement.h		diff \| blob \| blame \| history
src/evaluate.c		diff \| blob \| blame \| history
src/netlink_delinearize.c		diff \| blob \| blame \| history
src/netlink_linearize.c		diff \| blob \| blame \| history
src/parser.y		diff \| blob \| blame \| history
src/scanner.l		diff \| blob \| blame \| history
src/statement.c		diff \| blob \| blame \| history