type = "tcp reset";
break;
case NFT_REJECT_ICMPX_UNREACH:
- if (stmt->reject.icmp_code == NFT_REJECT_ICMPX_PORT_UNREACH)
- break;
type = "icmpx";
jexpr = expr_print_json(stmt->reject.expr, octx);
break;
case NFT_REJECT_ICMP_UNREACH:
switch (stmt->reject.family) {
case NFPROTO_IPV4:
- if (!stmt->reject.verbose_print &&
- stmt->reject.icmp_code == ICMP_PORT_UNREACH)
- break;
type = "icmp";
jexpr = expr_print_json(stmt->reject.expr, octx);
break;
case NFPROTO_IPV6:
- if (!stmt->reject.verbose_print &&
- stmt->reject.icmp_code == ICMP6_DST_UNREACH_NOPORT)
- break;
type = "icmpv6";
jexpr = expr_print_json(stmt->reject.expr, octx);
break;
-# reject with icmp type host-unreachable
-[
- {
- "reject": {
- "expr": "host-unreachable",
- "type": "icmp"
- }
- }
-]
-
-# reject with icmp type net-unreachable
-[
- {
- "reject": {
- "expr": "net-unreachable",
- "type": "icmp"
- }
- }
-]
-
-# reject with icmp type prot-unreachable
-[
- {
- "reject": {
- "expr": "prot-unreachable",
- "type": "icmp"
- }
- }
-]
-
-# reject with icmp type net-prohibited
-[
- {
- "reject": {
- "expr": "net-prohibited",
- "type": "icmp"
- }
- }
-]
-
-# reject with icmp type host-prohibited
-[
- {
- "reject": {
- "expr": "host-prohibited",
- "type": "icmp"
- }
- }
-]
-
-# reject with icmp type admin-prohibited
-[
- {
- "reject": {
- "expr": "admin-prohibited",
- "type": "icmp"
- }
- }
-]
-
-# reject with icmpv6 type no-route
-[
- {
- "reject": {
- "expr": "no-route",
- "type": "icmpv6"
- }
- }
-]
-
-# reject with icmpv6 type admin-prohibited
-[
- {
- "reject": {
- "expr": "admin-prohibited",
- "type": "icmpv6"
- }
- }
-]
-
-# reject with icmpv6 type addr-unreachable
-[
- {
- "reject": {
- "expr": "addr-unreachable",
- "type": "icmpv6"
- }
- }
-]
-
-# reject with icmpv6 type port-unreachable
-[
- {
- "reject": {
- "expr": "port-unreachable",
- "type": "icmpv6"
- }
- }
-]
-
# mark 12345 ip protocol tcp reject with tcp reset
[
{
}
]
-# reject with icmpx type port-unreachable
+# reject
[
{
- "reject": null
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpx"
+ }
}
]
}
}
]
+
+# ether type vlan reject
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "vlan"
+ }
+ },
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpx"
+ }
+ }
+]
+
}
]
-# meta nfproto ipv4 reject
+# reject
[
{
"reject": {
"expr": "port-unreachable",
- "type": "icmp"
+ "type": "icmpx"
}
}
]
-# meta nfproto ipv6 reject
+# meta nfproto ipv4 reject
[
{
"reject": {
"expr": "port-unreachable",
- "type": "icmpv6"
+ "type": "icmp"
}
}
]
-# reject with icmpx type port-unreachable
+# meta nfproto ipv6 reject
[
{
- "reject": null
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpv6"
+ }
}
]
projects / thirdparty / nftables.git / commitdiff
