extensions: libipt_REJECT: Drop ancient kernel compat hack

The IPT_ICMP_ADMIN_PROHIBITED fallback define and associated
compatibility notes were relevant for 2.4 kernels. The INCOMPATIBILITIES
file referencing these was already dropped in commit 92ce78d04677
("Drop INCOMPATIBILITIES file"), so clean up the remaining leftovers in
the REJECT extension source and man page.

Signed-off-by: Tommi Rantala <tommi.rantala@cujo.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
index 743dfffc78069c9ae3056cc6b7a039a0d38c4b1d..8bfe0fd769b687639a60cbdb5c5637014ee0a00d 100644 (file)
--- a/extensions/libipt_REJECT.c
+++ b/extensions/libipt_REJECT.c
@@ -6,16 +6,6 @@
 #include <string.h>
 #include <xtables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
 #include <string.h>
 #include <xtables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>

-#include <linux/version.h>
-
-/* If we are compiling against a kernel that does not support
- * IPT_ICMP_ADMIN_PROHIBITED, we are emulating it.
- * The result will be a plain DROP of the packet instead of
- * reject. -- Maciej Soltysiak <solt@dns.toxicfilms.tv>
- */
-#ifndef IPT_ICMP_ADMIN_PROHIBITED
-#define IPT_ICMP_ADMIN_PROHIBITED      IPT_TCP_RESET + 1
-#endif

 
 struct reject_names {
        const char *name;
 
 struct reject_names {
        const char *name;


@@ -73,7 +63,7 @@ static const struct reject_names reject_table[] = {
        },
        [IPT_ICMP_ADMIN_PROHIBITED] = {
                "icmp-admin-prohibited", "admin-prohib",
        },
        [IPT_ICMP_ADMIN_PROHIBITED] = {
                "icmp-admin-prohibited", "admin-prohib",

-               "ICMP administratively prohibited (*)",
+               "ICMP administratively prohibited",

                "admin-prohibited",
        },
 };
                "admin-prohibited",
        },
 };


@@ -102,8 +92,6 @@ static void REJECT_help(void)
 "                                a reply packet according to type:\n");
 
        print_reject_types();
 "                                a reply packet according to type:\n");
 
        print_reject_types();

-
-       printf("(*) See man page or read the INCOMPATIBILITES file for compatibility issues.\n");

 }
 
 static const struct xt_option_entry REJECT_opts[] = {
 }
 
 static const struct xt_option_entry REJECT_opts[] = {

diff --git a/extensions/libipt_REJECT.man b/extensions/libipt_REJECT.man
index a7196cdc9e4525933c74d2b0bdf0cf74b03ce873..ea4d92e648cdf30a2da2c548914c6792e50451fd 100644 (file)
--- a/extensions/libipt_REJECT.man
+++ b/extensions/libipt_REJECT.man
@@ -19,7 +19,7 @@ The type given can be
 \fBicmp\-proto\-unreachable\fP,
 \fBicmp\-net\-prohibited\fP,
 \fBicmp\-host\-prohibited\fP, or
 \fBicmp\-proto\-unreachable\fP,
 \fBicmp\-net\-prohibited\fP,
 \fBicmp\-host\-prohibited\fP, or

-\fBicmp\-admin\-prohibited\fP (*),
+\fBicmp\-admin\-prohibited\fP,

 which return the appropriate ICMP error message (\fBicmp\-port\-unreachable\fP is
 the default).  The option
 \fBtcp\-reset\fP
 which return the appropriate ICMP error message (\fBicmp\-port\-unreachable\fP is
 the default).  The option
 \fBtcp\-reset\fP


@@ -28,8 +28,6 @@ TCP RST packet to be sent back.  This is mainly useful for blocking
 .I ident
 (113/tcp) probes which frequently occur when sending mail to broken mail
 hosts (which won't accept your mail otherwise).
 .I ident
 (113/tcp) probes which frequently occur when sending mail to broken mail
 hosts (which won't accept your mail otherwise).

-.IP
-(*) Using icmp\-admin\-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT

 .PP
 \fIWarning:\fP You should not indiscriminately apply the REJECT target to
 packets whose connection state is classified as INVALID; instead, you should
 .PP
 \fIWarning:\fP You should not indiscriminately apply the REJECT target to
 packets whose connection state is classified as INVALID; instead, you should