From: Florian Westphal <fw@strlen.de>
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nft] parser: support reject unreach|reset
Date: Mon,  3 Mar 2014 22:12:26 +0100	[thread overview]
Message-ID: <1393881146-12967-1-git-send-email-fw@strlen.de> (raw)

reject did not allow to use tcp reset instead of icmp unreach.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 After this patch it's possible to do something like

 rule filter output reject reset

 Which makes the kernel generate bogus tcp resets in response
 to non-tcp packets.

 In iptables this is avoided by making checkentry fail if -p tcp is not
 specified when tcp-reset is requested.

 How should this be handled in nft?

 src/netlink_delinearize.c |  1 +
 src/parser.y              | 22 +++++++++++++++++++---
 src/scanner.l             |  2 ++
 src/statement.c           |  8 +++++++-
 4 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 5eec6cf..9503da7 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -428,6 +428,7 @@ static void netlink_parse_reject(struct netlink_parse_ctx *ctx,
 	struct stmt *stmt;
 
 	stmt = reject_stmt_alloc(loc);
+	stmt->reject.type = nft_rule_expr_get_u32(expr, NFT_EXPR_REJECT_TYPE);
 	list_add_tail(&stmt->list, &ctx->rule->stmts);
 }
 
diff --git a/src/parser.y b/src/parser.y
index b3acc74..e748c58 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -339,6 +339,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token WEEK			"week"
 
 %token _REJECT			"reject"
+%token REJECT_RESET		"reset"
+%token REJECT_UNREACH		"unreach"
 
 %token SNAT			"snat"
 %token DNAT			"dnat"
@@ -398,8 +400,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %type <stmt>			limit_stmt
 %destructor { stmt_free($$); }	limit_stmt
 %type <val>			time_unit
-%type <stmt>			reject_stmt
-%destructor { stmt_free($$); }	reject_stmt
+%type <stmt>			reject_stmt reject_stmt_alloc
+%destructor { stmt_free($$); }	reject_stmt reject_stmt_alloc
 %type <stmt>			nat_stmt nat_stmt_alloc
 %destructor { stmt_free($$); }	nat_stmt nat_stmt_alloc
 %type <stmt>			queue_stmt queue_stmt_alloc
@@ -1142,12 +1144,26 @@ time_unit		:	SECOND		{ $$ = 1ULL; }
 			|	WEEK		{ $$ = 1ULL * 60 * 60 * 24 * 7; }
 			;
 
-reject_stmt		:	_REJECT
+reject_stmt		:	reject_stmt_alloc
+			| 	reject_stmt_alloc reject_args
+			;
+
+reject_stmt_alloc	:	_REJECT
 			{
 				$$ = reject_stmt_alloc(&@$);
 			}
 			;
 
+reject_args		:	REJECT_RESET
+			{
+				$<stmt>0->reject.type = NFT_REJECT_TCP_RST;
+			}
+			|	REJECT_UNREACH
+			{
+				$<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
+			}
+			;
+
 nat_stmt		:	nat_stmt_alloc	nat_stmt_args
 			;
 
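Review bot: The bare `reject_stmt : reject_stmt_alloc` alternative leaves `reject.type` at whatever `reject_stmt_alloc()` initialises it to, which is not visible in this hunk; if the allocator zero-fills, the "reject" default only maps to ICMP unreachable because NFT_REJECT_ICMP_UNREACH happens to be 0. Making that explicit in the first alternative would keep the default stable if the enum or allocator ever changes: `| reject_stmt_alloc { $$ = $1; $$->reject.type = NFT_REJECT_ICMP_UNREACH; }` or a matching assignment in the allocator itself. As a style point, the second alternative on the `| ` line mixes a space and a tab after the bar where the neighbouring `nat_stmt` rules use tabs only. The enclosing grammar section continues outside the hunk.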
diff --git a/src/scanner.l b/src/scanner.l
index 45c6476..dcaee13 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -293,6 +293,8 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "week"			{ return WEEK; }
 
 "reject"		{ return _REJECT; }
+"unreach"		{ return REJECT_UNREACH; }
+"reset"			{ return REJECT_RESET; }
 
 "snat"			{ return SNAT; }
 "dnat"			{ return DNAT; }
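Review bot: Turning `unreach` and `reset` into unconditional keywords reserves two common words for the whole grammar, not just the reject statement, so any place that currently accepts them as a STRING (a set, chain or table named `reset`, for instance) will stop parsing after this change. If the scanner does not already switch states by context, it is worth either checking the existing rule set for such identifiers or documenting the newly reserved words next to the token definitions, e.g. `/* "unreach" and "reset" are reserved keywords; they cannot be used as object names */`. The same applies to the `%token` additions in the parser.y hunk above.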
diff --git a/src/statement.c b/src/statement.c
index 3fdd9e2..611ce5e 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -205,7 +205,13 @@ struct stmt *queue_stmt_alloc(const struct location *loc)
 
 static void reject_stmt_print(const struct stmt *stmt)
 {
-	printf("reject");
+	printf("reject ");
+	switch (stmt->reject.type) {
+	case NFT_REJECT_ICMP_UNREACH: printf("unreach"); break;
+	case NFT_REJECT_TCP_RST: printf("reset"); break;
+	default:
+		printf("[ unknown type %d ]", stmt->reject.type);
+	}
 }
 
 static const struct stmt_ops reject_stmt_ops = {
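Review bot: The `default:` branch prints `stmt->reject.type` with `%d`, but the value is stored from `nft_rule_expr_get_u32()` in the netlink_delinearize.c hunk, so unless `reject.type` is declared as a signed enum the conversion does not match the argument type (`-Wformat` would flag it); `%u` with a cast to `unsigned` is safe for either declaration. The fallback text also produces output that the parser cannot read back (`reject [ unknown type N ]`), which matters if printed rule sets are meant to round-trip; a comment stating that this branch is diagnostic only, such as `/* not valid syntax; only reached for types this nft does not know */`, would make that intent clear.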
-- 
1.8.1.5

