diff options
| author |   Laura Garcia Liebana <nevola@gmail.com> | 2020-05-31 22:26:23 +0200 |
|---|---|---|
| committer |   Pablo Neira Ayuso <pablo@netfilter.org> | 2020-06-30 18:21:02 +0200 |
| commit | f53b9b0bdc59c0823679f2e3214e0d538f5951b9 (patch) | |
| tree | ec4a73ff313b5481ecb726dcad675f41aab7c766 /net/netfilter | |
| parent | Merge branch 'dpaa2-eth-send-a-scatter-gather-FD-instead-of-realloc-ing' (diff) | |
| download | linux-dev-f53b9b0bdc59c0823679f2e3214e0d538f5951b9.tar.xz linux-dev-f53b9b0bdc59c0823679f2e3214e0d538f5951b9.zip | |
netfilter: introduce support for reject at prerouting stage
REJECT statement can be only used in INPUT, FORWARD and OUTPUT
chains. This patch adds support of REJECT, both icmp and tcp
reset, at PREROUTING stage.
The need for this patch comes from the requirement of some
forwarding devices to reject traffic before the natting and
routing decisions.
The main use case is to be able to send a graceful termination
to legitimate clients that, under any circumstances, the NATed
endpoints are not available. This option allows clients to
decide either to perform a reconnection or manage the error in
their side, instead of just dropping the connection and let
them die due to timeout.
It is supported ipv4, ipv6 and inet families for nft
infrastructure.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nft_reject.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nft_reject.c b/net/netfilter/nft_reject.c index 86eafbb0fdd0..61fb7e8afbf0 100644 --- a/net/netfilter/nft_reject.c +++ b/net/netfilter/nft_reject.c @@ -30,7 +30,8 @@ int nft_reject_validate(const struct nft_ctx *ctx, return nft_chain_validate_hooks(ctx->chain, (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) | - (1 << NF_INET_LOCAL_OUT)); + (1 << NF_INET_LOCAL_OUT) | + (1 << NF_INET_PRE_ROUTING)); } EXPORT_SYMBOL_GPL(nft_reject_validate); |