1d2912cb1SThomas Gleixner // SPDX-License-Identifier: GPL-2.0-only
2cc4723caSPatrick McHardy /*
3cc4723caSPatrick McHardy  * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
4cc4723caSPatrick McHardy  * Copyright (c) 2013 Eric Leblond <eric@regit.org>
5cc4723caSPatrick McHardy  *
6cc4723caSPatrick McHardy  * Development of this code funded by Astaro AG (http://www.astaro.com/)
7cc4723caSPatrick McHardy  */
8cc4723caSPatrick McHardy 
9cc4723caSPatrick McHardy #include <linux/kernel.h>
10cc4723caSPatrick McHardy #include <linux/init.h>
11cc4723caSPatrick McHardy #include <linux/module.h>
12cc4723caSPatrick McHardy #include <linux/netlink.h>
13cc4723caSPatrick McHardy #include <linux/netfilter.h>
14cc4723caSPatrick McHardy #include <linux/netfilter/nf_tables.h>
15cc4723caSPatrick McHardy #include <net/netfilter/nf_tables.h>
16cc4723caSPatrick McHardy #include <net/netfilter/ipv4/nf_reject.h>
17cc4723caSPatrick McHardy #include <net/netfilter/nft_reject.h>
18cc4723caSPatrick McHardy 
/*
 * Evaluate the IPv4 "reject" expression for one packet.
 *
 * @expr: expression instance; its private area holds a struct nft_reject
 * @regs: register set whose verdict is written by this function
 * @pkt:  per-packet info supplying the skb, hook, netns and socket
 *
 * Depending on the configured reject type, an ICMP unreachable or a TCP
 * reset is generated for the offending packet.  A type that matches neither
 * case generates no reply at all.
 */
static void nft_reject_ipv4_eval(const struct nft_expr *expr,
				 struct nft_regs *regs,
				 const struct nft_pktinfo *pkt)
{
	const struct nft_reject *reject = nft_expr_priv(expr);

	/*
	 * NOTE(review): icmp_code is used as stored; any range checking
	 * presumably happens in nft_reject_init(), which is not defined in
	 * this file -- confirm there.
	 */
	if (reject->type == NFT_REJECT_ICMP_UNREACH) {
		nf_send_unreach(pkt->skb, reject->icmp_code, nft_hook(pkt));
	} else if (reject->type == NFT_REJECT_TCP_RST) {
		nf_send_reset(nft_net(pkt), nft_sk(pkt), pkt->skb,
			      nft_hook(pkt));
	}

	/*
	 * The verdict is unconditional: the original packet is dropped
	 * whether or not a reply was generated, so an unrecognised reject
	 * type fails closed (silent drop) rather than letting the packet
	 * continue through the ruleset.
	 */
	regs->verdict.code = NF_DROP;
}
39cc4723caSPatrick McHardy 
/* Defined below; declared here because the ops table points back at it. */
static struct nft_expr_type nft_reject_ipv4_type;

/*
 * Operations for the IPv4 reject expression.  Only .eval is implemented in
 * this file; init, dump and validate are the shared nft_reject helpers.
 */
static const struct nft_expr_ops nft_reject_ipv4_ops = {
	.type		= &nft_reject_ipv4_type,
	/* Private area is exactly one struct nft_reject. */
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_reject)),
	.init		= nft_reject_init,
	/*
	 * NOTE(review): nft_reject_validate is not shown in this file; it
	 * presumably limits the chains/hooks from which a reject may be
	 * issued -- confirm in the shared nft_reject code.
	 */
	.validate	= nft_reject_validate,
	.eval		= nft_reject_ipv4_eval,
	.dump		= nft_reject_dump,
	/* eval writes only regs->verdict, not a data register. */
	.reduce		= NFT_REDUCE_READONLY,
};
50cc4723caSPatrick McHardy 
/*
 * Expression type registered with nf_tables: the "reject" expression for
 * the IPv4 family.  Netlink attributes are bounded by NFTA_REJECT_MAX and
 * checked against the shared nft_reject_policy table.
 */
static struct nft_expr_type nft_reject_ipv4_type __read_mostly = {
	.name		= "reject",
	.family		= NFPROTO_IPV4,
	.owner		= THIS_MODULE,
	.ops		= &nft_reject_ipv4_ops,
	.policy		= nft_reject_policy,
	.maxattr	= NFTA_REJECT_MAX,
};
59cc4723caSPatrick McHardy 
/*
 * Module entry point: register the IPv4 reject expression type.
 * Returns whatever nft_register_expr() returns.
 */
static int __init nft_reject_ipv4_module_init(void)
{
	int err = nft_register_expr(&nft_reject_ipv4_type);

	return err;
}
64cc4723caSPatrick McHardy 
/* Module exit point: unregister the expression type registered at init. */
static void __exit nft_reject_ipv4_module_exit(void)
{
	struct nft_expr_type *type = &nft_reject_ipv4_type;

	nft_unregister_expr(type);
}
69cc4723caSPatrick McHardy 
module_init(nft_reject_ipv4_module_init);
module_exit(nft_reject_ipv4_module_exit);

MODULE_DESCRIPTION("IPv4 packet rejection for nftables");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_LICENSE("GPL");
/*
 * Module alias for the AF_INET "reject" expression.
 * NOTE(review): presumably this lets nf_tables load the module on demand
 * when a ruleset references the expression -- confirm against the macro
 * definition and the site's module-loading policy.
 */
MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "reject");