/*
 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
 * Copyright (c) 2013 Eric Leblond <eric@regit.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Development of this code funded by Astaro AG (http://www.astaro.com/)
 */

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/ipv4/nf_reject.h>
#include <net/netfilter/nft_reject.h>

/*
 * Evaluate the IPv4 "reject" expression for one packet.
 *
 * Depending on the reject type stored in the expression's private data,
 * either an ICMP unreachable (with the configured ICMP code) or a TCP
 * reset is generated for the packet, using the hook number the packet is
 * being processed at. The verdict is then set to NF_DROP unconditionally.
 *
 * Any type other than the two handled here produces no reply at all, but
 * the packet is still dropped, so an unexpected type fails closed.
 *
 * NOTE(review): nothing in this function checks the packet's transport
 * protocol before nf_send_reset() is called, nor the hook the chain is
 * attached to. Presumably the helpers and/or the shared init/validation
 * code take care of that; confirm against nf_reject.h and nft_reject.c.
 */
static void nft_reject_ipv4_eval(const struct nft_expr *expr,
				 struct nft_regs *regs,
				 const struct nft_pktinfo *pkt)
{
	struct nft_reject *reject = nft_expr_priv(expr);

	if (reject->type == NFT_REJECT_ICMP_UNREACH) {
		nf_send_unreach(pkt->skb, reject->icmp_code,
				pkt->ops->hooknum);
	} else if (reject->type == NFT_REJECT_TCP_RST) {
		nf_send_reset(pkt->skb, pkt->ops->hooknum);
	}
	/* Other types: no reply is sent, the packet is silently dropped. */

	/* The rejected packet itself never continues through the ruleset. */
	regs->verdict.code = NF_DROP;
}

/* Forward declaration: the ops table and the type point at each other. */
static struct nft_expr_type nft_reject_ipv4_type;

/*
 * Expression operations for IPv4 reject. Only the eval callback is local
 * to this file; init and dump are the nft_reject_init/nft_reject_dump
 * helpers (presumably declared in <net/netfilter/nft_reject.h>).
 *
 * NOTE(review): this table sets no hook-validation callback of its own,
 * so whether reject is limited to particular hooks is not visible here.
 */
static const struct nft_expr_ops nft_reject_ipv4_ops = {
	.type		= &nft_reject_ipv4_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_reject)),
	.eval		= nft_reject_ipv4_eval,
	.init		= nft_reject_init,
	.dump		= nft_reject_dump,
};

/*
 * Expression type registered with nf_tables: the "reject" expression for
 * the NFPROTO_IPV4 family. Netlink attributes are bounded by
 * NFTA_REJECT_MAX and described by nft_reject_policy.
 */
static struct nft_expr_type nft_reject_ipv4_type __read_mostly = {
	.family		= NFPROTO_IPV4,
	.name		= "reject",
	.ops		= &nft_reject_ipv4_ops,
	.policy		= nft_reject_policy,
	.maxattr	= NFTA_REJECT_MAX,
	.owner		= THIS_MODULE,
};

/* Module load: register the expression type; returns the register result. */
static int __init nft_reject_ipv4_module_init(void)
{
	return nft_register_expr(&nft_reject_ipv4_type);
}

/* Module unload: remove the expression type registered at init time. */
static void __exit nft_reject_ipv4_module_exit(void)
{
	nft_unregister_expr(&nft_reject_ipv4_type);
}

module_init(nft_reject_ipv4_module_init);
module_exit(nft_reject_ipv4_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "reject");