Message ID | alpine.LNX.2.20.2103071733480.15162@fanir.tuyoix.net |
---|---|
State | Not Applicable |
Delegated to: | Pablo Neira |
Series | [PATCH nf] x_tables: Allow REJECT targets in PREROUTING chains |
On Sun, Mar 07, 2021 at 06:16:10PM -0700, Marc Aurèle La France wrote: > Extend commit f53b9b0bdc59c0823679f2e3214e0d538f5951b9 "netfilter: > introduce support for reject at prerouting stage", which appeared in > 5.9, by making the corresponding changes to x_tables REJECT targets. > > Please Reply-To-All. This patch LGTM. > Thanks. > > Marc. > > Signed-off-by: Marc Aurèle La France <tsi@tuyoix.net> > Tested-by: Marc Aurèle La France <tsi@tuyoix.net> > > --- a/net/ipv4/netfilter/ipt_REJECT.c > +++ b/net/ipv4/netfilter/ipt_REJECT.c > @@ -92,7 +92,7 @@ static struct xt_target reject_tg_reg __read_mostly = { > .targetsize = sizeof(struct ipt_reject_info), > .table = "filter", > .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) | > - (1 << NF_INET_LOCAL_OUT), > + (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_PRE_ROUTING), > .checkentry = reject_tg_check, > .me = THIS_MODULE, > }; > --- a/net/ipv6/netfilter/ip6t_REJECT.c > +++ b/net/ipv6/netfilter/ip6t_REJECT.c > @@ -102,7 +102,7 @@ static struct xt_target reject_tg6_reg __read_mostly = { > .targetsize = sizeof(struct ip6t_reject_info), > .table = "filter", > .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) | > - (1 << NF_INET_LOCAL_OUT), > + (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_PRE_ROUTING), > .checkentry = reject_tg6_check, > .me = THIS_MODULE > };
On Mon, 8 Mar 2021, Pablo Neira Ayuso wrote:
> On Sun, Mar 07, 2021 at 06:16:10PM -0700, Marc Aurèle La France wrote:
>> Extend commit f53b9b0bdc59c0823679f2e3214e0d538f5951b9 "netfilter:
>> introduce support for reject at prerouting stage", which appeared in
>> 5.9, by making the corresponding changes to x_tables REJECT targets.

>> Please Reply-To-All.

> This patch LGTM.

... except that I have since realised it relies on another change I'm carrying that allows REJECT targets in all tables, not just filter, something I doubt you are open to.

Withdrawn.

Thanks for your time.

Marc.
--- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c @@ -92,7 +92,7 @@ static struct xt_target reject_tg_reg __read_mostly = { .targetsize = sizeof(struct ipt_reject_info), .table = "filter", .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) | - (1 << NF_INET_LOCAL_OUT), + (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_PRE_ROUTING), .checkentry = reject_tg_check, .me = THIS_MODULE, }; --- a/net/ipv6/netfilter/ip6t_REJECT.c +++ b/net/ipv6/netfilter/ip6t_REJECT.c @@ -102,7 +102,7 @@ static struct xt_target reject_tg6_reg __read_mostly = { .targetsize = sizeof(struct ip6t_reject_info), .table = "filter", .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) | - (1 << NF_INET_LOCAL_OUT), + (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_PRE_ROUTING), .checkentry = reject_tg6_check, .me = THIS_MODULE };
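Review bot: `.table = "filter"` in the ipt_REJECT.c hunk conflicts with the added `(1 << NF_INET_PRE_ROUTING)` bit in `.hooks` for reject_tg_reg. The iptables filter table has no PREROUTING chain, so with the table restriction left in place the new hook bit cannot be reached by any rule, which matches the author's follow-up that the patch depends on a separate change allowing REJECT outside the filter table. Either post that change in the same series with its justification, or state the dependency in the changelog so the mask and the table restriction are reviewed together.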
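Review bot: the changelog does not say how the ip6t_REJECT.c change to reject_tg6_reg was exercised, and since `.table = "filter"` is untouched in this hunk as well, the Tested-by cannot be reproduced on a stock tree. Please add a line describing the table and chain the IPv6 PREROUTING rule was loaded into and which additional patches the test kernel carried.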