netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Laura Garcia Liebana <nevola@gmail.com>
Cc: netfilter-devel@vger.kernel.org, devel@zevenet.com
Subject: Re: [PATCH nf-next 2/2] netfilter: nft: add support of reject verdict from ingress
Date: Tue, 9 Jun 2020 17:35:41 +0200
Message-ID: <20200609153541.GA25538@salvia>
In-Reply-To: <20200608190103.GA23207@nevthink>

Hi Laura,

On Mon, Jun 08, 2020 at 09:01:03PM +0200, Laura Garcia Liebana wrote:
> diff --git a/net/netfilter/nft_reject_netdev.c b/net/netfilter/nft_reject_netdev.c
> new file mode 100644
> index 000000000000..64123d80210d
> --- /dev/null
> +++ b/net/netfilter/nft_reject_netdev.c
[...]
> +static void nft_reject_netdev_eval(const struct nft_expr *expr,
> +				   struct nft_regs *regs,
> +				   const struct nft_pktinfo *pkt)
> +{
> +	switch (ntohs(pkt->skb->protocol)) {
> +	case ETH_P_IP:
> +		nft_reject_ipv4_eval(expr, regs, pkt);
> +		break;
> +	case ETH_P_IPV6:
> +		nft_reject_ipv6_eval(expr, regs, pkt);
> +		break;
> +	}
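Review bot: the switch in nft_reject_netdev_eval has no default case, and in the visible lines nothing after it touches regs->verdict.code, so if the function body ends right there a frame whose skb->protocol is neither ETH_P_IP nor ETH_P_IPV6 (ARP, 802.1Q-tagged traffic, and so on) that matches a reject rule leaves the verdict untouched and continues through the chain instead of being dropped. The bridge reject covers this with a default branch and an unconditional `regs->verdict.code = NF_DROP;` after the switch; suggest adding `default: break;` and the same NF_DROP assignment after the switch here, so that "cannot build a reject packet for this protocol" always degrades to a drop rather than an accept-by-omission.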

We should reuse nft_reject_br_send_v4_tcp_reset() and
nft_reject_br_send_v4_unreach() and call dev_queue_xmit() to send the
reject packet.

No need to inject this from LOCAL_OUT, given this packet is being
rejected from the ingress path.

The reject action for netdev is more similar to the one that bridge
supports than what we have for inet actually.

You can probably move the bridge functions to
net/netfilter/nf_reject.c so this code can be shared between bridge
reject and netdev.

I like your code refactoring in patch 1 though.
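The L2-style reject Pablo describes above (build the reply frame directly from the ingress frame and hand it to dev_queue_xmit(), no route lookup and no LOCAL_OUT injection), modelled in user space as an added example. This is not code from the patch under review or from the kernel tree; it follows the rules of the kernel's TCP reset helpers as I know them (refuse non-IPv4, non-TCP, later fragments, segments that are already RST or fail the TCP checksum; seq/ack chosen per RFC 793), while the byte-level frame layout, the sample SYN, the TTL of 64 and the function names are constructed or assumed for this example. A 0 return means "no reject packet can be built for this frame"; turning that into a plain drop is the caller's job, exactly the case the netdev eval function has to get right.

```c
/* Added example, not part of the patch or the kernel: user-space model of a
 * bridge/netdev-style TCP reset. The reply is a complete Ethernet frame with
 * MACs, IPs and ports swapped, ready to be queued on the ingress device. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HLEN    14
#define ETH_P_IP    0x0800
#define IPPROTO_TCP 6
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10

/* Internet checksum helpers: 16-bit big-endian words, ones' complement sum. */
static uint32_t csum_partial(const uint8_t *p, size_t len, uint32_t sum)
{
    while (len > 1) { sum += (uint32_t)(p[0] << 8 | p[1]); p += 2; len -= 2; }
    if (len) sum += (uint32_t)(p[0] << 8);
    return sum;
}
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* 1 when the TCP checksum of the IPv4 packet at ip verifies (folds to zero). */
static int tcp_csum_ok(const uint8_t *ip)
{
    size_t ihl = (ip[0] & 0x0f) * 4, tlen = get16(ip + 2) - ihl;
    uint32_t sum = csum_partial(ip + 12, 8, 0) + IPPROTO_TCP + (uint32_t)tlen;
    return csum_fold(csum_partial(ip + ihl, tlen, sum)) == 0;
}

/* Build the RST reply for an ingress Ethernet/IPv4/TCP frame into out.
 * Returns the reply length (ETH_HLEN + 20 + 20) or 0 when no reset can be
 * sent for this frame; the caller must drop the frame in that case. */
int build_tcp_reset(const uint8_t *in, size_t inlen, uint8_t *out)
{
    if (inlen < ETH_HLEN + 20 || get16(in + 12) != ETH_P_IP) return 0;   /* not IPv4 at L2 */
    const uint8_t *ip = in + ETH_HLEN;
    size_t ihl = (ip[0] & 0x0f) * 4, iplen = get16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || iplen < ihl + 20 || iplen > inlen - ETH_HLEN) return 0;
    if (ip[9] != IPPROTO_TCP || (get16(ip + 6) & 0x1fff)) return 0;      /* not TCP, or a later fragment */
    const uint8_t *tcp = ip + ihl;
    size_t doff = (tcp[12] >> 4) * 4;
    uint8_t flags = tcp[13];
    if (doff < 20 || iplen < ihl + doff || (flags & TCP_RST) || !tcp_csum_ok(ip)) return 0;
    size_t payload = iplen - ihl - doff;

    /* Ethernet: reflect to the sender out of the device the frame came in on. */
    memcpy(out, in + 6, 6);            /* dst <- incoming src */
    memcpy(out + 6, in, 6);            /* src <- incoming dst */
    put16(out + 12, ETH_P_IP);

    /* IPv4 header without options, addresses swapped. */
    uint8_t *rip = out + ETH_HLEN;
    memset(rip, 0, 40);
    rip[0] = 0x45;
    put16(rip + 2, 40);
    put16(rip + 6, 0x4000);            /* DF */
    rip[8] = 64;                       /* TTL: assumed value for the example */
    rip[9] = IPPROTO_TCP;
    memcpy(rip + 12, ip + 16, 4);      /* saddr <- incoming daddr */
    memcpy(rip + 16, ip + 12, 4);      /* daddr <- incoming saddr */
    put16(rip + 10, csum_fold(csum_partial(rip, 20, 0)));

    /* TCP header: ports swapped, RST per RFC 793 depending on the incoming ACK bit. */
    uint8_t *rtcp = rip + 20;
    memcpy(rtcp, tcp + 2, 2);
    memcpy(rtcp + 2, tcp, 2);
    rtcp[12] = 5 << 4;                 /* data offset: 20 bytes */
    if (flags & TCP_ACK) {
        put32(rtcp + 4, get32(tcp + 8));   /* seq <- their ack, no ACK flag */
        rtcp[13] = TCP_RST;
    } else {
        put32(rtcp + 4, 0);                /* seq 0, ACK everything they sent */
        put32(rtcp + 8, get32(tcp + 4) + (uint32_t)payload
                        + ((flags & TCP_SYN) ? 1 : 0) + ((flags & TCP_FIN) ? 1 : 0));
        rtcp[13] = TCP_RST | TCP_ACK;
    }
    uint32_t sum = csum_partial(rip + 12, 8, 0) + IPPROTO_TCP + 20;  /* pseudo-header */
    put16(rtcp + 16, csum_fold(csum_partial(rtcp, 20, sum)));
    return ETH_HLEN + 40;
}

/* Constructed sample input: TCP SYN 10.0.0.1:40000 -> 10.0.0.2:22, seq 0x1000,
 * from MAC 02:00:00:00:00:01 to 02:00:00:00:00:02. Checksums filled in below. */
size_t make_sample_syn(uint8_t *f)
{
    static const uint8_t hdr[] = {
        0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00,                 /* Ethernet */
        0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,   /* IPv4 */
        10,0,0,1, 10,0,0,2,
        0x9c,0x40, 0x00,0x16, 0x00,0x00,0x10,0x00, 0,0,0,0,              /* TCP */
        0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00 };
    memcpy(f, hdr, sizeof hdr);
    uint8_t *ip = f + ETH_HLEN;
    put16(ip + 10, csum_fold(csum_partial(ip, 20, 0)));
    uint32_t sum = csum_partial(ip + 12, 8, 0) + IPPROTO_TCP + 20;
    put16(ip + 20 + 16, csum_fold(csum_partial(ip + 20, 20, sum)));
    return sizeof hdr;
}
```

The two things this makes visible that the inet reject path hides are that the reply needs a filled-in Ethernet header (so it can go straight to dev_queue_xmit() on the ingress device) and that every frame the builder refuses has to be dropped explicitly by the eval function, which is where a missing default branch would otherwise let the packet through.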


Thread overview: 3+ messages
2020-06-08 19:01 [PATCH nf-next 2/2] netfilter: nft: add support of reject verdict from ingress Laura Garcia Liebana
2020-06-09 15:35 ` Pablo Neira Ayuso [this message]
2020-06-12  8:34   ` Laura García Liébana
