[NETFILTER]: Make REJECT target compliant with RFC 1812.

Add support for iptables --reject-with-admin-prohib option
of the REJECT target, making it compliant with RFC 1812.

diff --git a/include/linux/netfilter_ipv4/ipt_REJECT.h b/include/linux/netfilter_ipv4/ipt_REJECT.h
index ad195e435ba9a69f0204ded507dc5ed4f77dafba..4293a1ad1b016046ef55ce89576680b6d2d2b158 100644 (file)
--- a/include/linux/netfilter_ipv4/ipt_REJECT.h
+++ b/include/linux/netfilter_ipv4/ipt_REJECT.h
@@ -9,7 +9,8 @@ enum ipt_reject_with {
        IPT_ICMP_ECHOREPLY,
        IPT_ICMP_NET_PROHIBITED,
        IPT_ICMP_HOST_PROHIBITED,
-       IPT_TCP_RESET
+       IPT_TCP_RESET,
+       IPT_ICMP_ADMIN_PROHIBITED
 };
 
 struct ipt_reject_info {

diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 72aacefc01d4d10c4240d0ddb738fa67c15a73f7..c1147531acd2eb0be2bb8d09e970b318478e0e59 100644 (file)
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -1,6 +1,7 @@
 /*
  * This is a module which is used for rejecting packets.
  * Added support for customized reject packets (Jozsef Kadlecsik).
+ * Added support for ICMP type-3-code-13 (Maciej Soltysiak). [RFC 1812]
  */
 #include <linux/config.h>
 #include <linux/module.h>
@@ -387,6 +388,9 @@ static unsigned int reject(struct sk_buff **pskb,
        case IPT_ICMP_HOST_PROHIBITED:
                send_unreach(*pskb, ICMP_HOST_ANO);
                break;
+       case IPT_ICMP_ADMIN_PROHIBITED:
+               send_unreach(*pskb, ICMP_PKT_FILTERED);
+               break;
        case IPT_TCP_RESET:
                send_reset(*pskb, hooknum == NF_IP_LOCAL_IN);
        case IPT_ICMP_ECHOREPLY: