From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 26 Sep 2014 12:35:14 +0000 (+0200)
Subject: netfilter: nft_reject: introduce icmp code abstraction for inet and bridge
X-Git-Tag: fixes-against-v3.18-rc2~144^2~40^2~8
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51b0a5d8c21a91801bbef9bcc8639dc0b206c6cd;p=pandora-kernel.git

netfilter: nft_reject: introduce icmp code abstraction for inet and bridge

This patch introduces the NFT_REJECT_ICMPX_UNREACH type which provides
an abstraction to the ICMP and ICMPv6 codes that you can use from the
inet and bridge tables, they are:

* NFT_REJECT_ICMPX_NO_ROUTE: no route to host - network unreachable
* NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
* NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
* NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratevely prohibited

You can still use the specific codes when restricting the rule to match
the corresponding layer 3 protocol.

I decided to not overload the existing NFT_REJECT_ICMP_UNREACH to have
different semantics depending on the table family and to allow the user
to specify ICMP family specific codes if they restrict it to the
corresponding family.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

Reading git-diff-tree failed