Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / iptables / 5a52c517ebb2c7421f57b0f00f2de6697cdd7a9c^! / .
commit5a52c517ebb2c7421f57b0f00f2de6697cdd7a9c[log] [tgz]
authorHarald Welte <laforge@gnumonks.org>Sat May 24 11:44:18 2003 +0000
committerHarald Welte <laforge@gnumonks.org>Sat May 24 11:44:18 2003 +0000
tree8509d79b3c4781322acf5dee727d5a0d5af5cdc9
parent690a395725367c814ec20b5508a98eef9bea5bac [diff]
finally commit the overly delayed RFC1812 admin prohibited option

diff --git a/INCOMPATIBILITIES b/INCOMPATIBILITIES
new file mode 100644
index 0000000..fd695e1
--- /dev/null
+++ b/INCOMPATIBILITIES

@@ -0,0 +1,6 @@
+INCOMPATIBILITIES:
+
+- The REJECT target has an '--reject-with admin-prohib' option which used
+  with kernels that do not support it, will result in a plain DROP instead
+  of REJECT.  Use with caution.
+  Kernels that do support it:

diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
index ba63a0a..8170edd 100644
--- a/extensions/libipt_REJECT.c
+++ b/extensions/libipt_REJECT.c

@@ -9,6 +9,16 @@
 #include <iptables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
+#include <linux/version.h>
+
+/* If we are compiling against a kernel that does not support
+ * IPT_ICMP_ADMIN_PROHIBITED, we are emulating it.
+ * The result will be a plain DROP of the packet instead of
+ * reject. -- Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ */
+#ifndef IPT_ICMP_ADMIN_PROHIBITED
+#define IPT_ICMP_ADMIN_PROHIBITED	IPT_TCP_RESET + 1
+#endif
 
 struct reject_names {
 	const char *name;
@@ -35,7 +45,9 @@
 	{"icmp-host-prohibited", "host-prohib",
 	 IPT_ICMP_HOST_PROHIBITED, "ICMP host prohibited"},
 	{"tcp-reset", "tcp-reset",
-	 IPT_TCP_RESET, "TCP RST packet"}
+	 IPT_TCP_RESET, "TCP RST packet"},
+	{"icmp-admin-prohibited", "admin-prohib",
+	 IPT_ICMP_ADMIN_PROHIBITED, "ICMP administratively prohibited (*)"}
 };
 
 static void
@@ -64,6 +76,8 @@
 "                                a reply packet according to type:\n");
 
 	print_reject_types();
+
+	printf("(*) See man page or read the INCOMPATIBILITES file for compatibility issues.\n");
 }
 
 static struct option opts[] = {

diff --git a/iptables.8 b/iptables.8
index bd58e09..f73ff46 100644
--- a/iptables.8
+++ b/iptables.8

@@ -864,8 +864,9 @@
 .BR icmp-host-unreachable ,
 .BR icmp-port-unreachable ,
 .BR icmp-proto-unreachable ,
-.BR "icmp-net-prohibited or"
-.BR icmp-host-prohibited ,
+.BR icmp-net-prohibited ,
+.BR "icmp-host-prohibited or"
+.BR "icmp-admin-prohibited (*)"
 which return the appropriate ICMP error message (\fBport-unreachable\fP is
 the default).  The option
 .B tcp-reset
@@ -874,6 +875,8 @@
 .I ident
 (113/tcp) probes which frequently occur when sending mail to broken mail
 hosts (which won't accept your mail otherwise).
+.TP
+(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
 .SS SNAT
 This target is only valid in the
 .B nat