git.osdn.net Git - tomoyo/tomoyo-test1.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Sat, 31 Oct 2020 10:24:08 +0000 (11:24 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sun, 1 Nov 2020 11:52:17 +0000 (12:52 +0100)
commit	117ca1f8920cf4087bf82f44bd2a51b49d6aae63
tree	1b66dfb688a7aa52f5a53615526074515ce1a66b	tree \| snapshot
parent	35b7ee34abdb722192635528f162ddd8cac25765	commit \| diff

netfilter: nft_reject_inet: allow to use reject from inet ingress

Enhance validation to support for reject from inet ingress chains.

Note that, reject from inet ingress and netdev ingress differ.

Reject packets from inet ingress are sent through ip_local_out() since
inet reject emulates the IP layer receive path. So the reject packet
follows to classic IP output and postrouting paths.

The reject action from netdev ingress assumes the packet not yet entered
the IP layer, so the reject packet is sent through dev_queue_xmit().
Therefore, reject packets from netdev ingress do not follow the classic
IP output and postrouting paths.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/ipv4/netfilter/nf_reject_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/nf_reject_ipv6.c		diff \| blob \| history
net/netfilter/nft_reject_inet.c		diff \| blob \| history