diff options
author | Jose M. Guisado Gomez <guigom@riseup.net> | 2020-10-22 22:43:53 +0300 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-10-31 12:41:00 +0300 |
commit | 6bbb9ad36c93d3a422de862b78bd5330b44b3fa4 (patch) | |
tree | 59faa76de1a76f952377de267fda8acf63eee50a /net/netfilter/Kconfig | |
parent | 312ca575a50543a886a5dfa2af1e72aa6a5b601e (diff) | |
download | linux-6bbb9ad36c93d3a422de862b78bd5330b44b3fa4.tar.xz |
netfilter: nft_reject: add reject verdict support for netdev
Adds support for reject from ingress hook in netdev family.
Both stacks ipv4 and ipv6. With reject packets supporting ICMP
and TCP RST.
This ability is required in devices that need to REJECT legitimate
clients which traffic is forwarded from the ingress hook.
Joint work with Laura Garcia.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/Kconfig')
-rw-r--r-- | net/netfilter/Kconfig | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 52370211e46b..49fbef0d99be 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -682,6 +682,16 @@ config NFT_FIB_NETDEV The lookup will be delegated to the IPv4 or IPv6 FIB depending on the protocol of the packet. +config NFT_REJECT_NETDEV + depends on NFT_REJECT_IPV4 + depends on NFT_REJECT_IPV6 + tristate "Netfilter nf_tables netdev REJECT support" + help + This option enables the REJECT support from the netdev table. + The return packet generation will be delegated to the IPv4 + or IPv6 ICMP or TCP RST implementation depending on the + protocol of the packet. + endif # NF_TABLES_NETDEV endif # NF_TABLES |