netfilter: nft_reject: add reject verdict support for netdev

Adds support for reject from ingress hook in netdev family. Both stacks ipv4 and ipv6. With reject packets supporting ICMP and TCP RST. This ability is required in devices that need to REJECT legitimate clients which traffic is forwarded from the ingress hook. Joint work with Laura Garcia. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Jose M. Guisado Gomez <guigom@riseup.net> 2020-10-22 21:43:53 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2020-10-31 10:41:00 +0100
commit: 6bbb9ad36c93d3a422de862b78bd5330b44b3fa4 (patch)
tree: 59faa76de1a76f952377de267fda8acf63eee50a /net/netfilter/Kconfig
parent: 312ca575a50543a886a5dfa2af1e72aa6a5b601e (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 52370211e46b..49fbef0d99be 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -682,6 +682,16 @@ config NFT_FIB_NETDEV
 	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
 	  on the protocol of the packet.
 
+config NFT_REJECT_NETDEV
+	depends on NFT_REJECT_IPV4
+	depends on NFT_REJECT_IPV6
+	tristate "Netfilter nf_tables netdev REJECT support"
+	help
+	  This option enables the REJECT support from the netdev table.
+	  The return packet generation will be delegated to the IPv4
+	  or IPv6 ICMP or TCP RST implementation depending on the
+	  protocol of the packet.
+
 endif # NF_TABLES_NETDEV
 
 endif # NF_TABLES
author	Jose M. Guisado Gomez <guigom@riseup.net>	2020-10-22 21:43:53 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2020-10-31 10:41:00 +0100
commit	6bbb9ad36c93d3a422de862b78bd5330b44b3fa4 (patch)
tree	59faa76de1a76f952377de267fda8acf63eee50a /net/netfilter/Kconfig
parent	312ca575a50543a886a5dfa2af1e72aa6a5b601e (diff)