use super::{DeserializationError, Expression, Rule};
use crate::ProtoFamily;
use crate::sys::{self, libc::{self, c_char}};

/// A reject expression that defines the type of rejection message sent when discarding a packet.
///
/// The variant selects the value written to `NFTNL_EXPR_REJECT_TYPE`; the payload of `Icmp`
/// (or `0` for `TcpRst`) is written to `NFTNL_EXPR_REJECT_CODE` by `to_expr`.
#[derive(Debug, Clone, Copy, Eq, PartialEq, Hash)]
pub enum Reject {
    /// Returns an ICMP unreachable packet.
    ///
    /// Which raw reject type is used depends on the protocol family of the table the rule
    /// belongs to (see `to_raw`).
    Icmp(IcmpCode),
    /// Rejects by sending a TCP RST packet.
    TcpRst,
}

impl Reject {
    /// Returns the `NFT_REJECT_*` type value for this reject kind in a table of `family`.
    ///
    /// * `TcpRst` yields `NFT_REJECT_TCP_RST` regardless of family.
    /// * `Icmp` yields `NFT_REJECT_ICMPX_UNREACH` for the `Bridge` and `Inet` families and
    ///   `NFT_REJECT_ICMP_UNREACH` for every other family.
    ///
    /// NOTE(review): in the `NFT_REJECT_ICMP_UNREACH` case `to_expr` still stores the
    /// `IcmpCode` discriminant, which is defined from the `NFT_REJECT_ICMPX_*` constants.
    /// With that type the kernel is expected to read the code as a family-specific
    /// ICMP/ICMPv6 code rather than an ICMPX one, so the reply a peer receives may not be
    /// the one the variant names. Confirm against the kernel's reject handling before
    /// relying on a specific code in single-family tables.
    fn to_raw(&self, family: ProtoFamily) -> u32 {
        let raw_type = match *self {
            Self::TcpRst => libc::NFT_REJECT_TCP_RST,
            Self::Icmp(_) => {
                // Only the dual-stack / bridge families use the family-independent
                // ICMPX reject type.
                if matches!(family, ProtoFamily::Bridge | ProtoFamily::Inet) {
                    libc::NFT_REJECT_ICMPX_UNREACH
                } else {
                    libc::NFT_REJECT_ICMP_UNREACH
                }
            }
        };
        raw_type as u32
    }
}

impl Expression for Reject {
    /// Returns the NUL-terminated expression name `"reject"` as a C string pointer.
    ///
    /// The pointer refers to a static byte string literal.
    fn get_raw_name() -> *const libc::c_char {
        b"reject\0".as_ptr() as *const c_char
    }

    /// Rebuilds a `Reject` from a raw `nftnl_expr`.
    ///
    /// Reads `NFTNL_EXPR_REJECT_TYPE`; if it equals `NFT_REJECT_TCP_RST` the result is
    /// `TcpRst`. Every other type value is treated as an ICMP reject and
    /// `NFTNL_EXPR_REJECT_CODE` is decoded with `IcmpCode::from_raw`.
    ///
    /// # Errors
    ///
    /// Propagates the error from `IcmpCode::from_raw` when the stored code is not one of
    /// the known `NFT_REJECT_ICMPX_*` values.
    ///
    /// NOTE(review): the type is not checked beyond the TCP RST comparison, so an
    /// expression of type `NFT_REJECT_ICMP_UNREACH` has its code decoded with the ICMPX
    /// table as well. For rules not written by this crate that may produce
    /// `InvalidValue` or a variant that does not describe the packet actually sent;
    /// verify before using the result to audit an existing ruleset.
    fn from_expr(expr: *const sys::nftnl_expr) -> Result<Self, DeserializationError>
    where
        Self: Sized,
    {
        // SAFETY: nothing in this function validates `expr`; it relies on the caller
        // passing a non-null pointer to a live `nftnl_expr` for the duration of the call.
        let reject_type =
            unsafe { sys::nftnl_expr_get_u32(expr, sys::NFTNL_EXPR_REJECT_TYPE as u16) };

        if reject_type == libc::NFT_REJECT_TCP_RST as u32 {
            return Ok(Self::TcpRst);
        }

        // SAFETY: same requirement on `expr` as for the read above.
        let raw_code =
            unsafe { sys::nftnl_expr_get_u8(expr, sys::NFTNL_EXPR_REJECT_CODE as u16) };
        let code = IcmpCode::from_raw(raw_code)?;
        Ok(Self::Icmp(code))
    }

    /// Allocates a `reject` expression and fills in its type and code for `rule`.
    ///
    /// The type comes from `to_raw` using the family of the table that owns `rule`'s
    /// chain. The code is the `IcmpCode` discriminant for `Icmp` and `0` for `TcpRst`.
    /// The returned pointer is the freshly allocated expression; this function does not
    /// free it.
    fn to_expr(&self, rule: &Rule) -> *mut sys::nftnl_expr {
        let raw_type = self.to_raw(rule.get_chain().get_table().get_family());
        let raw_code = match *self {
            Self::TcpRst => 0,
            Self::Icmp(code) => code as u8,
        };

        // SAFETY: `get_raw_name` returns a NUL-terminated static string, and the setters
        // are only called on the pointer that `try_alloc!` let through.
        // NOTE(review): presumably `try_alloc!` does not return on a null allocation —
        // confirm against the macro definition.
        unsafe {
            let expr = try_alloc!(sys::nftnl_expr_alloc(Self::get_raw_name()));
            sys::nftnl_expr_set_u32(expr, sys::NFTNL_EXPR_REJECT_TYPE as u16, raw_type);
            sys::nftnl_expr_set_u8(expr, sys::NFTNL_EXPR_REJECT_CODE as u16, raw_code);
            expr
        }
    }
}

/// An ICMP reject code.
///
/// Each discriminant is the matching `NFT_REJECT_ICMPX_*` constant narrowed to `u8`;
/// `Reject::to_expr` writes it to `NFTNL_EXPR_REJECT_CODE` with an `as u8` cast.
#[derive(Debug, Clone, Copy, Eq, PartialEq, Hash)]
// Fixed one-byte representation so the `as u8` cast in `Reject::to_expr` yields the
// constant value directly.
#[repr(u8)]
pub enum IcmpCode {
    /// `NFT_REJECT_ICMPX_NO_ROUTE`.
    NoRoute = libc::NFT_REJECT_ICMPX_NO_ROUTE as u8,
    /// `NFT_REJECT_ICMPX_PORT_UNREACH`.
    PortUnreach = libc::NFT_REJECT_ICMPX_PORT_UNREACH as u8,
    /// `NFT_REJECT_ICMPX_HOST_UNREACH`.
    HostUnreach = libc::NFT_REJECT_ICMPX_HOST_UNREACH as u8,
    /// `NFT_REJECT_ICMPX_ADMIN_PROHIBITED`.
    AdminProhibited = libc::NFT_REJECT_ICMPX_ADMIN_PROHIBITED as u8,
}

impl IcmpCode {
    /// Converts a raw reject code into the matching `IcmpCode` variant.
    ///
    /// The byte is widened to `i32` and compared against the four
    /// `NFT_REJECT_ICMPX_*` constants.
    ///
    /// # Errors
    ///
    /// Returns `DeserializationError::InvalidValue` when `code` matches none of them,
    /// so unknown values are rejected rather than mapped to a default variant.
    fn from_raw(code: u8) -> Result<Self, DeserializationError> {
        let wide = i32::from(code);
        let known = [
            (libc::NFT_REJECT_ICMPX_NO_ROUTE, Self::NoRoute),
            (libc::NFT_REJECT_ICMPX_PORT_UNREACH, Self::PortUnreach),
            (libc::NFT_REJECT_ICMPX_HOST_UNREACH, Self::HostUnreach),
            (libc::NFT_REJECT_ICMPX_ADMIN_PROHIBITED, Self::AdminProhibited),
        ];

        known
            .iter()
            .find(|(raw, _)| *raw == wide)
            .map(|&(_, variant)| variant)
            .ok_or(DeserializationError::InvalidValue)
    }
}