From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Michael Braun <michael-dev@fami-braun.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge
Date: Wed, 27 May 2020 23:39:37 +0200
Message-ID: <20200527213937.GA2714@salvia>
In-Reply-To: <cover.1588758255.git.michael-dev@fami-braun.de>
On Wed, May 06, 2020 at 11:46:22AM +0200, Michael Braun wrote:
> Hi,
>
> I have a bridge which connects a gretap tunnel with some ethernet LAN.
> On the gretap device I use ignore-df to avoid packets being lost without
> icmp reject to the sender of the bridged packet.
>
> Still I want to avoid packet fragmentation with the gretap packets.
> So I thought about adding an nftables rule like this:
>
> nft insert rule bridge filter FORWARD \
> ip protocol tcp \
> ip length > 1400 \
> ip frag-off & 0x4000 != 0 \
> reject with icmp type frag-needed
>
> This would reject all tcp packets with ip dont-fragment bit set that are
> bigger than some threshold (here 1400 bytes). The sender would then receive
> ICMP unreachable - fragmentation needed and reduce its packet size (as
> defined with PMTU).
Patches 1 and 2 are applied, thanks.
Patch 3 has been merged upstream as a bugfix since VLAN should be
preserved in any reject case.
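The rule quoted above matches on three IPv4 header fields: `ip protocol` (the protocol byte), `ip length` (the 16-bit total-length field) and `ip frag-off` (the 16-bit flags-plus-fragment-offset field, where bit 0x4000 is DF). The following Python is an added example, not code from the patch series or from either poster, that parses those fields from a raw IPv4 packet, applies the same match, and builds the ICMP "destination unreachable / fragmentation needed" message (type 3, code 4, RFC 1191 next-hop MTU field) that a `reject with icmp type frag-needed` verdict sends back. The packets are constructed inline; the advertised MTU of 1400 is an assumption for illustration, since the kernel chooses the value it puts in that field.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IP_DF = 0x4000            # "don't fragment" bit inside the frag-off field (nft: ip frag-off & 0x4000)
THRESHOLD = 1400          # length threshold from the rule quoted on this page
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4      # code 4: fragmentation needed and DF set


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return the header fields the nft rule reads; raises on non-IPv4 or truncated input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,  # header length in bytes
        "length": total_len,          # nft "ip length"
        "frag_off": flags_frag,       # nft "ip frag-off": 3 flag bits + 13-bit offset
        "protocol": proto,            # nft "ip protocol"
        "src": src,
        "dst": dst,
    }


def rule_matches(pkt: bytes, threshold: int = THRESHOLD) -> bool:
    """Same predicate as: ip protocol tcp, ip length > threshold, ip frag-off & 0x4000 != 0."""
    h = parse_ipv4_header(pkt)
    return (h["protocol"] == IPPROTO_TCP
            and h["length"] > threshold
            and (h["frag_off"] & IP_DF) != 0)


def build_frag_needed(original: bytes, mtu: int) -> bytes:
    """ICMP payload for 'fragmentation needed': type, code, checksum, unused, next-hop MTU,
    followed by the offending packet's IP header plus its first 8 bytes of payload."""
    h = parse_ipv4_header(original)
    quoted = original[: h["ihl"] + 8]
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def reject_decision(pkt: bytes, mtu: int = THRESHOLD):
    """Return the ICMP reject to send, or None if the packet passes the rule unmatched."""
    return build_frag_needed(pkt, mtu) if rule_matches(pkt) else None


def make_test_packet(total_len: int, proto: int = IPPROTO_TCP, df: bool = True) -> bytes:
    """Constructed sample: IPv4 header + minimal TCP/UDP-sized header, zero-padded to total_len."""
    flags_frag = IP_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    # minimal 20-byte TCP header (src port, dst port, seq, ack, offset, flags, window, csum, urg)
    l4 = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return (hdr + l4).ljust(total_len, b"\x00")


if __name__ == "__main__":
    big_df = make_test_packet(1500)
    icmp = reject_decision(big_df)
    print("large DF TCP packet rejected:", icmp is not None, "advertised MTU:",
          struct.unpack("!H", icmp[6:8])[0])
    print("same size without DF rejected:", reject_decision(make_test_packet(1500, df=False)) is not None)
    print("exactly threshold rejected:", reject_decision(make_test_packet(1400)) is not None)
```

The length comparison is strict (`>`), so a 1400-byte packet passes while a 1401-byte one is rejected, matching nft semantics; and because the match is on the IP total-length field rather than the frame size, any 802.1Q tag on the bridged frame does not change the comparison, which is why patches 2 and 3 above only concern preserving the VLAN header on the reject path.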
Thread overview: 6+ messages
2020-05-06 9:46 [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge Michael Braun
2020-05-06 9:46 ` [PATCH 1/3] nftables: add frag-needed (ipv4) to reject options Michael Braun
2020-05-06 9:46 ` [PATCH 2/3] nftables: enable reject with 802.1q Michael Braun
2020-05-06 9:46 ` [PATCH 3/3] netfilter: enable reject with bridge vlan Michael Braun
2020-05-25 18:40 ` Pablo Neira Ayuso
2020-05-27 21:39 ` Pablo Neira Ayuso [this message]