* tcpmss match for IPv6 ?
@ 2007-07-12 21:44 Pascal Hambourg
From: Pascal Hambourg @ 2007-07-12 21:44 UTC (permalink / raw)
To: netfilter-devel
Hello,
I hope this is the right list for my question.
Support of the TCPMSS target for IPv6 was recently added in the kernel
and ip6tables. It can help fix some MTU blackhole issues, so thanks.
However there is currently no support of the tcpmss match for IPv6 yet,
although xt_tcpmss.c in the kernel seems to be IPv6 compatible.
Has anyone already submitted a patch to add support for an IPv6 tcpmss
match in ip6tables? It seems trivial to derive from the existing IPv4
tcpmss match for iptables. I believe I could even do it although I am
not a software developer and don't know how to submit a patch.
I ask because I would have a use for an IPv6 tcpmss match in conjunction
with the IPv6 TCPMSS target. "-j TCPMSS --clamp-mss-to-pmtu" may not be
optimal, still allowing underlying fragmentation at a lower layer
because of encapsulation (e.g. my ISP uses IPv6 over PPP over L2TP over
UDP over IP over ethernet, where the optimal non-fragmenting IPv6 MTU is
1460 due to the PPP+L2TP+UDP+IP overhead). Lowering the MTU is not an
option, as I want to keep the ability to send and receive as big packets
as the link allows. "-j TCPMSS --set-mss 1400" could be used to prevent
TCP connections from causing fragmentation of the L2TP packets, but I
must check that the original MSS is above 1400 before changing it. Else
it would increase the MSS, which is not desirable. So I would need the
tcpmss match in order to check the original MSS. Another solution would
be a new "--clamp-mss <value>" option in the TCPMSS target which would
clamp (i.e. decrease it if higher) the MSS down to an arbitrary value
instead of a value based on the PMTU. But I feel it would be more
complicated.
Thanks for your attention.
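The reasoning in the message above (match the original MSS first, lower it only when it is above the value that avoids L2TP fragmentation, never raise it) can be made concrete. The following is an added example, not code from the thread or from iptables: it implements the packet-side logic behind "-m tcpmss --mss min:max" and "-j TCPMSS --set-mss N" over a constructed TCP SYN header, and shows why the match is needed as a guard. The option walk follows my reading of the kernel's xt_tcpmss.c (a packet without an MSS option yields the rule's inverted sense); the stricter handling of malformed options and the lack of a TCP checksum fix-up are simplifications of this example, and all packet bytes are constructed.

```c
/*
 * Added example, not part of the thread or of the posted patch.
 * Packet-side logic of "-m tcpmss --mss min:max" and "-j TCPMSS --set-mss N"
 * over a constructed TCP SYN. Option walk per my reading of xt_tcpmss.c;
 * malformed-option handling is stricter here and no checksum is fixed up.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_MSS  2
#define TCPOLEN_MSS 4

/* Constructed sample: SYN 50000 -> 80, data offset 7 (28 bytes),
 * options MSS=1460, NOP, NOP, SACK-permitted; checksum left at zero. */
const uint8_t sample_syn[28] = {
    0xc3, 0x50, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x70, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x04, 0x05, 0xb4, 0x01, 0x01, 0x04, 0x02
};

/* Constructed sample: the same SYN with no options (data offset 5). */
const uint8_t sample_syn_nomss[20] = {
    0xc3, 0x50, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};

/* Offset of the MSS option in the header, -1 if absent, -2 if the header
 * or an option is truncated (the kernel match drops such packets). */
static int tcp_mss_offset(const uint8_t *tcph, size_t len)
{
    size_t doff, i;

    if (len < 20)
        return -2;
    doff = (size_t)(tcph[12] >> 4) * 4;
    if (doff < 20 || doff > len)
        return -2;
    for (i = 20; i < doff; ) {
        uint8_t kind = tcph[i], optlen;

        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= doff)
            return -2;
        optlen = tcph[i + 1];
        if (optlen < 2 || i + optlen > doff)
            return -2;
        if (kind == TCPOPT_MSS && optlen == TCPOLEN_MSS)
            return (int)i;
        i += optlen;
    }
    return -1;
}

/* MSS announced by the SYN, or the negative codes of tcp_mss_offset(). */
int tcp_mss_of(const uint8_t *tcph, size_t len)
{
    int off = tcp_mss_offset(tcph, len);

    if (off < 0)
        return off;
    return (tcph[off + 2] << 8) | tcph[off + 3];
}

/* The match: [!] --mss mss_min:mss_max. 1 = match, 0 = no match, -1 = drop. */
int tcpmss_match(const uint8_t *tcph, size_t len,
                 uint16_t mss_min, uint16_t mss_max, int invert)
{
    int mss = tcp_mss_of(tcph, len);

    if (mss == -2)
        return -1;
    if (mss == -1)               /* no MSS option: xt_tcpmss returns info->invert */
        return invert ? 1 : 0;
    return ((mss >= mss_min && mss <= mss_max) ? 1 : 0) ^ (invert ? 1 : 0);
}

/* --set-mss: overwrite the option unconditionally, raising it if the
 * original was lower (the behaviour the message wants to avoid).
 * Returns 0 when the packet has no MSS option, 1 otherwise. */
int tcp_set_mss(uint8_t *tcph, size_t len, uint16_t mss)
{
    int off = tcp_mss_offset(tcph, len);

    if (off < 0)
        return 0;
    tcph[off + 2] = (uint8_t)(mss >> 8);
    tcph[off + 3] = (uint8_t)(mss & 0xff);
    return 1;
}

/* A copy of sample_syn carrying orig_mss goes through either
 *   -m tcpmss --mss (clamp+1):65535 -j TCPMSS --set-mss clamp   (guarded)
 * or an unguarded -j TCPMSS --set-mss clamp; returns the MSS it leaves with. */
int rule_demo(uint16_t orig_mss, uint16_t clamp, int guarded)
{
    uint8_t pkt[sizeof sample_syn];

    memcpy(pkt, sample_syn, sizeof pkt);
    tcp_set_mss(pkt, sizeof pkt, orig_mss);
    if (!guarded || (clamp < 0xFFFF &&
        tcpmss_match(pkt, sizeof pkt, (uint16_t)(clamp + 1), 0xFFFF, 0) == 1))
        tcp_set_mss(pkt, sizeof pkt, clamp);
    return tcp_mss_of(pkt, sizeof pkt);
}

int main(void)
{
    printf("guarded   1460 -> %d\n", rule_demo(1460, 1400, 1));
    printf("guarded   1200 -> %d\n", rule_demo(1200, 1400, 1));
    printf("unguarded 1200 -> %d\n", rule_demo(1200, 1400, 0));
    return 0;
}
```

The guarded rule leaves a 1200-byte MSS alone and lowers 1460 to 1400; the unguarded --set-mss raises 1200 to 1400, which is the undesirable increase the message describes. The proposed "--clamp-mss <value>" target option would be the guarded path expressed inside the target rather than as a separate match.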
* Re: tcpmss match for IPv6 ?
From: Patrick McHardy @ 2007-07-13 13:13 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter-devel
Pascal Hambourg wrote:
> Hello,
>
> I hope this is the right list for my question.
> Support of the TCPMSS target for IPv6 was recently added in the kernel
> and ip6tables. It can help fix some MTU blackhole issues, so thanks.
> However there is currently no support of the tcpmss match for IPv6 yet,
> although xt_tcpmss.c in the kernel seems to be IPv6 compatible.
>
> Has anyone already submitted a patch to add support for an IPv6 tcpmss
> match in ip6tables? It seems trivial to derive from the existing IPv4
> tcpmss match for iptables. I believe I could even do it although I am
> not a software developer and don't know how to submit a patch.
The latest iptables release should contain an IPv6 capable TCPMSS target.
* Re: tcpmss match for IPv6 ?
From: Pascal Hambourg @ 2007-07-13 16:48 UTC (permalink / raw)
To: netfilter-devel
Patrick McHardy wrote:
>
> The latest iptables release should contain an IPv6 capable TCPMSS target.
Thanks, but I was talking about an IPv6 capable tcpmss *match*.
I just made libip6t_tcpmss.c, ip6t_tcpmss.h and libip6t_tcpmss.man from
the existing corresponding IPv4 files in iptables 1.3.8, roughly by
replacing all occurrences of 'ip' with 'ip6'. It builds and seems to
work on my x86 box. Shall I post a diff -ruN against the original
iptables 1.3.8 tree here for review?
* Re: tcpmss match for IPv6 ?
From: Patrick McHardy @ 2007-07-14 15:14 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter-devel, Yasuyuki KOZAKAI
Pascal Hambourg wrote:
> Patrick McHardy wrote:
>
>>
>> The latest iptables release should contain an IPv6 capable TCPMSS target.
>
>
> Thanks, but I was talking about an IPv6 capable tcpmss *match*.
Sorry, I misunderstood.
> I just made libip6t_tcpmss.c, ip6t_tcpmss.h and libip6t_tcpmss.man from
> the existing corresponding IPv4 files in iptables 1.3.8, roughly by
> replacing all occurrences of 'ip' with 'ip6'. It builds and seems to
> work on my x86 box. Shall I post a diff -ruN against the original
> iptables 1.3.8 tree here for review?
ip6_tables ports for x_tables matches and targets should ideally already
use the xt_ structures and constants. If you send a patch for tcpmss
I'll happily add it to SVN.
BTW, Yasuyuki, what's the current state of your x_tables userspace
patches? I recall they were almost finished when you posted them
a couple of months ago.
* Re: tcpmss match for IPv6 ?
From: Yasuyuki KOZAKAI @ 2007-07-14 16:26 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel, pascal.mail, yasuyuki.kozakai
From: Patrick McHardy <kaber@trash.net>
Date: Sat, 14 Jul 2007 17:14:50 +0200
> BTW, Yasuyuki, what's the current state of your x_tables userspace
> patches? I recall they were almost finished when you posted them
> a couple of months ago.
OK, I'll post the updated patchset soon.
Actually I've been missing the right timing to post the updated patches.
I had planned to post them 2 weeks after 2.6.22 was released,
to confirm there was no serious problem with the recent iptables and kernel 2.6.22.
But I'm glad if you think it's time to commit them.
-- Yasuyuki Kozakai
* [PATCH] tcpmss match for IPv6 (libip6t_tcpmss)
From: Pascal Hambourg @ 2007-07-15 20:05 UTC (permalink / raw)
To: netfilter-devel
Patrick McHardy wrote:
> Pascal Hambourg wrote:
>
>>I just made libip6t_tcpmss.c, ip6t_tcpmss.h and libip6t_tcpmss.man from
>>the existing corresponding IPv4 files in iptables 1.3.8, roughly by
>>replacing all occurrences of 'ip' with 'ip6'. It builds and seems to
>>work on my x86 box. Shall I post a diff -ruN against the original
>>iptables 1.3.8 tree here for review?
>
> ip6_tables ports for x_tables matches and targets should ideally already
> use the xt_ structures and constants. If you send a patch for tcpmss
> I'll happily add it to SVN.
As I explained before, my patch is directly adapted from libipt_tcpmss
and does not use the xtables definitions.
> BTW, Yasuyuki, what's the current state of your x_tables userspace
> patches? I recall they were almost finished when you posted them
> a couple of months ago.
Now that Yasuyuki has posted his x_tables patches, including the port of
tcpmss to x_tables, mine seems superfluous. However I post it for those
who might want to try it with the current stable iptables. I am glad
that my proposal indirectly triggered the posting of the x_tables
patches. :-)
[-- Attachment #2: libip6t_tcpmss.patch --]
[-- Type: text/plain, Size: 6008 bytes --]
diff -ruN iptables-1.3.8-orig/extensions/Makefile iptables-1.3.8/extensions/Makefile
--- iptables-1.3.8-orig/extensions/Makefile 2007-03-22 01:04:36.000000000 +0100
+++ iptables-1.3.8/extensions/Makefile 2007-07-12 16:23:12.000000000 +0200
@@ -6,7 +6,7 @@
# package (HW)
#
PF_EXT_SLIB:=ah addrtype comment connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TCPMSS TOS TTL ULOG
-PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TCPMSS
+PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp tcpmss udp CONNMARK HL LOG NFQUEUE MARK TCPMSS
ifeq ($(DO_SELINUX), 1)
PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
diff -ruN iptables-1.3.8-orig/extensions/libip6t_tcpmss.c iptables-1.3.8/extensions/libip6t_tcpmss.c
--- iptables-1.3.8-orig/extensions/libip6t_tcpmss.c 1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.8/extensions/libip6t_tcpmss.c 2007-07-12 21:22:26.000000000 +0200
@@ -0,0 +1,152 @@
+/* Shared library add-on to ip6tables to add tcp MSS matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <ip6tables.h>
+#include <linux/netfilter_ipv6/ip6t_tcpmss.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"tcpmss match v%s options:\n"
+"[!] --mss value[:value] Match TCP MSS range.\n"
+" (only valid for TCP SYN or SYN/ACK packets)\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+ { "mss", 1, 0, '1' },
+ {0}
+};
+
+static u_int16_t
+parse_tcp_mssvalue(const char *mssvalue)
+{
+ unsigned int mssvaluenum;
+
+ if (string_to_number(mssvalue, 0, 65535, &mssvaluenum) != -1)
+ return (u_int16_t)mssvaluenum;
+
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid mss `%s' specified", mssvalue);
+}
+
+static void
+parse_tcp_mssvalues(const char *mssvaluestring,
+ u_int16_t *mss_min, u_int16_t *mss_max)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(mssvaluestring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ *mss_min = *mss_max = parse_tcp_mssvalue(buffer);
+ else {
+ *cp = '\0';
+ cp++;
+
+ *mss_min = buffer[0] ? parse_tcp_mssvalue(buffer) : 0;
+ *mss_max = cp[0] ? parse_tcp_mssvalue(cp) : 0xFFFF;
+ }
+ free(buffer);
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ip6t_entry *entry,
+ unsigned int *nfcache,
+ struct ip6t_entry_match **match)
+{
+ struct ip6t_tcpmss_match_info *mssinfo =
+ (struct ip6t_tcpmss_match_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags)
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--mss' allowed");
+ check_inverse(optarg, &invert, &optind, 0);
+ parse_tcp_mssvalues(argv[optind-1],
+ &mssinfo->mss_min, &mssinfo->mss_max);
+ if (invert)
+ mssinfo->invert = 1;
+ *flags = 1;
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void
+print_tcpmss(u_int16_t mss_min, u_int16_t mss_max, int invert, int numeric)
+{
+ if (invert)
+ printf("! ");
+
+ if (mss_min == mss_max)
+ printf("%u ", mss_min);
+ else
+ printf("%u:%u ", mss_min, mss_max);
+}
+
+/* Final check; must have specified --mss. */
+static void
+final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "tcpmss match: You must specify `--mss'");
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const struct ip6t_ip6 *ip,
+ const struct ip6t_entry_match *match,
+ int numeric)
+{
+ const struct ip6t_tcpmss_match_info *mssinfo =
+ (const struct ip6t_tcpmss_match_info *)match->data;
+
+ printf("tcpmss match ");
+ print_tcpmss(mssinfo->mss_min, mssinfo->mss_max,
+ mssinfo->invert, numeric);
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void
+save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
+{
+ const struct ip6t_tcpmss_match_info *mssinfo =
+ (const struct ip6t_tcpmss_match_info *)match->data;
+
+ printf("--mss ");
+ print_tcpmss(mssinfo->mss_min, mssinfo->mss_max,
+ mssinfo->invert, 0);
+}
+
+static struct ip6tables_match tcpmss = {
+ .next = NULL,
+ .name = "tcpmss",
+ .version = IPTABLES_VERSION,
+ .size = IP6T_ALIGN(sizeof(struct ip6t_tcpmss_match_info)),
+ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_tcpmss_match_info)),
+ .help = &help,
+ .parse = &parse,
+ .final_check = &final_check,
+ .print = &print,
+ .save = &save,
+ .extra_opts = opts
+};
+
+void _init(void)
+{
+ register_match6(&tcpmss);
+}
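Review bot: the struct this extension casts `(*match)->data` to, `struct ip6t_tcpmss_match_info`, is a private copy of the match info rather than the xt_ definition Patrick asked for; since the kernel's xt_tcpmss is already IPv6 capable (as the first message notes), the layout handed to it must stay identical to the kernel's, and including the xt_ header and using `struct xt_tcpmss_match_info` directly would remove both the new header file and the risk of the two drifting apart. Smaller points in the same hunk: `print_tcpmss()` takes `numeric` but never uses it (carried over from the IPv4 file); the comment above `save()` still says "Saves the union ipt_matchinfo"; and the `strdup()` in `parse_tcp_mssvalues()` is not checked for NULL before `strchr()` dereferences it.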
diff -ruN iptables-1.3.8-orig/extensions/libip6t_tcpmss.man iptables-1.3.8/extensions/libip6t_tcpmss.man
--- iptables-1.3.8-orig/extensions/libip6t_tcpmss.man 1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.8/extensions/libip6t_tcpmss.man 2007-07-12 15:55:12.000000000 +0200
@@ -0,0 +1,4 @@
+This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
+.TP
+.BI "[!] "--mss " value[:value]"
+Match a given TCP MSS value or range.
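Review bot: the man text should document the range syntax the parser accepts: `--mss value` matches a single value, `--mss min:max` a closed range, and an empty side defaults to 0 or 65535 (`--mss :1400`, `--mss 1401:`), which is what `parse_tcp_mssvalues()` in libip6t_tcpmss.c implements; "Match a given TCP MSS value or range." alone does not tell the reader that the open-ended forms exist, and they are exactly what the use case in this thread (match MSS above 1400 before clamping) needs.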
diff -ruN iptables-1.3.8-orig/include/linux/netfilter_ipv6/ip6t_tcpmss.h iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_tcpmss.h
--- iptables-1.3.8-orig/include/linux/netfilter_ipv6/ip6t_tcpmss.h 1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_tcpmss.h 2007-07-12 16:20:51.000000000 +0200
@@ -0,0 +1,9 @@
+#ifndef _IP6T_TCPMSS_MATCH_H
+#define _IP6T_TCPMSS_MATCH_H
+
+struct ip6t_tcpmss_match_info {
+ u_int16_t mss_min, mss_max;
+ u_int8_t invert;
+};
+
+#endif /*_IP6T_TCPMSS_MATCH_H*/
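Review bot: this header introduces a second definition of the match info (two u_int16_t followed by a u_int8_t) that nothing in the patch ties to the kernel structure the IPv6-capable xt_tcpmss match consumes; reusing the xt_ definition instead of adding this file, as suggested earlier in the thread, would avoid the duplicate. As written, the header also uses u_int16_t and u_int8_t without including <sys/types.h> or <linux/types.h>, so it only compiles when the includer has already pulled those in.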