From: Michael Braun <michael-dev@fami-braun.de>
To: netfilter-devel@vger.kernel.org
Cc: Michael Braun <michael-dev@fami-braun.de>
Subject: [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge
Date: Wed,  6 May 2020 11:46:22 +0200
Message-ID: <cover.1588758255.git.michael-dev@fami-braun.de>

Hi,

I have a bridge which connects a gretap tunnel with some ethernet LAN.
On the gretap device I use ignore-df to avoid packets being lost without
an icmp reject to the sender of the bridged packet.

Still I want to avoid packet fragmentation with the gretap packets.
So I thought about adding an nftables rule like this:

nft insert rule bridge filter FORWARD \
  ip protocol tcp \
  ip length > 1400 \
  ip frag-off & 0x4000 != 0 \
  reject with icmp type frag-needed

This would reject all tcp packets with ip dont-fragment bit set that are
bigger than some threshold (here 1400 bytes). The sender would then receive
ICMP unreachable - fragmentation needed and reduce its packet size (as
defined with PMTU).

This patch series
 1. adds the frag-needed ipv4 flag to nftables
 2. enables using this with bridge vlans.

For IPv6, this would need ICMPV6_PKT_TOOBIG instead of ICMPV6_DEST_UNREACH
in nft_reject_br_send_v6_unreach, so this is not part of this series.

Regards,
M. Braun

-- 
2.20.1
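What the rule above does at packet level, as an added example that is not part of this message or of the patch series: it decodes the IPv4 fields the rule tests (protocol, total length, the DF bit in frag-off), applies the same predicate, and builds the ICMP "fragmentation needed" reply (type 3, code 4, RFC 1191 layout) that the sender uses for PMTU discovery. The sample packets are constructed here; using the 1400-byte threshold as the advertised next-hop MTU is an assumption, not something the kernel's reject code is stated to do.

```python
import struct

DF_FLAG = 0x4000        # "don't fragment" bit in the IPv4 frag-off field (the rule's 0x4000 mask)
IPPROTO_TCP = 6
THRESHOLD = 1400        # byte threshold from the rule above (ip length > 1400)

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header fields the nft rule inspects."""
    v_ihl, _tos, length, _id, frag_off, _ttl, proto, _csum, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if v_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ihl": (v_ihl & 0x0F) * 4, "length": length, "frag_off": frag_off, "proto": proto}

def rule_matches(pkt: bytes, threshold: int = THRESHOLD) -> bool:
    """Same predicate as: ip protocol tcp / ip length > threshold / ip frag-off & 0x4000 != 0."""
    h = parse_ipv4(pkt)
    return h["proto"] == IPPROTO_TCP and h["length"] > threshold and (h["frag_off"] & DF_FLAG) != 0

def build_frag_needed(pkt: bytes, next_hop_mtu: int) -> bytes:
    """ICMP destination unreachable, code 4 (fragmentation needed), RFC 1191 layout:
    type | code | checksum | unused | next-hop MTU | offending IP header + first 8 payload bytes."""
    h = parse_ipv4(pkt)
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + pkt[:h["ihl"] + 8]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def make_ipv4(proto: int, payload_len: int, df: bool) -> bytes:
    """Constructed sample packet: 10.0.0.1 -> 10.0.0.2 with a zeroed payload of the given size."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      DF_FLAG if df else 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill in the header checksum
    return hdr + bytes(payload_len)

if __name__ == "__main__":
    big_df = make_ipv4(IPPROTO_TCP, 1480, df=True)      # 1500-byte TCP packet with DF set
    reply = build_frag_needed(big_df, THRESHOLD)        # advertised MTU: assumed choice (see lead-in)
    print("match:", rule_matches(big_df), "icmp type/code:", reply[0], reply[1],
          "next-hop mtu:", int.from_bytes(reply[6:8], "big"))
```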


Thread overview: 6+ messages
2020-05-06  9:46 Michael Braun [this message]
2020-05-06  9:46 ` [PATCH 1/3] nftables: add frag-needed (ipv4) to reject options Michael Braun
2020-05-06  9:46 ` [PATCH 2/3] nftables: enable reject with 802.1q Michael Braun
2020-05-06  9:46 ` [PATCH 3/3] netfilter: enable reject with bridge vlan Michael Braun
2020-05-25 18:40   ` Pablo Neira Ayuso
2020-05-27 21:39 ` [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge Pablo Neira Ayuso