* [PATCH 1/3] nftables: add frag-needed (ipv4) to reject options
2020-05-06 9:46 [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge Michael Braun
@ 2020-05-06 9:46 ` Michael Braun
2020-05-06 9:46 ` [PATCH 2/3] nftables: enable reject with 802.1q Michael Braun
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Michael Braun @ 2020-05-06 9:46 UTC (permalink / raw)
To: netfilter-devel; +Cc: Michael Braun
This enables to send icmp frag-needed messages using reject target.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
doc/data-types.txt | 2 ++
src/datatype.c | 1 +
2 files changed, 3 insertions(+)
diff --git a/doc/data-types.txt b/doc/data-types.txt
index 90e19a8b..a42a55fa 100644
--- a/doc/data-types.txt
+++ b/doc/data-types.txt
@@ -254,6 +254,8 @@ The ICMP Code type is used to conveniently specify the ICMP header's code field.
2
|port-unreachable|
3
+|frag-needed|
+4
|net-prohibited|
9
|host-prohibited|
diff --git a/src/datatype.c b/src/datatype.c
index b305bf60..7d652ff2 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -825,6 +825,7 @@ static const struct symbol_table icmp_code_tbl = {
SYMBOL("net-prohibited", ICMP_NET_ANO),
SYMBOL("host-prohibited", ICMP_HOST_ANO),
SYMBOL("admin-prohibited", ICMP_PKT_FILTERED),
+ SYMBOL("frag-needed", ICMP_FRAG_NEEDED),
SYMBOL_LIST_END
},
};
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH 2/3] nftables: enable reject with 802.1q
2020-05-06 9:46 [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge Michael Braun
2020-05-06 9:46 ` [PATCH 1/3] nftables: add frag-needed (ipv4) to reject options Michael Braun
@ 2020-05-06 9:46 ` Michael Braun
2020-05-06 9:46 ` [PATCH 3/3] netfilter: enable reject with bridge vlan Michael Braun
2020-05-27 21:39 ` [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge Pablo Neira Ayuso
3 siblings, 0 replies; 6+ messages in thread
From: Michael Braun @ 2020-05-06 9:46 UTC (permalink / raw)
To: netfilter-devel; +Cc: Michael Braun
This enables the use nft bridge reject with bridge vlan filtering.
It depends on a kernel patch to make the kernel preserve the
vlan id in nft bridge reject generation.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
src/evaluate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index ec96dd58..20849ef3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2635,7 +2635,7 @@ static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt,
const struct proto_desc *desc;
desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
- if (desc != &proto_eth)
+ if (desc != &proto_eth && desc != &proto_vlan)
return stmt_binary_error(ctx,
&ctx->pctx.protocol[PROTO_BASE_LL_HDR],
stmt, "unsupported link layer protocol");
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/3] netfilter: enable reject with bridge vlan
2020-05-06 9:46 [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge Michael Braun
2020-05-06 9:46 ` [PATCH 1/3] nftables: add frag-needed (ipv4) to reject options Michael Braun
2020-05-06 9:46 ` [PATCH 2/3] nftables: enable reject with 802.1q Michael Braun
@ 2020-05-06 9:46 ` Michael Braun
2020-05-25 18:40 ` Pablo Neira Ayuso
2020-05-27 21:39 ` [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge Pablo Neira Ayuso
3 siblings, 1 reply; 6+ messages in thread
From: Michael Braun @ 2020-05-06 9:46 UTC (permalink / raw)
To: netfilter-devel; +Cc: Michael Braun
Currently, using the bridge reject target with tagged packets
results in untagged packets being sent back.
Fix this by mirroring the vlan id as well.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
net/bridge/netfilter/nft_reject_bridge.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
index b325b569e761..f48cf4cfb80f 100644
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -31,6 +31,12 @@ static void nft_reject_br_push_etherhdr(struct sk_buff *oldskb,
ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source);
eth->h_proto = eth_hdr(oldskb)->h_proto;
skb_pull(nskb, ETH_HLEN);
+
+ if (skb_vlan_tag_present(oldskb)) {
+ u16 vid = skb_vlan_tag_get(oldskb);
+
+ __vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid);
+ }
}
static int nft_bridge_iphdr_validate(struct sk_buff *skb)
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge
2020-05-06 9:46 [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge Michael Braun
` (2 preceding siblings ...)
2020-05-06 9:46 ` [PATCH 3/3] netfilter: enable reject with bridge vlan Michael Braun
@ 2020-05-27 21:39 ` Pablo Neira Ayuso
3 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-27 21:39 UTC (permalink / raw)
To: Michael Braun; +Cc: netfilter-devel
On Wed, May 06, 2020 at 11:46:22AM +0200, Michael Braun wrote:
> Hi,
>
> I have a bridge with connects an gretap tunnel with some ethernet lan.
> On the gretap device I use ignore-df to avoid packets being lost without
> icmp reject to the sender of the bridged packet.
>
> Still I want to avoid packet fragmentation with the gretap packets.
> So I though about adding an nftables rule like this:
>
> nft insert rule bridge filter FORWARD \
> ip protocol tcp \
> ip length > 1400 \
> ip frag-off & 0x4000 != 0 \
> reject with icmp type frag-needed
>
> This would reject all tcp packets with ip dont-fragment bit set that are
> bigger than some threshold (here 1400 bytes). The sender would then receive
> ICMP unreachable - fragmentation needed and reduce its packet size (as
> defined with PMTU).
Patches 1 and 2 are applied, thanks.
Patch 3 has been merged upstream as a bugfix since VLAN should be
preversed in any reject case.
^ permalink raw reply [flat|nested] 6+ messages in thread