Linux Netfilter discussions
* Match DF (Don't Fragment) bit
@ 2003-04-23 15:24 Mathias Sundman
  2003-04-25  9:15 ` Maciej Soltysiak
  2003-04-25 20:00 ` Martijn Lievaart
  0 siblings, 2 replies; 4+ messages in thread
From: Mathias Sundman @ 2003-04-23 15:24 UTC (permalink / raw)
  To: netfilter

I'm using vtun to create an encrypted ethernet bridge.

My setup is like this:
LocalNet1 - BRIDGE1 - Internet - BRIDGE2 - LocalNet2

where BRIDGE1 and BRIDGE2 are Linux machines that bridge
between one physical interface and a tap device created
by vtun.

This works great, however there is a problem with the MTU.

If a machine on LocalNet1 sends full size packets (1500b)
to a machine on LocalNet2, it will exceed 1500 bytes
when it's encrypted and sent over the internet. These packets
will then be fragmented. This is fine as long as the fragments
get through...

However, this is not always the case. Therefore I've tried to
find a way to make the machines understand that they can't
use such big packets when talking to machines on the other side
of the bridge.

So I made a quick hack in netfilter/iptables which enabled me
to return ICMP "dest-unreachable, fragmentation needed but
DF flag set" packets when a too large packet arrives.

That seemed to do the trick, but I'd like to do this only if the
original packet had the DF flag set, so my question is, is it
possible to check whether the DF flag is set or not?

(Please CC me on replies)

Regards
Mathias Sundman





* Re: Match DF (Don't Fragment) bit
  2003-04-23 15:24 Match DF (Don't Fragment) bit Mathias Sundman
@ 2003-04-25  9:15 ` Maciej Soltysiak
  2003-04-25  9:43   ` Dmitry Labutcky
  2003-04-25 20:00 ` Martijn Lievaart
  1 sibling, 1 reply; 4+ messages in thread
From: Maciej Soltysiak @ 2003-04-25  9:15 UTC (permalink / raw)
  To: Mathias Sundman; +Cc: netfilter

On Wed, 23 Apr 2003, Mathias Sundman wrote:

> If a machine on LocalNet1 sends full size packets (1500b)
> to a machine on LocalNet2, it will exceed 1500 bytes
> when it's encrypted and sent over the internet. These packets
> will then be fragmented. This is fine as long as the fragments
> get through...
How about using -j TCPMSS --clamp-mss-to-pmtu
or setting the MTU to a lower value to avoid fragmentation?

> That seemed to do the trick, but I'd like to do this only if the
> original packet had the DF flag set, so my question is, is it
> possible to check whether the DF flag is set or not?
AFAIK there are no matches like that, but writing one would be very easy.
I can do it for you if you are desperate.

Though I am not a networking / bridging guru, I believe there must be a way
to solve your problem without clever netfilter tricks.

Regards,
Maciej




* Re: Match DF (Don't Fragment) bit
  2003-04-25  9:15 ` Maciej Soltysiak
@ 2003-04-25  9:43   ` Dmitry Labutcky
  0 siblings, 0 replies; 4+ messages in thread
From: Dmitry Labutcky @ 2003-04-25  9:43 UTC (permalink / raw)
  To: netfilter

Hi!

> On Wed, 23 Apr 2003, Mathias Sundman wrote:
> > If a machine on LocalNet1 sends full size packets (1500b)
> > to a machine on LocalNet2, it will exceed 1500 bytes
> > when it's encrypted and sent over the internet. These packets
> > will then be fragmented. This is fine as long as the fragments
> > get through...
>
> How about using -j TCPMSS --clamp-mss-to-pmtu
> or setting the MTU to a lower value to avoid fragmentation?

But what if one or more routers in the path do not support PMTU?
Setting the MTU lower is a solution, but this is not always a good idea.
Another solution may be to clear the DF flag on forwarded packets.


-- 
/bye
----------------------------------------------------------------------
Dmitry U.Labutcky                  System administrator of Swift Trace
mail to: avl@strace.net            Simferopol, Crimea, Ukraine
phone:   +380-652-516546           Yaltinskaya 20, office 502




* Re: Match DF (Don't Fragment) bit
  2003-04-23 15:24 Match DF (Don't Fragment) bit Mathias Sundman
  2003-04-25  9:15 ` Maciej Soltysiak
@ 2003-04-25 20:00 ` Martijn Lievaart
  1 sibling, 0 replies; 4+ messages in thread
From: Martijn Lievaart @ 2003-04-25 20:00 UTC (permalink / raw)
  To: Mathias Sundman; +Cc: netfilter


Mathias Sundman wrote:

>I'm using vtun to create an encrypted ethernet bridge.
>
>My setup is like this:
>LocalNet1 - BRIDGE1 - Internet - BRIDGE2 - LocalNet2
>
>where BRIDGE1 and BRIDGE2 are Linux machines that bridge
>between one physical interface and a tap device created
>by vtun.
>
>This works great, however there is a problem with the MTU.
>
>If a machine on LocalNet1 sends full size packets (1500b)
>to a machine on LocalNet2, it will exceed 1500 bytes
>when it's encrypted and sent over the internet. These packets
>will then be fragmented. This is fine as long as the fragments
>get through...
>
>However, this is not always the case. Therefore I've tried to
>find a way to make the machines understand that they can't
>use such big packets when talking to machines on the other side
>of the bridge.
>
>So I made a quick hack in netfilter/iptables which enabled me
>to return ICMP "dest-unreachable, fragmentation needed but
>DF flag set" packets when a too large packet arrives.
>
>That seemed to do the trick, but I'd like to do this only if the
>original packet had the DF flag set, so my question is, is it
>possible to check whether the DF flag is set or not?
>
>
>

This patch should do the trick, but the u32 patch can also be used.

HTH,
M4


[-- Attachment #2: dontfrag.patch --]
[-- Type: text/plain, Size: 1745 bytes --]

--- linux-2.4.19/net/ipv4/netfilter/ipt_dontfrag.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.4.19.dontfrag/net/ipv4/netfilter/ipt_dontfrag.c	2003-04-02 21:52:49.000000000 +0200
@@ -0,0 +1,61 @@
+/*
+  This is a module which is used to match the ipv4 DF bit.
+  This file is distributed under the terms of the GNU General Public
+  License (GPL). Copies of the GPL can be obtained from:
+  ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+  01 apr 2003 Martijn Lievaart <m@rtij.nl> : No joke, initial development
+*/
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/ip.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_AUTHOR("Martijn Lievaart <m@rtij.nl>");
+MODULE_DESCRIPTION("IP tables dont-frag bit matching module ");
+MODULE_LICENSE("GPL");
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      const void *hdr,
+      u_int16_t datalen,
+      int *hotdrop)
+{
+	const struct iphdr *iph = skb->nh.iph;
+        const __u16 frag_off = __constant_htons(iph->frag_off);
+	return (frag_off & IP_DF) != 0;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_ip *ip,
+	   void *matchinfo,
+	   unsigned int matchsize,
+	   unsigned int hook_mask)
+{
+	return 1;
+}
+
+static struct ipt_match dontfrag_match
+= { { NULL, NULL }, "dontfrag", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+/* 	printk("ipt_dontfrag loading\n"); */
+	return ipt_register_match(&dontfrag_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&dontfrag_match);
+/* 	printk("ipt_dontfrag unloaded\n"); */
+}
+
+module_init(init);
+module_exit(fini);
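Review bot: in match(), `__constant_htons(iph->frag_off)` applies a compile-time constant-folding macro to a run-time header field; frag_off is big-endian on the wire, so the conversion wanted is `ntohs(iph->frag_off)` (or drop the conversion and compare the raw field against `htons(IP_DF)`). A 16-bit swap is the same in both directions, so the bit test does work, but the name misstates the direction and the `__constant_*` helpers are not meant for non-constant arguments. Two smaller points in the same hunk: match() ignores its `offset` argument, so a non-first fragment that carries DF also matches, which matters once the match feeds FRAGNEEDED, because an ICMP error quoting a non-first fragment gives the sender nothing it can map back to a socket; and checkentry() returns 1 unconditionally rather than rejecting a `matchsize` other than `IPT_ALIGN(0)`, as the other data-less 2.4 matches do.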

[-- Attachment #3: dontfrag.patch.config.in --]
[-- Type: text/plain, Size: 176 bytes --]

  dep_tristate '  TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES
  dep_tristate '  dontfrag match support' CONFIG_IP_NF_MATCH_DONTFRAG $CONFIG_IP_NF_IPTABLES

[-- Attachment #4: dontfrag.patch.help --]
[-- Type: text/plain, Size: 485 bytes --]

Author: Martijn Lievaart <m@rtij.nl>
Status: ItWorksForMe(tm)

This patch adds CONFIG_IP_NF_MATCH_DONTFRAG which allows you to match
the ipv4 DF bit. This is useful with the FRAGNEEDED target to
investigate pmtud problems or to force pmtud when other parts of the
network don't NAT the icmp-fragmentation-needed messages correctly.

You probably want to use the length patch as well.

Example:
iptables -A INPUT -d x.x.x.x -m dontfrag -m length --length 1401: -j FRAGNEEDED --mtu 1400

[-- Attachment #5: dontfrag.patch.makefile --]
[-- Type: text/plain, Size: 97 bytes --]

obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
obj-$(CONFIG_IP_NF_MATCH_DONTFRAG) += ipt_dontfrag.o
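As an added example, not from the thread and not part of Martijn's patch: a userspace C model of the decision encoded by the rule in the help text (DF set, first fragment, total length over the tunnel MTU) together with the ICMP destination-unreachable type 3 code 4 message that such a rule answers with, carrying the next-hop MTU field of RFC 1191. It also shows the byte-order point from the patch: the flags word is big-endian on the wire and is converted with ntohs(). The packet bytes, addresses and all function names are constructed for this example; nothing here is the kernel match's own code.

```c
/* Added example: userspace model of "DF set and too big -> frag needed".
 * Not from the netfilter patch; packet contents are constructed below. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define IP_DF_HOST 0x4000   /* DF bit, host byte order (same value as the kernel's IP_DF) */
#define IP_OFFMASK 0x1fff   /* fragment offset field */

struct ipv4_fields {
    uint8_t  ihl;        /* header length in bytes */
    uint16_t tot_len;    /* host byte order */
    uint16_t frag_off;   /* host byte order: flags + offset */
};

/* Parse the IPv4 fields needed for the DF decision. Returns 0 on malformed input. */
static int parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_fields *f)
{
    uint16_t tl, fo;
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    f->ihl = (uint8_t)((pkt[0] & 0x0f) * 4);
    if (f->ihl < 20 || f->ihl > len) return 0;
    memcpy(&tl, pkt + 2, 2);
    memcpy(&fo, pkt + 6, 2);
    f->tot_len  = ntohs(tl);   /* wire is big-endian: ntohs on a run-time field */
    f->frag_off = ntohs(fo);
    if (f->tot_len < f->ihl || f->tot_len > len) return 0;
    return 1;
}

/* The rule's predicate: first fragment only, DF set, and larger than the tunnel MTU. */
int needs_frag_needed(const uint8_t *pkt, size_t len, uint16_t mtu)
{
    struct ipv4_fields f;
    if (!parse_ipv4(pkt, len, &f)) return 0;
    if (f.frag_off & IP_OFFMASK) return 0;   /* non-first fragment: no L4 header to quote */
    return (f.frag_off & IP_DF_HOST) != 0 && f.tot_len > mtu;
}

/* RFC 1071 one's-complement checksum over a byte string. */
static uint16_t csum16(const uint8_t *d, size_t n)
{
    uint32_t s = 0;
    while (n > 1) { s += (uint16_t)((d[0] << 8) | d[1]); d += 2; n -= 2; }
    if (n) s += (uint16_t)(d[0] << 8);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Build the ICMP body: type 3, code 4, 16 unused bits, next-hop MTU (RFC 1191),
 * then the offending IP header plus 8 bytes of its payload (RFC 792 quote).
 * Returns bytes written, or 0 if the input is malformed or out is too small. */
size_t build_frag_needed(const uint8_t *pkt, size_t len, uint16_t mtu,
                         uint8_t *out, size_t outlen)
{
    struct ipv4_fields f;
    size_t quote;
    uint16_t c;
    if (!parse_ipv4(pkt, len, &f)) return 0;
    quote = (size_t)f.ihl + 8;
    if (quote > len) quote = len;
    if (outlen < 8 + quote) return 0;
    out[0] = 3; out[1] = 4;                          /* dest unreachable, frag needed */
    out[2] = 0; out[3] = 0;                          /* checksum, filled below */
    out[4] = 0; out[5] = 0;                          /* unused */
    out[6] = (uint8_t)(mtu >> 8); out[7] = (uint8_t)mtu;   /* next-hop MTU, big-endian */
    memcpy(out + 8, pkt, quote);
    c = csum16(out, 8 + quote);
    out[2] = (uint8_t)(c >> 8); out[3] = (uint8_t)c;
    return 8 + quote;
}

/* Constructed sample: minimal IPv4/TCP packet of tot_len bytes, DF optional.
 * Addresses are made up; the IP header checksum is left zero (not needed here). */
size_t make_sample(uint8_t *buf, size_t buflen, int df, uint16_t tot_len)
{
    uint16_t fo = df ? IP_DF_HOST : 0;
    if (buflen < tot_len || tot_len < 28) return 0;
    memset(buf, 0, tot_len);
    buf[0] = 0x45;                                   /* IPv4, IHL 5 */
    buf[2] = (uint8_t)(tot_len >> 8); buf[3] = (uint8_t)tot_len;
    buf[6] = (uint8_t)(fo >> 8); buf[7] = (uint8_t)fo;
    buf[8] = 64; buf[9] = 6;                         /* TTL, protocol TCP */
    memcpy(buf + 12, "\xc0\xa8\x01\x0a", 4);         /* 192.168.1.10 (constructed) */
    memcpy(buf + 16, "\xc0\xa8\x02\x14", 4);         /* 192.168.2.20 (constructed) */
    return tot_len;
}

int main(void)
{
    uint8_t pkt[1500], icmp[64];
    size_t n = make_sample(pkt, sizeof pkt, 1, 1500);
    size_t k;
    printf("DF=1 len=1500 mtu=1400 -> frag needed: %d\n", needs_frag_needed(pkt, n, 1400));
    k = build_frag_needed(pkt, n, 1400, icmp, sizeof icmp);
    printf("ICMP message %zu bytes, next-hop MTU %u\n", k, (unsigned)((icmp[6] << 8) | icmp[7]));
    return 0;
}
```

The offset test is what the patch's match lacks: only the first fragment carries the transport header the ICMP quote is meant to include, and a non-first fragment with DF set is malformed rather than oversized.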


