author:    Michael Braun <michael-dev@fami-braun.de>    2020-05-06 11:46:23 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org>    2020-05-28 00:04:38 +0200
commit:    2a20b5bdbde8a1b510f75b1522772b07e51a77d7 (patch)
tree:      d9c0d580bc66489519fea51e522c63426191fe9a /doc
parent:    0c0e0c263b05d5f7340c3a12335f7d27041fc7b6 (diff)
datatype: add frag-needed (ipv4) to reject options
This enables sending ICMP frag-needed messages using the reject target.

I have a bridge which connects a gretap tunnel with some ethernet LAN. On the gretap device I use ignore-df to avoid packets being lost without an ICMP reject to the sender of the bridged packet. Still, I want to avoid packet fragmentation of the gretap packets. So I thought about adding an nftables rule like this:

    nft insert rule bridge filter FORWARD \
        ip protocol tcp \
        ip length > 1400 \
        ip frag-off & 0x4000 != 0 \
        reject with icmp type frag-needed

This would reject all TCP packets with the IP don't-fragment bit set that are bigger than some threshold (here 1400 bytes). The sender would then receive ICMP unreachable - fragmentation needed and reduce its packet size (as defined with PMTU).

[ pablo: update tests/py ]

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
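The rule in the commit message matches on three IPv4 header fields (protocol, total length, and the DF flag inside the 16-bit fragment-offset word, which is why the mask is 0x4000) and answers with an ICMP Destination Unreachable message carrying code 4. The following Python is an added example, not part of this commit or of nftables: it reimplements that match predicate over a constructed packet and builds the ICMP frag-needed reply the sender would see, including the next-hop MTU field from RFC 1191 that PMTU discovery reads. The packet contents, the 1400-byte threshold and the MTU value are assumptions chosen to mirror the commit message.

```python
import struct

IP_DF = 0x4000            # Don't Fragment flag: bit 14 of the 16-bit frag-off word
IPPROTO_TCP = 6
IPPROTO_UDP = 17
ICMP_DEST_UNREACH = 3     # ICMP type 3
ICMP_FRAG_NEEDED = 4      # code 4: fragmentation needed and DF set (RFC 792)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, df: bool = True) -> bytes:
    """Constructed IPv4 packet (20-byte header, no options) for the demo; not captured traffic."""
    frag_off = IP_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      frag_off, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def needs_frag_reject(pkt: bytes, threshold: int = 1400) -> bool:
    """Same predicate as the rule: ip protocol tcp, ip length > threshold, ip frag-off & 0x4000 != 0."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    total_len = struct.unpack("!H", pkt[2:4])[0]
    frag_off = struct.unpack("!H", pkt[6:8])[0]   # flags + fragment offset, one 16-bit word
    proto = pkt[9]
    return proto == IPPROTO_TCP and total_len > threshold and (frag_off & IP_DF) != 0


def build_frag_needed(orig_pkt: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 / code 4 reply quoting the offending IP header plus 8 bytes of payload.

    The second 16-bit word of the unused field carries the next-hop MTU (RFC 1191),
    which the sender's PMTU discovery uses to shrink its segments.
    """
    ihl = (orig_pkt[0] & 0x0F) * 4
    quoted = orig_pkt[:ihl + 8]
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def parse_frag_needed(icmp: bytes):
    """Return (type, code, next-hop MTU) from an ICMP message; checksum must verify to zero."""
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    return icmp_type, code, mtu


def demo():
    """Assumed scenario: a 1520-byte TCP packet with DF set crosses the bridge."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])
    big_df_tcp = build_ipv4(src, dst, IPPROTO_TCP, b"\x00" * 1500, df=True)
    if needs_frag_reject(big_df_tcp):
        reply = build_frag_needed(big_df_tcp, next_hop_mtu=1400)
        return parse_frag_needed(reply)
    return None


if __name__ == "__main__":
    print(demo())
```

Packets that fail any one of the three conditions (a UDP packet, a TCP packet below the threshold, or one without DF) are left to the ignore-df path described above; only TCP with DF set and a total length above the threshold gets the ICMP reply, so the sender learns the smaller MTU instead of silently losing data.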
Diffstat (limited to 'doc')
-rw-r--r--  doc/data-types.txt | 2 ++
1 file changed, 2 insertions(+), 0 deletions(-)
diff --git a/doc/data-types.txt b/doc/data-types.txt
index 90e19a8b..a42a55fa 100644
--- a/doc/data-types.txt
+++ b/doc/data-types.txt
@@ -254,6 +254,8 @@ The ICMP Code type is used to conveniently specify the ICMP header's code field.
2
|port-unreachable|
3
+|frag-needed|
+4
|net-prohibited|
9
|host-prohibited|
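Review bot: the new row is in the correct numeric position (between port-unreachable 3 and net-prohibited 9) and 4 is the Destination Unreachable code for "fragmentation needed and DF set", but the subject line scopes this to IPv4 while the table text does not; since IPv6 signals this condition with a separate Packet Too Big type rather than a destination-unreachable code, consider a short remark beside the row, or in the surrounding text, that frag-needed applies to the ip family only, so readers do not expect an icmpv6 equivalent in this table.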