author: Michael Braun <michael-dev@fami-braun.de> 2020-05-06 11:46:23 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2020-05-28 00:04:38 +0200
commit: 2a20b5bdbde8a1b510f75b1522772b07e51a77d7
tree: d9c0d580bc66489519fea51e522c63426191fe9a /src/datatype.c
parent: 0c0e0c263b05d5f7340c3a12335f7d27041fc7b6
datatype: add frag-needed (ipv4) to reject options
This enables sending icmp frag-needed messages using the reject target.

I have a bridge which connects a gretap tunnel with some ethernet lan. On the gretap device I use ignore-df to avoid packets being lost without an icmp reject to the sender of the bridged packet. Still I want to avoid packet fragmentation with the gretap packets. So I thought about adding an nftables rule like this:

  nft insert rule bridge filter FORWARD \
      ip protocol tcp \
      ip length > 1400 \
      ip frag-off & 0x4000 != 0 \
      reject with icmp type frag-needed

This would reject all tcp packets with the ip dont-fragment bit set that are bigger than some threshold (here 1400 bytes). The sender would then receive ICMP unreachable - fragmentation needed and reduce its packet size (as defined with PMTU).

[ pablo: update tests/py ]

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/datatype.c')
 src/datatype.c | 1 +
 1 files changed, 1 insertions, 0 deletions
diff --git a/src/datatype.c b/src/datatype.c
index 723ac649..90905258 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -825,6 +825,7 @@ static const struct symbol_table icmp_code_tbl = {
SYMBOL("net-prohibited", ICMP_NET_ANO),
SYMBOL("host-prohibited", ICMP_HOST_ANO),
SYMBOL("admin-prohibited", ICMP_PKT_FILTERED),
+ SYMBOL("frag-needed", ICMP_FRAG_NEEDED),
SYMBOL_LIST_END
},
};
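Review bot: the new "frag-needed" keyword is added to icmp_code_tbl next to net-prohibited, host-prohibited and admin-prohibited, but this commit (diffstat limited to src/datatype.c) shows no matching update to the reject documentation that lists the accepted icmp codes, so the man page entry for `reject with icmp type ...` should gain the new keyword in the same series. The commit message's "[ pablo: update tests/py ]" suggests a tests/py change travels with it; please confirm that test also covers the selected keyword round-tripping through listing, since the symbol table is used for both parsing and printing.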