From 2a20b5bdbde8a1b510f75b1522772b07e51a77d7 Mon Sep 17 00:00:00 2001
From: Michael Braun
Date: Wed, 6 May 2020 11:46:23 +0200
Subject: datatype: add frag-needed (ipv4) to reject options

This enables to send icmp frag-needed messages using reject target.

I have a bridge with connects an gretap tunnel with some ethernet lan. On the gretap device I use ignore-df to avoid packets being lost without icmp reject to the sender of the bridged packet. Still I want to avoid packet fragmentation with the gretap packets. So I though about adding an nftables rule like this:

nft insert rule bridge filter FORWARD \
ip protocol tcp \
ip length > 1400 \
ip frag-off & 0x4000 != 0 \
reject with icmp type frag-needed

This would reject all tcp packets with ip dont-fragment bit set that are bigger than some threshold (here 1400 bytes). The sender would then receive ICMP unreachable - fragmentation needed and reduce its packet size (as defined with PMTU).

[ pablo: update tests/py ]

Signed-off-by: Michael Braun
Signed-off-by: Pablo Neira Ayuso
---
 doc/data-types.txt | 2 ++
 src/datatype.c | 1 +
 tests/py/ip/icmp.t | 4 ++--
 tests/py/ip/icmp.t.payload.ip | 2 +-
 4 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/doc/data-types.txt b/doc/data-types.txt
index 90e19a8b..a42a55fa 100644
--- a/doc/data-types.txt
+++ b/doc/data-types.txt
@@ -254,6 +254,8 @@ The ICMP Code type is used to conveniently specify the ICMP header's code field.
 2
 |port-unreachable|
 3
+|frag-needed|
+4
 |net-prohibited|
 9
 |host-prohibited|
diff --git a/src/datatype.c b/src/datatype.c
index 723ac649..90905258 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -825,6 +825,7 @@ static const struct symbol_table icmp_code_tbl = {
 SYMBOL("net-prohibited", ICMP_NET_ANO),
 SYMBOL("host-prohibited", ICMP_HOST_ANO),
 SYMBOL("admin-prohibited", ICMP_PKT_FILTERED),
+SYMBOL("frag-needed", ICMP_FRAG_NEEDED),
 SYMBOL_LIST_END
 },
 };
diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t
index 6c05fb9d..cb3b3e35 100644
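Review bot: The new `SYMBOL("frag-needed", ICMP_FRAG_NEEDED)` entry is appended after admin-prohibited, which breaks the ascending-by-code order the neighbouring entries follow (net-prohibited, host-prohibited, admin-prohibited); placing it after the port-unreachable entry would keep the table aligned with the doc table in this same commit, which lists frag-needed as code 4. The icmp_code_tbl initializer starts outside the hunk, so the earlier entries are not visible here. Ordering presumably does not affect lookup, and the updated tests/py expectation shows that code 4 was previously printed numerically, so no duplicate value for 4 appears to be introduced. Worth noting in the commit message that this table is shared with the `icmp code` match, not only with reject, as the test change demonstrates.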
--- a/tests/py/ip/icmp.t
+++ b/tests/py/ip/icmp.t
@@ -28,8 +28,8 @@ icmp code 33-55;ok
 icmp code != 33-55;ok
 icmp code { 33-55};ok
 icmp code != { 33-55};ok
-icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, 4, 33, 54, 56}
-icmp code != { prot-unreachable, 4, 33, 54, 56};ok
+icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, frag-needed, 33, 54, 56}
+icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok
 
 icmp checksum 12343 accept;ok
 icmp checksum != 12343 accept;ok
diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
index 27f22207..2185feb8 100644
--- a/tests/py/ip/icmp.t.payload.ip
+++ b/tests/py/ip/icmp.t.payload.ip
@@ -184,7 +184,7 @@ ip test-ip4 input
 [ payload load 1b @ transport header + 1 => reg 1 ]
 [ lookup reg 1 set __set%d ]
 
-# icmp code != { prot-unreachable, 4, 33, 54, 56}
+# icmp code != { prot-unreachable, frag-needed, 33, 54, 56}
 __set%d test-ip4 3
 __set%d test-ip4 0
 element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000036 : 0 [end] element 00000021 : 0 [end] element 00000038 : 0 [end]
-- 
cgit v1.2.3
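Review bot: The changed expectation on the `+` lines shows that listing output for existing rulesets changes: an `icmp code` set element with value 4 is now printed as `frag-needed` where it was printed as `4` before. That is the intended effect of a new symbol, but any tooling that parses `nft list ruleset` output and matches the numeric form will see a different string after this change, so the commit message should mention the listing change. The unchanged left-hand side `icmp code { 2, 4, 54, 33, 56}` shows numeric input is still accepted, so rulesets themselves keep loading.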