From 2a20b5bdbde8a1b510f75b1522772b07e51a77d7 Mon Sep 17 00:00:00 2001
From: Michael Braun
Date: Wed, 6 May 2020 11:46:23 +0200
Subject: datatype: add frag-needed (ipv4) to reject options

This enables sending icmp frag-needed messages using the reject target.

I have a bridge which connects a gretap tunnel with some ethernet lan. On the gretap device I use ignore-df to avoid packets being lost without icmp reject to the sender of the bridged packet. Still I want to avoid packet fragmentation with the gretap packets.

So I thought about adding an nftables rule like this:

  nft insert rule bridge filter FORWARD \
      ip protocol tcp \
      ip length > 1400 \
      ip frag-off & 0x4000 != 0 \
      reject with icmp type frag-needed

This would reject all tcp packets with the ip dont-fragment bit set that are bigger than some threshold (here 1400 bytes). The sender would then receive ICMP unreachable - fragmentation needed and reduce its packet size (as defined with PMTU).

[ pablo: update tests/py ]

Signed-off-by: Michael Braun
Signed-off-by: Pablo Neira Ayuso
---
 doc/data-types.txt | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'doc/data-types.txt')

diff --git a/doc/data-types.txt b/doc/data-types.txt
index 90e19a8b..a42a55fa 100644
--- a/doc/data-types.txt
+++ b/doc/data-types.txt
@@ -254,6 +254,8 @@ The ICMP Code type is used to conveniently specify the ICMP header's code field.
 2
 |port-unreachable|
 3
+|frag-needed|
+4
 |net-prohibited|
 9
 |host-prohibited|
-- 
cgit v1.2.3
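Review bot: the new `|frag-needed|` / `4` row in the ICMP Code table only records the code number; nothing in this hunk says what Next-Hop MTU value (RFC 1191, bytes 6-7 of the ICMP header) a `reject with icmp type frag-needed` puts into the message, yet the commit message's whole use case depends on the sender reading that field to shrink its packets. Please add a sentence here, or in the reject statement's documentation, stating which MTU is reported (the outgoing interface's MTU, or 0, which RFC 1191 hosts treat as "router predates PMTUD" and fall back to a plateau table), so users of the bridge rule in the commit message know what the peer will actually see. The number itself is right: code 4 under type 3 is "fragmentation needed and DF set" in RFC 792, consistent with the neighbouring `port-unreachable` = 3 and `net-prohibited` = 9 rows.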
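The commit message describes a match (TCP, IP length above a threshold, DF bit set) followed by an ICMP type 3 / code 4 reply that the sender uses for PMTU discovery. The block below is an added example, not code from this commit or from the nftables project: it models that rule's match on a constructed IPv4/TCP packet, builds the resulting ICMP "fragmentation needed" message with an RFC 1071 checksum and an RFC 1191 Next-Hop MTU, and parses it back the way a receiving host would. The code-name table is taken from RFC 792 using nftables' naming; the packet bytes, the function names and the chosen link MTU of 1400 are assumptions for illustration.

```python
"""Model of `ip protocol tcp; ip length > N; ip frag-off & 0x4000 != 0;
reject with icmp type frag-needed` and of the ICMP message it produces.

Added example (not from the nftables commit above). All packet bytes
are constructed inline; the IPv4 header checksum is left at 0 because
the rule never looks at it.
"""
import struct

ICMP_DEST_UNREACH = 3
# Destination-unreachable codes per RFC 792, named as nftables names them.
# "frag-needed" = 4 is the row this commit adds to doc/data-types.txt.
ICMP_CODES = {
    "net-unreachable": 0,
    "host-unreachable": 1,
    "prot-unreachable": 2,
    "port-unreachable": 3,
    "frag-needed": 4,
    "net-prohibited": 9,
    "host-prohibited": 10,
    "admin-prohibited": 13,
}
CODE_NAMES = {v: k for k, v in ICMP_CODES.items()}
IP_DF = 0x4000  # DF bit inside the 16-bit flags/fragment-offset field


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose
    embedded checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4_tcp(total_len: int, df: bool, proto: int = 6) -> bytes:
    """Constructed IPv4 packet (no options) with a 20-byte TCP-shaped L4
    header and zero padding up to total_len. Only version/IHL, total length,
    flags and protocol are meaningful for the rule."""
    flags_frag = IP_DF if df else 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                         64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    l4_hdr = struct.pack("!HHLLBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0)
    payload = b"\x00" * max(0, total_len - len(ip_hdr) - len(l4_hdr))
    return ip_hdr + l4_hdr + payload


def should_reject(ip_packet: bytes, threshold: int = 1400) -> bool:
    """The three match expressions from the commit message's rule."""
    _ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", ip_packet[:8])
    proto = ip_packet[9]
    return proto == 6 and total_len > threshold and (flags_frag & IP_DF) != 0


def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """ICMP type 3 / code 4 quoting the original IP header plus 8 bytes
    (RFC 792); the Next-Hop MTU field (RFC 1191) tells the sender what
    size will get through."""
    ihl = (original[0] & 0x0F) * 4
    quoted = original[:ihl + 8]
    code = ICMP_CODES["frag-needed"]
    unchecked = struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, next_hop_mtu) + quoted
    csum = checksum(unchecked)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, csum, 0, next_hop_mtu) + quoted


def verify_checksum(msg: bytes) -> bool:
    """True if the ICMP checksum covers the message correctly."""
    return len(msg) >= 8 and checksum(msg) == 0


def parse_dest_unreach(msg: bytes) -> dict:
    """Receiver-side view: validate, then extract code name, Next-Hop MTU
    and how much of the offending datagram was quoted back."""
    if not verify_checksum(msg):
        raise ValueError("bad ICMP checksum or truncated message")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not a destination-unreachable message")
    info = {"code": code, "name": CODE_NAMES.get(code, str(code)),
            "next_hop_mtu": mtu, "quoted_len": len(msg) - 8}
    # RFC 1191 section 5: MTU 0 means the sender of the ICMP predates PMTUD,
    # so a host must fall back to the plateau table rather than trust the field.
    info["mtu_usable"] = code == ICMP_CODES["frag-needed"] and mtu != 0
    return info


def simulate_rule(ip_packet: bytes, link_mtu: int = 1400):
    """What the bridged sender gets back: None (packet forwarded) or the
    ICMP frag-needed message the reject statement would emit."""
    if not should_reject(ip_packet, threshold=link_mtu):
        return None
    return build_frag_needed(link_mtu, ip_packet)


if __name__ == "__main__":
    reply = simulate_rule(make_ipv4_tcp(1500, df=True))
    print(parse_dest_unreach(reply))
```

`simulate_rule` returns a message for a 1500-byte DF TCP packet and `None` for the same packet without DF, for one under the threshold, or for a non-TCP protocol, mirroring the three match expressions in the commit message. The reported MTU is a parameter here because the page does not say which value the real reject statement fills in.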