From 2a20b5bdbde8a1b510f75b1522772b07e51a77d7 Mon Sep 17 00:00:00 2001
From: Michael Braun
Date: Wed, 6 May 2020 11:46:23 +0200
Subject: datatype: add frag-needed (ipv4) to reject options

This enables sending icmp frag-needed messages using the reject target.

I have a bridge which connects a gretap tunnel with some ethernet lan. On the gretap device I use ignore-df to avoid packets being lost without icmp reject to the sender of the bridged packet. Still I want to avoid packet fragmentation with the gretap packets. So I thought about adding an nftables rule like this:

nft insert rule bridge filter FORWARD \
    ip protocol tcp \
    ip length > 1400 \
    ip frag-off & 0x4000 != 0 \
    reject with icmp type frag-needed

This would reject all tcp packets with the ip dont-fragment bit set that are bigger than some threshold (here 1400 bytes). The sender would then receive ICMP unreachable - fragmentation needed and reduce its packet size (as defined with PMTU).

[ pablo: update tests/py ]

Signed-off-by: Michael Braun
Signed-off-by: Pablo Neira Ayuso
---
 src/datatype.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/datatype.c')

diff --git a/src/datatype.c b/src/datatype.c
index 723ac649..90905258 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -825,6 +825,7 @@ static const struct symbol_table icmp_code_tbl = {
 SYMBOL("net-prohibited", ICMP_NET_ANO),
 SYMBOL("host-prohibited", ICMP_HOST_ANO),
 SYMBOL("admin-prohibited", ICMP_PKT_FILTERED),
+ SYMBOL("frag-needed", ICMP_FRAG_NEEDED),
 SYMBOL_LIST_END
 },
};
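Review bot: the new `SYMBOL("frag-needed", ICMP_FRAG_NEEDED)` entry in `icmp_code_tbl` is consistent with its neighbours, but the change is undocumented: the user-facing list of accepted `reject with icmp type` values (the nft man page) should gain `frag-needed` in the same series so users discover the option, and the commit message should say whether the generated unreachable message carries a next-hop MTU hint, because the justification ("reduce its packet size (as defined with PMTU)") depends on the receiver having something to act on. A test exercising `reject with icmp type frag-needed` is mentioned in the message (`[ pablo: update tests/py ]`) but is outside this filtered view, so it cannot be checked here.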