diff options
| author | Michael Braun <michael-dev@fami-braun.de> | 2020-05-06 11:46:23 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-05-28 00:04:38 +0200 |
| commit | 2a20b5bdbde8a1b510f75b1522772b07e51a77d7 (patch) | |
| tree | d9c0d580bc66489519fea51e522c63426191fe9a /tests | |
| parent | 0c0e0c263b05d5f7340c3a12335f7d27041fc7b6 (diff) | |
datatype: add frag-needed (ipv4) to reject options
This enables to send icmp frag-needed messages using reject target.
I have a bridge with connects an gretap tunnel with some ethernet lan.
On the gretap device I use ignore-df to avoid packets being lost without
icmp reject to the sender of the bridged packet.
Still I want to avoid packet fragmentation with the gretap packets.
So I though about adding an nftables rule like this:
nft insert rule bridge filter FORWARD \
ip protocol tcp \
ip length > 1400 \
ip frag-off & 0x4000 != 0 \
reject with icmp type frag-needed
This would reject all tcp packets with ip dont-fragment bit set that are
bigger than some threshold (here 1400 bytes). The sender would then receive
ICMP unreachable - fragmentation needed and reduce its packet size (as
defined with PMTU).
[ pablo: update tests/py ]
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/py/ip/icmp.t | 4 | ||||
| -rw-r--r-- | tests/py/ip/icmp.t.payload.ip | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t index 6c05fb9d..cb3b3e35 100644 --- a/tests/py/ip/icmp.t +++ b/tests/py/ip/icmp.t @@ -28,8 +28,8 @@ icmp code 33-55;ok icmp code != 33-55;ok icmp code { 33-55};ok icmp code != { 33-55};ok -icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, 4, 33, 54, 56} -icmp code != { prot-unreachable, 4, 33, 54, 56};ok +icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, frag-needed, 33, 54, 56} +icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok icmp checksum 12343 accept;ok icmp checksum != 12343 accept;ok diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip index 27f22207..2185feb8 100644 --- a/tests/py/ip/icmp.t.payload.ip +++ b/tests/py/ip/icmp.t.payload.ip @@ -184,7 +184,7 @@ ip test-ip4 input [ payload load 1b @ transport header + 1 => reg 1 ] [ lookup reg 1 set __set%d ] -# icmp code != { prot-unreachable, 4, 33, 54, 56} +# icmp code != { prot-unreachable, frag-needed, 33, 54, 56} __set%d test-ip4 3 __set%d test-ip4 0 element 00000002 : 0 [end] element 00000004 : 0 [end] element 00000036 : 0 [end] element 00000021 : 0 [end] element 00000038 : 0 [end] |