datatype: add frag-needed (ipv4) to reject options

This enables to send icmp frag-needed messages using reject target.

I have a bridge with connects an gretap tunnel with some ethernet lan.
On the gretap device I use ignore-df to avoid packets being lost without
icmp reject to the sender of the bridged packet.

Still I want to avoid packet fragmentation with the gretap packets.
So I though about adding an nftables rule like this:

nft insert rule bridge filter FORWARD \
  ip protocol tcp \
  ip length > 1400 \
  ip frag-off & 0x4000 != 0 \
  reject with icmp type frag-needed

This would reject all tcp packets with ip dont-fragment bit set that are
bigger than some threshold (here 1400 bytes). The sender would then receive
ICMP unreachable - fragmentation needed and reduce its packet size (as
defined with PMTU).

[ pablo: update tests/py ]

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/data-types.txt b/doc/data-types.txt
index 90e19a8b4d807518af3841e6b20d93865d6018a2..a42a55fae953439e5f0494fa0d3b732f0075a2dc 100644 (file)
--- a/doc/data-types.txt
+++ b/doc/data-types.txt
@@ -254,6 +254,8 @@ The ICMP Code type is used to conveniently specify the ICMP header's code field.
 2
 |port-unreachable|
 3
+|frag-needed|
+4
 |net-prohibited|
 9
 |host-prohibited|

diff --git a/src/datatype.c b/src/datatype.c
index 723ac649ea42b28fca2cfd3b9894a782b548327d..90905258bc307f019199fcb902667f7584d94059 100644 (file)
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -825,6 +825,7 @@ static const struct symbol_table icmp_code_tbl = {
                SYMBOL("net-prohibited",        ICMP_NET_ANO),
                SYMBOL("host-prohibited",       ICMP_HOST_ANO),
                SYMBOL("admin-prohibited",      ICMP_PKT_FILTERED),
+               SYMBOL("frag-needed",           ICMP_FRAG_NEEDED),
                SYMBOL_LIST_END
        },
 };

diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t
index 6c05fb9d0fbca05fb9545fa3c3a5b13445bbb9d4..cb3b3e356964ebfa76678914c4435ca8ef99aa7e 100644 (file)
--- a/tests/py/ip/icmp.t
+++ b/tests/py/ip/icmp.t
@@ -28,8 +28,8 @@ icmp code 33-55;ok
 icmp code != 33-55;ok
 icmp code { 33-55};ok
 icmp code != { 33-55};ok
-icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, 4, 33, 54, 56}
-icmp code != { prot-unreachable, 4, 33, 54, 56};ok
+icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, frag-needed, 33, 54, 56}
+icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok
 
 icmp checksum 12343 accept;ok
 icmp checksum != 12343 accept;ok

diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
index 27f222072d5dcace723494327a4c04e5bb92eaba..2185feb81021c6843c1387e0fd2512ecb1798a8e 100644 (file)
--- a/tests/py/ip/icmp.t.payload.ip
+++ b/tests/py/ip/icmp.t.payload.ip
@@ -184,7 +184,7 @@ ip test-ip4 input
   [ payload load 1b @ transport header + 1 => reg 1 ]
   [ lookup reg 1 set __set%d ]
 
-# icmp code != { prot-unreachable, 4, 33, 54, 56}
+# icmp code != { prot-unreachable, frag-needed, 33, 54, 56}
 __set%d test-ip4 3
 __set%d test-ip4 0
        element 00000002  : 0 [end]     element 00000004  : 0 [end]     element 00000036  : 0 [end]     element 00000021  : 0 [end]     element 00000038  : 0 [end]