rt: add path mtu support

Only use case is to allow similar behaviour to iptables
TCPMSS --clamp-mss-to-pmtu, by combining this with exthdr statement:

tcp option maxseg size set rt mtu

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/nft.xml b/doc/nft.xml
index d3213d0281e1ec445fecd144b70668b85e0c3b2e..4e2730f698cb8dc67ebeff194b2923255fed96bd 100644 (file)
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2836,6 +2836,11 @@ filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole :
                                                                <entry>Routing nexthop</entry>
                                                                <entry>ipv4_addr/ipv6_addr</entry>
                                                        </row>
+                                                       <row>
+                                                               <entry>mtu</entry>
+                                                               <entry>TCP maximum segment size of route</entry>
+                                                               <entry>integer (16 bit)</entry>
+                                                       </row>
                                                </tbody>
                                        </tgroup>
                                </table>
@@ -4270,6 +4275,8 @@ ip forward ip dscp set 42
                                        <title>change tcp mss</title>
                                        <programlisting>
 tcp option maxseg size set 1360
+# set a size based on route information:
+tcp option maxseg size set rt mtu
                                        </programlisting>
                                </example>
                        </para>

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 40096de04e96311114e27d775dfc7d189d8e7ad6..5441b190852f076b8e4ff1de70b4e0e3c362cf50 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -813,6 +813,7 @@ enum nft_rt_keys {
        NFT_RT_CLASSID,
        NFT_RT_NEXTHOP4,
        NFT_RT_NEXTHOP6,
+       NFT_RT_TCPMSS,
 };
 
 /**

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 7898ea3fe7bc7ea68f0085cad65f068319cc2a7f..18be53e88c77dbfe88fe12c90e0da1144db71b3c 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3094,6 +3094,7 @@ rt_expr                   :       RT      rt_key
 
 rt_key                 :       CLASSID         { $$ = NFT_RT_CLASSID; }
                        |       NEXTHOP         { $$ = NFT_RT_NEXTHOP4; }
+                       |       MTU             { $$ = NFT_RT_TCPMSS; }
                        ;
 
 ct_expr                        :       CT      ct_key

diff --git a/src/rt.c b/src/rt.c
index cd2d5a4ed7b95c44a02a46ec44d73404b0665eab..91be5a11c5a2872ab5a93048a1492e737554fa78 100644 (file)
--- a/src/rt.c
+++ b/src/rt.c
@@ -73,6 +73,11 @@ static const struct rt_template rt_templates[] = {
                                              16 * BITS_PER_BYTE,
                                              BYTEORDER_BIG_ENDIAN,
                                              true),
+       [NFT_RT_TCPMSS]         = RT_TEMPLATE("mtu",
+                                             &integer_type,
+                                             2 * BITS_PER_BYTE,
+                                             BYTEORDER_HOST_ENDIAN,
+                                             false),
 };
 
 static void rt_expr_print(const struct expr *expr, struct output_ctx *octx)