On Fri, Jun 19, 2020 at 03:45:57PM +0200, Eugene Crosser wrote: > On 6/16/20 6:33 PM, Jan Engelhardt wrote: > > >>> Why not make a patch to publicly expose the skb's data via nft_meta? > >>> No more custom modules, no more userspace modifications [..] > >> > >> For our particular use case, we are running the skb through the kernel > >> function `skb_validate_network_len()` with custom mtu size [..] > > > > I find no such function in the current or past kernels. Perhaps you could post > > the code of the module(s) you already have, and we can assess if it, or the > > upstream ideals, can be massaged to make the code stick. > > I really really don't see our module being useful for anyone else! Even > for us, it's just a stopgap measure, hopefully to be dropped after a few > months. That said, I believe that the company will have no objections > against publishing it. I've uploaded initial (untested) code on github > here https://github.com/crosser/ebt-pmtud, in case anyone is interested. I think there is a way to achieve this with nft 0.9.6 ? commit 2a20b5bdbde8a1b510f75b1522772b07e51a77d7 Author: Michael Braun <...> Date: Wed May 6 11:46:23 2020 +0200 datatype: add frag-needed (ipv4) to reject options This enables to send icmp frag-needed messages using reject target. I have a bridge with connects an gretap tunnel with some ethernet lan. On the gretap device I use ignore-df to avoid packets being lost without icmp reject to the sender of the bridged packet. Still I want to avoid packet fragmentation with the gretap packets. So I though about adding an nftables rule like this: nft insert rule bridge filter FORWARD \ ip protocol tcp \ ip length > 1400 \ ip frag-off & 0x4000 != 0 \ reject with icmp type frag-needed This would reject all tcp packets with ip dont-fragment bit set that are bigger than some threshold (here 1400 bytes). The sender would then receive ICMP unreachable - fragmentation needed and reduce its packet size (as defined with PMTU).
