* [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge
From: Michael Braun @ 2020-05-06 9:46 UTC (permalink / raw)
To: netfilter-devel; +Cc: Michael Braun
Hi,
I have a bridge which connects a gretap tunnel with some ethernet LAN.
On the gretap device I use ignore-df to avoid packets being lost without
icmp reject to the sender of the bridged packet.
Still I want to avoid packet fragmentation with the gretap packets.
So I thought about adding an nftables rule like this:
nft insert rule bridge filter FORWARD \
ip protocol tcp \
ip length > 1400 \
ip frag-off & 0x4000 != 0 \
reject with icmp type frag-needed
This would reject all tcp packets with ip dont-fragment bit set that are
bigger than some threshold (here 1400 bytes). The sender would then receive
ICMP unreachable - fragmentation needed and reduce its packet size (as
defined with PMTU).
This patch series
1. adds frag-needed ipv4 flag to nftables
2. enables to use this with bridge vlans.
For IPv6, this would need ICMPV6_PKT_TOOBIG instead of ICMPV6_DEST_UNREACH
in nft_reject_br_send_v6_unreach, so this is not part of this series.
Regards,
M. Braun
--
2.20.1
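As an added, constructed example (not code from this thread, from nftables or from the kernel), the following Python models what the rule in the cover letter does on a frame passing the bridge FORWARD hook: the match on TCP, IPv4 total length and the DF bit, the ICMP type 3 / code 4 reply the sender gets back, and, going beyond the cover letter into what patches 2/3 and 3/3 are about, the 802.1Q tag mirrored onto the reject frame. Two facts about the rule are worth making explicit: nft's `ip length` is the IPv4 total-length field, and `ip frag-off` is the whole 16-bit flags+fragment-offset word, which is why `& 0x4000` tests the don't-fragment bit. The addresses, MAC addresses, the 1400-byte threshold and the next-hop MTU value are assumptions; the kernel's bridge reject path builds its own ICMP payload and this model does not claim to reproduce its exact field values. One caveat a practitioner should check: RFC 1191 tells hosts to fall back to a plateau table when the next-hop MTU field in the reply is zero, so verify what the reject on your kernel actually puts there before relying on the sender converging quickly.

```python
"""Constructed model of the cover letter's bridge reject rule and its ICMP reply."""
import socket
import struct

# nft's `ip frag-off` is the whole 16-bit flags/offset word; 0x4000 is DF.
DF_FLAG = 0x4000
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4          # type 3 / code 4 = "frag-needed"
ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, df: bool = True) -> bytes:
    """Minimal IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                      DF_FLAG if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": (f[0] & 0x0F) * 4, "total_len": f[2], "frag_off": f[4],
            "proto": f[6], "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9])}


def rule_matches(ip_pkt: bytes, threshold: int = 1400) -> bool:
    """ip protocol tcp  ip length > <threshold>  ip frag-off & 0x4000 != 0"""
    h = parse_ipv4(ip_pkt)
    return (h["proto"] == IPPROTO_TCP and h["total_len"] > threshold
            and (h["frag_off"] & DF_FLAG) != 0)


def build_frag_needed(orig_ip: bytes, reply_src: str, next_hop_mtu: int) -> bytes:
    """ICMP destination unreachable / fragmentation needed (RFC 792 + RFC 1191).

    Quotes the original IP header plus 8 payload bytes; the next-hop MTU sits in
    the low half of the otherwise unused word. Sent with DF clear so the reply
    itself can never re-trigger the same rule."""
    h = parse_ipv4(orig_ip)
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    icmp += orig_ip[: h["ihl"] + 8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(reply_src, h["src"], IPPROTO_ICMP, icmp, df=False)


def parse_icmp(ip_pkt: bytes) -> dict:
    icmp = ip_pkt[parse_ipv4(ip_pkt)["ihl"]:]
    return {"type": icmp[0], "code": icmp[1], "mtu": struct.unpack("!H", icmp[6:8])[0],
            "checksum_ok": inet_checksum(icmp) == 0, "quoted": icmp[8:]}


def build_frame(src_mac: bytes, dst_mac: bytes, ip_pkt: bytes, vlan_tci=None) -> bytes:
    """Ethernet II frame, 802.1Q-tagged when a TCI (PCP|DEI|VID) is given."""
    eth = dst_mac + src_mac
    if vlan_tci is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_tci)
    return eth + struct.pack("!H", ETH_P_IP) + ip_pkt


def parse_frame(frame: bytes) -> dict:
    ethertype, tci, off = struct.unpack("!H", frame[12:14])[0], None, 14
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        off = 18
    return {"dst": frame[:6], "src": frame[6:12], "tci": tci,
            "ethertype": ethertype, "payload": frame[off:]}


def bridge_reject(frame: bytes, reply_src: str, mtu: int, threshold: int = 1400):
    """Apply the rule to one bridged frame; return the reject frame or None.

    The reply swaps the MAC addresses and keeps the original 802.1Q tag, which
    is the behaviour patch 3/3 adds to the kernel's bridge reject."""
    f = parse_frame(frame)
    if f["ethertype"] != ETH_P_IP or not rule_matches(f["payload"], threshold):
        return None
    reply_ip = build_frag_needed(f["payload"], reply_src, mtu)
    return build_frame(f["dst"], f["src"], reply_ip, vlan_tci=f["tci"])
```

`bridge_reject()` returns None for anything the rule would let through (non-IPv4, non-TCP, DF clear, or total length at or below the threshold); only the DF-set oversize TCP segment produces a tagged reject frame whose ICMP quotes the offending header, which is what a PMTUD-capable sender needs to lower its segment size.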
* [PATCH 1/3] nftables: add frag-needed (ipv4) to reject options
From: Michael Braun @ 2020-05-06 9:46 UTC (permalink / raw)
To: netfilter-devel; +Cc: Michael Braun
This enables sending ICMP frag-needed messages using the reject target.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
doc/data-types.txt | 2 ++
src/datatype.c | 1 +
2 files changed, 3 insertions(+)
diff --git a/doc/data-types.txt b/doc/data-types.txt
index 90e19a8b..a42a55fa 100644
--- a/doc/data-types.txt
+++ b/doc/data-types.txt
@@ -254,6 +254,8 @@ The ICMP Code type is used to conveniently specify the ICMP header's code field.
2
|port-unreachable|
3
+|frag-needed|
+4
|net-prohibited|
9
|host-prohibited|
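Review bot: the commit message frames this as a reject-target addition, but the hunk's own context line says this table defines the ICMP Code type used for the ICMP header's code field in general, so a match such as `icmp code frag-needed` becomes valid as well; a sentence in the commit message saying so would save the next reader from checking. The placement of the new `|frag-needed|` / `4` rows between port-unreachable (3) and net-prohibited (9) keeps the table in numeric order, which is right.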
diff --git a/src/datatype.c b/src/datatype.c
index b305bf60..7d652ff2 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -825,6 +825,7 @@ static const struct symbol_table icmp_code_tbl = {
SYMBOL("net-prohibited", ICMP_NET_ANO),
SYMBOL("host-prohibited", ICMP_HOST_ANO),
SYMBOL("admin-prohibited", ICMP_PKT_FILTERED),
+ SYMBOL("frag-needed", ICMP_FRAG_NEEDED),
SYMBOL_LIST_END
},
};
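Review bot: the new `SYMBOL("frag-needed", ICMP_FRAG_NEEDED)` is appended after admin-prohibited (ICMP_PKT_FILTERED, code 13) although ICMP_FRAG_NEEDED is code 4; the doc table in this same patch inserts frag-needed in numeric order between port-unreachable (3) and net-prohibited (9). Move the line up next to the port-unreachable entry so the symbol table and the documentation list the codes in the same order.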
--
2.20.1
* [PATCH 2/3] nftables: enable reject with 802.1q
From: Michael Braun @ 2020-05-06 9:46 UTC (permalink / raw)
To: netfilter-devel; +Cc: Michael Braun
This enables the use of nft bridge reject with bridge vlan filtering.
It depends on a kernel patch to make the kernel preserve the
vlan id in nft bridge reject generation.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
src/evaluate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index ec96dd58..20849ef3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2635,7 +2635,7 @@ static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt,
const struct proto_desc *desc;
desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
- if (desc != &proto_eth)
+ if (desc != &proto_eth && desc != &proto_vlan)
return stmt_binary_error(ctx,
&ctx->pctx.protocol[PROTO_BASE_LL_HDR],
stmt, "unsupported link layer protocol");
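Review bot: relaxing this check to accept proto_vlan has no way of telling whether the running kernel carries the companion fix; on a kernel without it the rule is now accepted and, as the 3/3 commit message describes, the reject frames go out untagged. State the kernel dependency in the commit message and, ideally, in the man page text for reject in the bridge family, since userspace cannot enforce it here.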
--
2.20.1
* [PATCH 3/3] netfilter: enable reject with bridge vlan
From: Michael Braun @ 2020-05-06 9:46 UTC (permalink / raw)
To: netfilter-devel; +Cc: Michael Braun
Currently, using the bridge reject target with tagged packets
results in untagged packets being sent back.
Fix this by mirroring the vlan id as well.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
net/bridge/netfilter/nft_reject_bridge.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
index b325b569e761..f48cf4cfb80f 100644
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -31,6 +31,12 @@ static void nft_reject_br_push_etherhdr(struct sk_buff *oldskb,
ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source);
eth->h_proto = eth_hdr(oldskb)->h_proto;
skb_pull(nskb, ETH_HLEN);
+
+ if (skb_vlan_tag_present(oldskb)) {
+ u16 vid = skb_vlan_tag_get(oldskb);
+
+ __vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid);
+ }
}
static int nft_bridge_iphdr_validate(struct sk_buff *skb)
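Review bot: `skb_vlan_tag_get(oldskb)` returns the full 16-bit TCI (PCP, DEI and VID), not only the VLAN id, so the local name `vid` and the commit message's "mirroring the vlan id" understate what is copied. If carrying the original priority bits over to the reject frame is intended, which seems reasonable, rename the variable to `vlan_tci` and say so; if only the id should be mirrored, use `skb_vlan_tag_get_id(oldskb)` instead.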
--
2.20.1
* Re: [PATCH 3/3] netfilter: enable reject with bridge vlan
From: Pablo Neira Ayuso @ 2020-05-25 18:40 UTC (permalink / raw)
To: Michael Braun; +Cc: netfilter-devel
On Wed, May 06, 2020 at 11:46:25AM +0200, Michael Braun wrote:
> Currently, using the bridge reject target with tagged packets
> results in untagged packets being sent back.
>
> Fix this by mirroring the vlan id as well.
Applied, thanks.
* Re: [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge
From: Pablo Neira Ayuso @ 2020-05-27 21:39 UTC (permalink / raw)
To: Michael Braun; +Cc: netfilter-devel
On Wed, May 06, 2020 at 11:46:22AM +0200, Michael Braun wrote:
> Hi,
>
> I have a bridge which connects a gretap tunnel with some ethernet LAN.
> On the gretap device I use ignore-df to avoid packets being lost without
> icmp reject to the sender of the bridged packet.
>
> Still I want to avoid packet fragmentation with the gretap packets.
> So I thought about adding an nftables rule like this:
>
> nft insert rule bridge filter FORWARD \
> ip protocol tcp \
> ip length > 1400 \
> ip frag-off & 0x4000 != 0 \
> reject with icmp type frag-needed
>
> This would reject all tcp packets with ip dont-fragment bit set that are
> bigger than some threshold (here 1400 bytes). The sender would then receive
> ICMP unreachable - fragmentation needed and reduce its packet size (as
> defined with PMTU).
Patches 1 and 2 are applied, thanks.
Patch 3 has been merged upstream as a bugfix since VLAN should be
preserved in any reject case.