Message ID | 20170720190610.6886-1-philipp@redfish-solutions.com |
---|---|
State | Accepted, archived |
Delegated to: | stephen hemminger |
On Thu, 20 Jul 2017 13:06:10 -0600 "Philip Prindeville" <philipp@redfish-solutions.com> wrote:

> From: Philip Prindeville <philipp@redfish-solutions.com>
>
> In the presence of firewalls which improperly block ICMP Unreachable
> (including Fragmentation Required) messages, Path MTU Discovery is
> prevented from working.
>
> The workaround is to handle IPv4 payloads opaquely, ignoring the DF
> bit.
>
> Kernel commit 22a59be8b7693eb2d0897a9638f5991f2f8e4ddd ("net: ipv4:
> Add ability to have GRE ignore DF bit in IPv4 payloads") is
> complemented by this user-space changeset which exposes control of
> this setting.
>
> Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
> Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Applied, thanks Philip
> On Jul 20, 2017, at 6:26 PM, Stephen Hemminger <stephen@networkplumber.org> wrote:
>
> On Thu, 20 Jul 2017 13:06:10 -0600
> "Philip Prindeville" <philipp@redfish-solutions.com> wrote:
>
>> From: Philip Prindeville <philipp@redfish-solutions.com>
>>
>> In the presence of firewalls which improperly block ICMP Unreachable
>> (including Fragmentation Required) messages, Path MTU Discovery is
>> prevented from working.
>>
>> The workaround is to handle IPv4 payloads opaquely, ignoring the DF
>> bit.
>>
>> Kernel commit 22a59be8b7693eb2d0897a9638f5991f2f8e4ddd ("net: ipv4:
>> Add ability to have GRE ignore DF bit in IPv4 payloads") is
>> complemented by this user-space changeset which exposes control of
>> this setting.
>>
>> Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
>> Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
>
> Applied, thanks Philip

Thanks! Sorry I didn’t realize that the first submission a year ago hadn’t been applied and it took me this long to redux and resubmit it.

Michele: hopefully this comes out in your distro-of-choice fairly soon. Like I said, I thought this had already been rolled in.

-Philip
Guys, thanks heaps for this, much appreciated!

Cheers.
Mike

-----Original Message-----
From: Philip Prindeville [mailto:philipp@redfish-solutions.com]
Sent: Friday, 21 July 2017 10:35 AM
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: netdev@vger.kernel.org; Michele Lucini <mlucini@safearea.com.au>
Subject: Re: [PATCH v3] iproute2: add support for GRE ignore-df knob

> On Jul 20, 2017, at 6:26 PM, Stephen Hemminger <stephen@networkplumber.org> wrote:
>
> On Thu, 20 Jul 2017 13:06:10 -0600
> "Philip Prindeville" <philipp@redfish-solutions.com> wrote:
>
>> From: Philip Prindeville <philipp@redfish-solutions.com>
>>
>> In the presence of firewalls which improperly block ICMP Unreachable
>> (including Fragmentation Required) messages, Path MTU Discovery is
>> prevented from working.
>>
>> The workaround is to handle IPv4 payloads opaquely, ignoring the DF
>> bit.
>>
>> Kernel commit 22a59be8b7693eb2d0897a9638f5991f2f8e4ddd ("net: ipv4:
>> Add ability to have GRE ignore DF bit in IPv4 payloads") is
>> complemented by this user-space changeset which exposes control of
>> this setting.
>>
>> Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
>> Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
>
> Applied, thanks Philip

Thanks! Sorry I didn’t realize that the first submission a year ago hadn’t been applied and it took me this long to redux and resubmit it.

Michele: hopefully this comes out in your distro-of-choice fairly soon. Like I said, I thought this had already been rolled in.

-Philip
diff --git a/doc/ip-cref.tex b/doc/ip-cref.tex index 242cc266b7acd34adcf390e6272944e333d6160e..179baa2fb75e7013274f030d6ae47a0c64ff728a 100644 --- a/doc/ip-cref.tex +++ b/doc/ip-cref.tex @@ -2524,6 +2524,13 @@ It must be an address on another interface of this host. It is enabled by default. Note that a fixed ttl is incompatible with this option: tunnelling with a fixed ttl always makes pmtu discovery. +\item \verb|ignore-df| + +--- (only GRE tunnels) enable IPv4 DF flag suppression on this tunnel. + If is disabled by default. Enabling this option will cause IPv4 + payloads to be handled like any other GRE payload, + regardless of the DF flag. + \item \verb|key K|, \verb|ikey K|, \verb|okey K| --- (only GRE tunnels) use keyed GRE with key \verb|K|. \verb|K| is diff --git a/ip/link_gre.c b/ip/link_gre.c index 82df900614bfdb1aa53985e1d36d4b99d4990291..c2ec5f26902ffc27b1f8aad1a67ed52964a53610 100644 --- a/ip/link_gre.c +++ b/ip/link_gre.c @@ -34,6 +34,7 @@ static void print_usage(FILE *f) " [ ttl TTL ]\n" " [ tos TOS ]\n" " [ [no]pmtudisc ]\n" + " [ [no]ignore-df ]\n" " [ dev PHYS_DEV ]\n" " [ noencap ]\n" " [ encap { fou | gue | none } ]\n" @@ -93,6 +94,7 @@ static int gre_parse_opt(struct link_util *lu, int argc, char **argv, __u16 encapsport = 0; __u16 encapdport = 0; __u8 metadata = 0; + __u8 ignore_df = 0; __u32 fwmark = 0; if (!(n->nlmsg_flags & NLM_F_CREATE)) { @@ -164,6 +166,10 @@ get_failed: if (greinfo[IFLA_GRE_COLLECT_METADATA]) metadata = 1; + if (greinfo[IFLA_GRE_IGNORE_DF]) + ignore_df = + !!rta_getattr_u8(greinfo[IFLA_GRE_IGNORE_DF]); + if (greinfo[IFLA_GRE_FWMARK]) fwmark = rta_getattr_u32(greinfo[IFLA_GRE_FWMARK]); } 
@@ -311,6 +317,13 @@ get_failed: encapflags |= ~TUNNEL_ENCAP_FLAG_REMCSUM; } else if (strcmp(*argv, "external") == 0) { metadata = 1; + } else if (strcmp(*argv, "ignore-df") == 0) { + ignore_df = 1; + } else if (strcmp(*argv, "noignore-df") == 0) { + /* + *only the lsb is significant, use 2 for presence + */ + ignore_df = 2; } else if (strcmp(*argv, "fwmark") == 0) { NEXT_ARG(); if (get_u32(&fwmark, *argv, 0)) @@ -355,6 +368,9 @@ get_failed: addattr16(n, 1024, IFLA_GRE_ENCAP_SPORT, htons(encapsport)); addattr16(n, 1024, IFLA_GRE_ENCAP_DPORT, htons(encapdport)); + if (ignore_df) + addattr8(n, 1024, IFLA_GRE_IGNORE_DF, ignore_df & 1); + return 0; } @@ -454,6 +470,9 @@ static void gre_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[]) else fputs("external ", f); + if (tb[IFLA_GRE_IGNORE_DF] && rta_getattr_u8(tb[IFLA_GRE_IGNORE_DF])) + fputs("ignore-df ", f); + if (tb[IFLA_GRE_ENCAP_TYPE] && rta_getattr_u16(tb[IFLA_GRE_ENCAP_TYPE]) != TUNNEL_ENCAP_NONE) { __u16 type = rta_getattr_u16(tb[IFLA_GRE_ENCAP_TYPE]); diff --git a/man/man8/ip-tunnel.8 b/man/man8/ip-tunnel.8 index 4938c7405ce850c0774837b8654cfe236344319c..7ddbffb23cff1b01a348f3b664d578ccaa8a52cb 100644 --- a/man/man8/ip-tunnel.8 +++ b/man/man8/ip-tunnel.8 @@ -49,6 +49,7 @@ ip-tunnel - tunnel configuration .BR 6rd-reset " ]" .br .RB "[ [" no "]" pmtudisc " ]" +.RB "[ [" no "]" ignore-df " ]" .RB "[ " dev .IR PHYS_DEV " ]" @@ -176,6 +177,14 @@ with this option: tunneling with a fixed ttl always makes pmtu discovery. .TP +.B ignore-df +enable IPv4 DF suppression on this tunnel. +Normally datagrams that exceed the MTU will be fragmented; the presence +of the DF flag inhibits this, resulting instead in an ICMP Unreachable +(Fragmentation Required) message. Enabling this attribute casues the +DF flag to be ignored. + +.TP .BI key " K" .TP .BI ikey " K"
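Review bot: In the doc/ip-cref.tex hunk (@@ -2524), the second sentence of the new ignore-df item reads "If is disabled by default."; that should be "It is disabled by default." The item would also be easier to act on if it said what "handled like any other GRE payload" means in practice, as the ip-tunnel.8 text in this same patch does when it describes the fragmentation versus ICMP Unreachable behaviour.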
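Review bot: In the ip/link_gre.c argument-parsing hunk (@@ -311), "noignore-df" stores the magic value 2 in ignore_df so that the later "if (ignore_df)" test still emits the attribute with a value of 0. That makes one __u8 carry both the setting and a "was specified" flag, and it breaks silently if anyone later treats ignore_df as a plain boolean. A separate presence variable would make the intent explicit. The block comment also wants a space after the asterisk ("* only the lsb is significant ...") and fits on a single line.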
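Review bot: In the ip/link_gre.c hunk at @@ -355, "addattr8(n, 1024, IFLA_GRE_IGNORE_DF, ignore_df & 1)" is only understandable once the reader has found the "use 2 for presence" convention in the option parser further up. Please add a one-line comment at this call site explaining that the mask strips the presence bit, or switch to a separate flag so the mask is not needed.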
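Review bot: In the man/man8/ip-tunnel.8 synopsis hunk (@@ -49), the new "[ [no]ignore-df ]" entry documents the keyword for "ip tunnel", but the only code file changed in this patch is ip/link_gre.c, whose gre_parse_opt() takes a struct link_util and so serves the "ip link" path. No hunk here touches the "ip tunnel" parser; if that command does not accept ignore-df, the synopsis entry and its description belong in the "ip link" documentation instead, or the parser change is missing from the patch.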
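Review bot: In the man/man8/ip-tunnel.8 description hunk (@@ -176), "casues" should be "causes". The paragraph also omits the "(only GRE tunnels)" restriction that the doc/ip-cref.tex text in this patch states, and it does not say that the option is off by default or mention the "noignore-df" form shown in the synopsis; adding those would keep the two documents consistent.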