
[nft,2/3] rt: add path mtu support

Message ID 20170822135141.10785-3-fw@strlen.de
State Accepted
Delegated to: Florian Westphal

Commit Message

Florian Westphal Aug. 22, 2017, 1:51 p.m. UTC
Only use case is to allow similar behaviour to iptables
TCPMSS --clamp-mss-to-pmtu, by combining this with exthdr statement:

tcp option maxseg size set rt mtu

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 v2: rename to 'rt mtu' instead of 'rt mss' to avoid
 adding a new MSS token to the scanner.

 doc/nft.xml                         | 7 +++++++
 include/linux/netfilter/nf_tables.h | 1 +
 src/parser_bison.y                  | 1 +
 src/rt.c                            | 5 +++++
 4 files changed, 14 insertions(+)

Comments

Pablo Neira Ayuso Aug. 22, 2017, 4:16 p.m. UTC | #1
On Tue, Aug 22, 2017 at 03:51:40PM +0200, Florian Westphal wrote:
> Only use case is to allow similar behaviour to iptables
> TCPMSS --clamp-mss-to-pmtu, by combining this with exthdr statement:
> 
> tcp option maxseg size set rt mtu
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

Patch

diff --git a/doc/nft.xml b/doc/nft.xml
index d3213d0281e1..4e2730f698cb 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2836,6 +2836,11 @@  filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole :
 								<entry>Routing nexthop</entry>
 								<entry>ipv4_addr/ipv6_addr</entry>
 							</row>
+							<row>
+								<entry>mtu</entry>
+								<entry>TCP maximum segment size of route</entry>
+								<entry>integer (16 bit)</entry>
+							</row>
 						</tbody>
 					</tgroup>
 				</table>
@@ -4270,6 +4275,8 @@  ip forward ip dscp set 42
 					<title>change tcp mss</title>
 					<programlisting>
 tcp option maxseg size set 1360
+# set a size based on route information:
+tcp option maxseg size set rt mtu
 					</programlisting>
 				</example>
 			</para>
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 40096de04e96..5441b190852f 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -813,6 +813,7 @@  enum nft_rt_keys {
 	NFT_RT_CLASSID,
 	NFT_RT_NEXTHOP4,
 	NFT_RT_NEXTHOP6,
+	NFT_RT_TCPMSS,
 };
 
 /**
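Review bot: `NFT_RT_TCPMSS` is appended to `enum nft_rt_keys` with no visible change to the enum's doc comment, which sits above this hunk and is not shown. If that comment lists one line per key, it should gain a matching entry such as ` * @NFT_RT_TCPMSS: TCP maximum segment size of route`, reusing the wording of the doc/nft.xml hunk. Because this header mirrors the kernel's netlink ABI, the new enumerator's position must also match the kernel-side definition, which cannot be confirmed from this page.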
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 7898ea3fe7bc..18be53e88c77 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3094,6 +3094,7 @@  rt_expr			:	RT	rt_key
 
 rt_key			:	CLASSID		{ $$ = NFT_RT_CLASSID; }
 			|	NEXTHOP		{ $$ = NFT_RT_NEXTHOP4; }
+			|	MTU		{ $$ = NFT_RT_TCPMSS; }
 			;
 
 ct_expr			: 	CT	ct_key
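Review bot: The new `MTU` alternative in `rt_key` returns `NFT_RT_TCPMSS`, so the keyword a rule author types says "mtu" while the value, per the doc/nft.xml hunk, is the route's TCP maximum segment size. A comment on that line would make the mapping explicit, for example `/* "rt mtu" is the user-visible name for the route-derived TCP MSS */`. Without it, someone who reads `rt mtu` as the raw path MTU may write comparisons or clamps that are off by the header overhead, and MSS clamping that is too generous tends to surface as hard-to-diagnose PMTU black holes.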
diff --git a/src/rt.c b/src/rt.c
index cd2d5a4ed7b9..91be5a11c5a2 100644
--- a/src/rt.c
+++ b/src/rt.c
@@ -73,6 +73,11 @@  static const struct rt_template rt_templates[] = {
 					      16 * BITS_PER_BYTE,
 					      BYTEORDER_BIG_ENDIAN,
 					      true),
+	[NFT_RT_TCPMSS]		= RT_TEMPLATE("mtu",
+					      &integer_type,
+					      2 * BITS_PER_BYTE,
+					      BYTEORDER_HOST_ENDIAN,
+					      false),
 };
 
 static void rt_expr_print(const struct expr *expr, struct output_ctx *octx)
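Review bot: The `[NFT_RT_TCPMSS]` template declares a 2-byte `BYTEORDER_HOST_ENDIAN` integer, while its one documented use writes it into the TCP maxseg option, which is big-endian on the wire. Nothing in this hunk shows where that conversion happens. The evaluator presumably inserts it when `tcp option maxseg size set rt mtu` is assembled, but a test for that statement checking the generated bytecode would pin the behaviour. A short comment on the entry, e.g. `/* host-endian u16; byteorder conversion is left to the evaluator */`, would record the assumption. The `rt_templates[]` array begins above the hunk, so the meaning of the final `false` argument cannot be checked from here.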