Re: [patch] netfilter: implement TCPMSS target for IPv6
On Jan 15 2007 11:18, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> On Jan 15 2007 09:39, Patrick McHardy wrote:
>>
>>>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>>>is spread over the entire target function), but it's worth a try.
>>
>>
>> well here's a q: would a patch be accepted that changes
>> all ipt and ip6t modules to the new xt? Even if a module is only for
>> ipv4 or ipv6, I think it makes sense to reduce the number of
>> different *t structures floating around.
>
>If you're talking about using the xt-structures in net/ipv[46]/netfilter
>and removing the ipt/ip6t-wrappers, that would make sense IMO.

Yup. Should the files then be renamed/moved to net/netfilter/xt_[foobaz].c
in a second step?

Should I leave ipt_TCPMSS/ip6t_TCPMSS untouched while you are working on
that one?

-`J'
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [patch] netfilter: implement TCPMSS target for IPv6
Jan Engelhardt wrote:
> On Jan 15 2007 09:39, Patrick McHardy wrote:
>
>>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>>is spread over the entire target function), but it's worth a try.
>
>
> "Nothing is impossible." Since you happened to take that one for
> yourself... well here's a q: would a patch be accepted that changes
> all ipt and ip6t modules to the new xt? Even if a module is only for
> ipv4 or ipv6, I think it makes sense to reduce the number of
> different *t structures floating around.

If you're talking about using the xt-structures in net/ipv[46]/netfilter
and removing the ipt/ip6t-wrappers, that would make sense IMO.
Re: [patch] netfilter: implement TCPMSS target for IPv6
On Jan 15 2007 09:39, Patrick McHardy wrote:
>> On Jan 14 2007 20:20, David Madore wrote:
>>
>>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>>Marc Boucher's IPv4 implementation.
>>>
>>>Signed-off-by: David A. Madore <[EMAIL PROTECTED]>
>>
>>
>> Would not it be worthwhile to merge ipt_TCPMSS and
>> ip6t_TCPMSS to xt_TCPMSS instead?
>
>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>is spread over the entire target function), but it's worth a try.

"Nothing is impossible." Since you happened to take that one for
yourself... well here's a q: would a patch be accepted that changes
all ipt and ip6t modules to the new xt? Even if a module is only for
ipv4 or ipv6, I think it makes sense to reduce the number of
different *t structures floating around.

-`J'
Re: [patch] netfilter: implement TCPMSS target for IPv6
David Madore wrote:
> On Sun, Jan 14, 2007 at 09:10:45PM +0100, Jan Engelhardt wrote:
>
>>On Jan 14 2007 20:20, David Madore wrote:
>>
>>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>>Marc Boucher's IPv4 implementation.
>>
>>Would not it be worthwhile to merge ipt_TCPMSS and
>>ip6t_TCPMSS to xt_TCPMSS instead?
>
>
> It may be, but I'm afraid that's outside my competence. I happened to
> need ip6t_TCPMSS badly and soon, so I went for the quickest solution.
> Of course, I'd appreciate it if someone were to do it in a better way.

I'll give it a shot.
Re: [patch] netfilter: implement TCPMSS target for IPv6
Jan Engelhardt wrote:
> On Jan 14 2007 20:20, David Madore wrote:
>
>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>Marc Boucher's IPv4 implementation.
>>
>>Signed-off-by: David A. Madore <[EMAIL PROTECTED]>
>
>
> Would not it be worthwhile to merge ipt_TCPMSS and
> ip6t_TCPMSS to xt_TCPMSS instead?

I'm not sure how well that will work (the IPv4/IPv6-specific stuff
is spread over the entire target function), but it's worth a try.
Re: [patch] netfilter: implement TCPMSS target for IPv6
On Sun, Jan 14, 2007 at 09:10:45PM +0100, Jan Engelhardt wrote:
> On Jan 14 2007 20:20, David Madore wrote:
> >Implement TCPMSS target for IPv6 by shamelessly copying from
> >Marc Boucher's IPv4 implementation.
>
> Would not it be worthwhile to merge ipt_TCPMSS and
> ip6t_TCPMSS to xt_TCPMSS instead?

It may be, but I'm afraid that's outside my competence. I happened to
need ip6t_TCPMSS badly and soon, so I went for the quickest solution.
Of course, I'd appreciate it if someone were to do it in a better way.

Happy hacking,

--
David A. Madore ([EMAIL PROTECTED], http://www.madore.org/~david/ )
Re: [patch] netfilter: implement TCPMSS target for IPv6
On Jan 14 2007 20:20, David Madore wrote:
>
>Implement TCPMSS target for IPv6 by shamelessly copying from
>Marc Boucher's IPv4 implementation.
>
>Signed-off-by: David A. Madore <[EMAIL PROTECTED]>

Would not it be worthwhile to merge ipt_TCPMSS and
ip6t_TCPMSS to xt_TCPMSS instead?

-`J'
[patch] netfilter: implement TCPMSS target for IPv6
Implement TCPMSS target for IPv6 by shamelessly copying from Marc Boucher's IPv4 implementation. Signed-off-by: David A. Madore <[EMAIL PROTECTED]> --- Note: The patch for ip6tables to make use of this module can be obtained from ftp://quatramaran.ens.fr/pub/madore/misc/ip6t-TCPMSS/ > (also contains a version of this same patch for 2.6.19.2). include/linux/netfilter_ipv6/ip6t_TCPMSS.h | 10 ++ net/ipv6/netfilter/Kconfig | 26 net/ipv6/netfilter/Makefile|1 + net/ipv6/netfilter/ip6t_TCPMSS.c | 225 4 files changed, 262 insertions(+), 0 deletions(-) diff --git a/include/linux/netfilter_ipv6/ip6t_TCPMSS.h b/include/linux/netfilter_ipv6/ip6t_TCPMSS.h new file mode 100644 index 000..412d1cb --- /dev/null +++ b/include/linux/netfilter_ipv6/ip6t_TCPMSS.h @@ -0,0 +1,10 @@ +#ifndef _IP6T_TCPMSS_H +#define _IP6T_TCPMSS_H + +struct ip6t_tcpmss_info { + u_int16_t mss; +}; + +#define IP6T_TCPMSS_CLAMP_PMTU 0x + +#endif /*_IP6T_TCPMSS_H*/ diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index adcd613..3890a59 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig 
@@ -154,6 +154,32 @@ config IP6_NF_TARGET_REJECT To compile it as a module, choose M here. If unsure, say N. +config IP6_NF_TARGET_TCPMSS + tristate "TCPMSS target support" + depends on IP6_NF_IPTABLES + ---help--- + This option adds a `TCPMSS' target, which allows you to alter the + MSS value of TCP SYN packets, to control the maximum size for that + connection (usually limiting it to your outgoing interface's MTU + minus 60). + + This is used to overcome criminally braindead ISPs or servers which + block ICMPv6 Packet Too Big packets. The symptoms of this + problem are that everything works fine from your Linux + firewall/router, but machines behind it can never exchange large + packets: + 1) Web browsers connect, then hang with no data received. + 2) Small mail works fine, but large emails hang. + 3) ssh works fine, but scp hangs after initial handshaking. + + Workaround: activate this option and add a rule to your firewall + configuration like: + + ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ +-j TCPMSS --clamp-mss-to-pmtu + + To compile it as a module, choose M here. If unsure, say N. + config IP6_NF_MANGLE tristate "Packet mangling" depends on IP6_NF_IPTABLES diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile index ac1dfeb..616a006 100644 --- a/net/ipv6/netfilter/Makefile +++ b/net/ipv6/netfilter/Makefile @@ -19,6 +19,7 @@ obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o +obj-$(CONFIG_IP6_NF_TARGET_TCPMSS) += ip6t_TCPMSS.o # objects for l3 independent conntrack nf_conntrack_ipv6-objs := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o nf_conntrack_reasm.o diff --git a/net/ipv6/netfilter/ip6t_TCPMSS.c b/net/ipv6/netfilter/ip6t_TCPMSS.c new file mode 100644 index 000..ab492c3 --- /dev/null +++ b/net/ipv6/netfilter/ip6t_TCPMSS.c 
@@ -0,0 +1,225 @@ +/* + * This is a module which is used for setting the MSS option in TCP packets. + * + * Copyright (C) 2007 David Madore <[EMAIL PROTECTED]> + * + * Shamelessly based on net/ipv4/netfilter/ipt_TCPMSS.c + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#include +#include + +#include +#include + +#include +#include + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("David Madore <[EMAIL PROTECTED]>"); +MODULE_DESCRIPTION("ip6tables TCP MSS modification module"); + +static inline unsigned int +optlen(const u_int8_t *opt, unsigned int offset) +{ + /* Beware zero-length options: make finite progress */ + if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0) + return 1; + else + return opt[offset+1]; +} + +static unsigned int +ip6t_tcpmss_target(struct sk_buff **pskb, + const struct net_device *in, + const struct net_device *out, + unsigned int hooknum, + const struct xt_target *target, + const void *targinfo) +{ + const struct ip6t_tcpmss_info *tcpmssinfo = targinfo; + struct tcphdr *tcph; + struct ipv6hdr *ipv6h; + u_int8_t nexthdr; + int tcphoff; + u_int16_t tcplen, newmss; + __be16 newiplen, oldval; + unsigned int i; + u_int8_t *opt; + + if (!skb_make_writable(pskb, (*pskb)->len)) + return NF_DROP; + + ipv6h = (*pskb)->nh.
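Review bot: the new include/linux/netfilter_ipv6/ip6t_TCPMSS.h is a field-for-field copy of the IPv4 `ipt_tcpmss_info` (one `u_int16_t mss` plus the `IP6T_TCPMSS_CLAMP_PMTU` sentinel) with nothing address-family-specific in it, which is exactly the case the thread makes for a single xt_TCPMSS with one shared `xt_tcpmss_info` under include/linux/netfilter/; if the split is kept for now, the two headers should at least reference each other so a change to one is not missed in the other, and since this header is installed for ip6tables userspace the kernel convention is `__u16` rather than `u_int16_t`. The Kconfig help text reads correctly as a direct adaptation: "minus 60" is the right IPv6 figure (40-byte IPv6 header plus 20-byte TCP header, against 40 for IPv4), the black-hole description correctly names ICMPv6 Packet Too Big, and the quoted `ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` rule matches the sentinel the header defines.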
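Review bot: in the visible part of `ip6t_tcpmss_target()` the code goes straight from `skb_make_writable()` to reading the IPv6 header, and the check that the packet actually carries TCP has not yet appeared; `nexthdr` and `tcphoff` are declared, so the intent is presumably to walk the extension-header chain with `ipv6_skip_exthdr()` (which yields the offset of the final header and its next-header value, and stops at a non-first fragment), and the target should return NF_DROP when that final header is not IPPROTO_TCP or when `tcphoff + sizeof(struct tcphdr)` (and then `tcphoff + tcph->doff * 4`) does not fit in `(*pskb)->len`, since a truncated or fragmented packet would otherwise have its option area parsed out of bounds. That check must precede every access to `tcph`, and a `.checkentry` that rejects the target unless the rule matches `-p tcp`, as the Kconfig example does, keeps it from being attached to non-TCP rules in the first place. Two smaller points: `skb_make_writable(pskb, (*pskb)->len)` copies the whole packet although only the headers up to the end of the TCP options are modified, so the writable length can be bounded once `tcphoff` is known; and `optlen()` is copied verbatim from ipt_TCPMSS.c, one more argument for the shared xt_TCPMSS module discussed in the thread.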