Re: [patch] netfilter: implement TCPMSS target for IPv6

2007-01-15 Thread Jan Engelhardt

On Jan 15 2007 11:18, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> On Jan 15 2007 09:39, Patrick McHardy wrote:
>> 
>>>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>>>is spread over the entire target function), but it's worth a try.
>> 
>> 
>> well here's a q: would a patch be accepted that changes
>> all ipt and ip6t modules to the new xt? Even if a module is only for
>> ipv4 or ipv6, I think it makes sense to reduce the number of
>> different *t structures floating around.
>
>If you're talking about using the xt-structures in net/ipv[46]/netfilter
>and removing the ipt/ip6t-wrappers, that would make sense IMO.

Yup. Should the files then be renamed/moved to net/netfilter/xt_[foobaz].c
in a second step?

Should I leave ipt_TCPMSS/ip6t_TCPMSS untouched while you are working on 
that one?


-`J'
-- 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: [patch] netfilter: implement TCPMSS target for IPv6

2007-01-15 Thread Patrick McHardy
Jan Engelhardt wrote:
> On Jan 15 2007 09:39, Patrick McHardy wrote:
> 
>>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>>is spread over the entire target function), but it's worth a try.
> 
> 
> "Nothing is impossible." Since you happened to take that one for
> yourself... well here's a q: would a patch be accepted that changes
> all ipt and ip6t modules to the new xt? Even if a module is only for
> ipv4 or ipv6, I think it makes sense to reduce the number of
> different *t structures floating around.


If you're talking about using the xt-structures in net/ipv[46]/netfilter
and removing the ipt/ip6t-wrappers, that would make sense IMO.



Re: [patch] netfilter: implement TCPMSS target for IPv6

2007-01-15 Thread Jan Engelhardt

On Jan 15 2007 09:39, Patrick McHardy wrote:
>> On Jan 14 2007 20:20, David Madore wrote:
>> 
>>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>>Marc Boucher's IPv4 implementation.
>>>
>>>Signed-off-by: David A. Madore <[EMAIL PROTECTED]>
>> 
>> 
>> Would it not be worthwhile to merge ipt_TCPMSS and
>> ip6t_TCPMSS to xt_TCPMSS instead?
>
>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>is spread over the entire target function), but it's worth a try.

"Nothing is impossible." Since you happened to take that one for
yourself... well here's a q: would a patch be accepted that changes
all ipt and ip6t modules to the new xt? Even if a module is only for
ipv4 or ipv6, I think it makes sense to reduce the number of
different *t structures floating around.


-`J'
-- 


Re: [patch] netfilter: implement TCPMSS target for IPv6

2007-01-15 Thread Patrick McHardy
David Madore wrote:
> On Sun, Jan 14, 2007 at 09:10:45PM +0100, Jan Engelhardt wrote:
> 
>>On Jan 14 2007 20:20, David Madore wrote:
>>
>>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>>Marc Boucher's IPv4 implementation.
>>
>>Would it not be worthwhile to merge ipt_TCPMSS and
>>ip6t_TCPMSS to xt_TCPMSS instead?
> 
> 
> It may be, but I'm afraid that's outside my competence.  I happened to
> need ip6t_TCPMSS badly and soon, so I went for the quickest solution.
> Of course, I'd appreciate it if someone were to do it in a better way.

I'll give it a shot.



Re: [patch] netfilter: implement TCPMSS target for IPv6

2007-01-15 Thread Patrick McHardy
Jan Engelhardt wrote:
> On Jan 14 2007 20:20, David Madore wrote:
> 
>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>Marc Boucher's IPv4 implementation.
>>
>>Signed-off-by: David A. Madore <[EMAIL PROTECTED]>
> 
> 
> Would it not be worthwhile to merge ipt_TCPMSS and
> ip6t_TCPMSS to xt_TCPMSS instead?

I'm not sure how well that will work (the IPv4/IPv6-specific stuff
is spread over the entire target function), but it's worth a try.



Re: [patch] netfilter: implement TCPMSS target for IPv6

2007-01-14 Thread David Madore
On Sun, Jan 14, 2007 at 09:10:45PM +0100, Jan Engelhardt wrote:
> On Jan 14 2007 20:20, David Madore wrote:
> >Implement TCPMSS target for IPv6 by shamelessly copying from
> >Marc Boucher's IPv4 implementation.
> 
> Would it not be worthwhile to merge ipt_TCPMSS and
> ip6t_TCPMSS to xt_TCPMSS instead?

It may be, but I'm afraid that's outside my competence.  I happened to
need ip6t_TCPMSS badly and soon, so I went for the quickest solution.
Of course, I'd appreciate it if someone were to do it in a better way.

Happy hacking,

-- 
 David A. Madore
([EMAIL PROTECTED],
 http://www.madore.org/~david/ )


Re: [patch] netfilter: implement TCPMSS target for IPv6

2007-01-14 Thread Jan Engelhardt

On Jan 14 2007 20:20, David Madore wrote:
>
>Implement TCPMSS target for IPv6 by shamelessly copying from
>Marc Boucher's IPv4 implementation.
>
>Signed-off-by: David A. Madore <[EMAIL PROTECTED]>

Would it not be worthwhile to merge ipt_TCPMSS and
ip6t_TCPMSS to xt_TCPMSS instead?


-`J'
-- 


[patch] netfilter: implement TCPMSS target for IPv6

2007-01-14 Thread David Madore
Implement TCPMSS target for IPv6 by shamelessly copying from
Marc Boucher's IPv4 implementation.

Signed-off-by: David A. Madore <[EMAIL PROTECTED]>

---

 Note: The patch for ip6tables to make use of this module can be
 obtained from ftp://quatramaran.ens.fr/pub/madore/misc/ip6t-TCPMSS/
 (also contains a version of this same patch for 2.6.19.2).

 include/linux/netfilter_ipv6/ip6t_TCPMSS.h |   10 ++
 net/ipv6/netfilter/Kconfig |   26 
 net/ipv6/netfilter/Makefile|1 +
 net/ipv6/netfilter/ip6t_TCPMSS.c   |  225 
 4 files changed, 262 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter_ipv6/ip6t_TCPMSS.h 
b/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
new file mode 100644
index 000..412d1cb
--- /dev/null
+++ b/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
@@ -0,0 +1,10 @@
+#ifndef _IP6T_TCPMSS_H
+#define _IP6T_TCPMSS_H
+
+struct ip6t_tcpmss_info {
+   u_int16_t mss;
+};
+
+#define IP6T_TCPMSS_CLAMP_PMTU 0x
+
+#endif /*_IP6T_TCPMSS_H*/
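Review bot: the `IP6T_TCPMSS_CLAMP_PMTU` define in this hunk reads `0x` with no digits, so the header as shown here does not compile; the sentinel value needs to be spelled out, and it must be one that no user could plausibly pass as a real MSS, since the target presumably distinguishes "clamp to PMTU" from a fixed MSS by comparing against it. Separately, `struct ip6t_tcpmss_info` is a copy of the IPv4 target's info struct (the commit message says the whole module is), which is exactly the duplication the xt_TCPMSS merge discussed further up this thread would remove; if the merge goes ahead, this header becomes a one-line wrapper or disappears.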
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index adcd613..3890a59 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -154,6 +154,32 @@ config IP6_NF_TARGET_REJECT
 
  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP6_NF_TARGET_TCPMSS
+   tristate "TCPMSS target support"
+   depends on IP6_NF_IPTABLES
+   ---help---
+ This option adds a `TCPMSS' target, which allows you to alter the
+ MSS value of TCP SYN packets, to control the maximum size for that
+ connection (usually limiting it to your outgoing interface's MTU
+ minus 60).
+
+ This is used to overcome criminally braindead ISPs or servers which
+ block ICMPv6 Packet Too Big packets.  The symptoms of this
+ problem are that everything works fine from your Linux
+ firewall/router, but machines behind it can never exchange large
+ packets:
+   1) Web browsers connect, then hang with no data received.
+   2) Small mail works fine, but large emails hang.
+   3) ssh works fine, but scp hangs after initial handshaking.
+
+ Workaround: activate this option and add a rule to your firewall
+ configuration like:
+
+ ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
+-j TCPMSS --clamp-mss-to-pmtu
+
+ To compile it as a module, choose M here.  If unsure, say N.
+
 config IP6_NF_MANGLE
tristate "Packet mangling"
depends on IP6_NF_IPTABLES
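Review bot: the example rule in the help text uses `--clamp-mss-to-pmtu`, which a stock ip6tables does not know about; that option only exists once the separate userspace patch referenced in the cover note is applied, and the help text should say so rather than leave users with a rule that fails to load. The "MTU minus 60" figure is right for IPv6 (40-byte IPv6 header plus 20-byte TCP header, with no options) but is worth stating as such, since the number is not the one readers of the IPv4 help text will remember. Minor: "criminally braindead ISPs or servers" is carried over verbatim from the IPv4 text; "ISPs or servers that block ICMPv6 Packet Too Big messages" says the same thing in a calmer register.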
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index ac1dfeb..616a006 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -19,6 +19,7 @@ obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
 obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
 obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
 obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
+obj-$(CONFIG_IP6_NF_TARGET_TCPMSS) += ip6t_TCPMSS.o
 
 # objects for l3 independent conntrack
 nf_conntrack_ipv6-objs  :=  nf_conntrack_l3proto_ipv6.o 
nf_conntrack_proto_icmpv6.o nf_conntrack_reasm.o
diff --git a/net/ipv6/netfilter/ip6t_TCPMSS.c b/net/ipv6/netfilter/ip6t_TCPMSS.c
new file mode 100644
index 000..ab492c3
--- /dev/null
+++ b/net/ipv6/netfilter/ip6t_TCPMSS.c
@@ -0,0 +1,225 @@
+/*
+ * This is a module which is used for setting the MSS option in TCP packets.
+ *
+ * Copyright (C) 2007 David Madore <[EMAIL PROTECTED]>
+ *
+ * Shamelessly based on net/ipv4/netfilter/ipt_TCPMSS.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include 
+#include 
+
+#include 
+#include 
+
+#include 
+#include 
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("David Madore <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("ip6tables TCP MSS modification module");
+
+static inline unsigned int
+optlen(const u_int8_t *opt, unsigned int offset)
+{
+   /* Beware zero-length options: make finite progress */
+   if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
+   return 1;
+   else
+   return opt[offset+1];
+}
+
+static unsigned int
+ip6t_tcpmss_target(struct sk_buff **pskb,
+  const struct net_device *in,
+  const struct net_device *out,
+  unsigned int hooknum,
+  const struct xt_target *target,
+  const void *targinfo)
+{
+   const struct ip6t_tcpmss_info *tcpmssinfo = targinfo;
+   struct tcphdr *tcph;
+   struct ipv6hdr *ipv6h;
+   u_int8_t nexthdr;
+   int tcphoff;
+   u_int16_t tcplen, newmss;
+   __be16 newiplen, oldval;
+   unsigned int i;
+   u_int8_t *opt;
+
+   if (!skb_make_writable(pskb, (*pskb)->len))
+   return NF_DROP;
+
+   ipv6h = (*pskb)->nh.
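Review bot: the hunk is cut off at `ipv6h = (*pskb)->nh.`, and the `#include` lines have lost their header names in this copy, so the part that locates the TCP header cannot be reviewed here. The point to check in the full version is that `tcphoff` is obtained by walking the IPv6 extension-header chain (the `nexthdr` local suggests `ipv6_skip_exthdr()` is used) rather than by assuming the TCP header sits at `sizeof(struct ipv6hdr)`, and that a non-TCP `nexthdr` or a fragment header results in the packet being left alone instead of rewritten. In `optlen()`, `opt[offset+1]` is read for every option kind above `TCPOPT_NOP`, so the caller's loop over the options must stop at least two bytes before the end of the TCP header, or a one-byte trailing option reads past it; please keep that bound when porting the loop. Also, `skb_make_writable(pskb, (*pskb)->len)` makes the whole packet writable even though only the IPv6 and TCP headers are touched; this is copied from the IPv4 target and is not wrong, but a length covering just the headers would avoid copying the payload on cloned skbs.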