authorJason Fesler <jfesler@gigo.com>2015-02-20 08:04:54 -0800
committerJason Fesler <jfesler@gigo.com>2015-02-20 08:04:54 -0800
commit153f1124ffaf5c84586a643ff01d300821449024 (patch)
treeb0b77d2587b2c843a47a90ab343df009a66f362d
parentf622e392d47d659a080a60c156e3e1e9913ec53f (diff)
parent4b568cb0bb60544f284b3963b2eea7408884f24a (diff)
Merge branch 'master' of github.com:falling-sky/mtu1280d
-rw-r--r--README.md11
-rw-r--r--mtu1280d.c5
2 files changed, 9 insertions, 7 deletions
diff --git a/README.md b/README.md
index 42099ab..51fc3ad 100644
--- a/README.md
+++ b/README.md
@@ -21,10 +21,13 @@ large packets destined to the desired IP to the netfilter queue.
Example rules:
```
-iptables -t mangle -A PREROUTING -d 2001:470:1f04:d63::2/128 -m length --length 1281:65535 -j -NFQUEUE --queue-num 1280
-iptables -A INPUT -m mark --mark 0x501 -m comment --comment "Drop packets marked 1281 (too big)" -j DROP
+iptables -t mangle -A PREROUTING -d 2001:db1::1280/128 -j -NFQUEUE --queue-num 1280
```
+mtu1280d will, when it sees a packet > 1280 bytes long,
+both reject the packet as well as generate an ICMPv6 Packet Too Big
+back to the sender.
+
REQUIREMENTS
------------
@@ -60,7 +63,7 @@ ip6tables-restore /etc/iptables/rules.v6
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
--A PREROUTING -d 2001:470:1:18::1280/128 -m length --length 1:65535 -m comment --comment "Mark packets using mtu1280d as small enough (1280) or too big (1281)" -j NFQUEUE --queue-num 1280
+-A PREROUTING -d 2001:db8::1280/128 -j NFQUEUE --queue-num 1280
COMMIT
# Completed on Wed Feb 18 10:14:54 2015
# Generated by ip6tables-save v1.4.21 on Wed Feb 18 10:14:54 2015
@@ -69,8 +72,6 @@ COMMIT
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CHECK_ABUSE - [0:0]
-:ONLY-GIGO - [0:0]
--A INPUT -m mark --mark 0x501 -m comment --comment "Drop packets marked 1281 (too big)" -j DROP
COMMIT
# Completed on Wed Feb 18 10:14:54 2015
```
diff --git a/mtu1280d.c b/mtu1280d.c
index 00eaa2d..8b6a5bd 100644
--- a/mtu1280d.c
+++ b/mtu1280d.c
@@ -396,10 +396,11 @@ cb (struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
}
}
mark = block_pkt (nfa);
+ int v = (mark == 1280) ? NF_ACCEPT : NF_DROP;
if (do_debug) {
- printf("\nnfq_set_verdict2(qh, id=%d, v=NF_ACCEPT, mark=%d, 0, NULL)\n",id,mark);
+ printf("\nnfq_set_verdict2(qh, id=%d, v=%d, mark=%d, 0, NULL)\n",id,v,mark);
}
- return nfq_set_verdict2 (qh, id, NF_ACCEPT, mark, 0, NULL);
+ return nfq_set_verdict2 (qh, id, v, mark, 0, NULL);
}
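Review bot: The new verdict line `int v = (mark == 1280) ? NF_ACCEPT : NF_DROP;` ties the accept decision to a bare literal that must match whatever block_pkt() returns for a packet within the limit, and nothing in the hunk documents that contract. I would name the value (for example `enum { MARK_FITS = 1280 };`, a constructed name) and add a comment such as `/* any mark other than the "fits" value, including an unexpected return from block_pkt(), is dropped (fail closed) */`, so that a later change to block_pkt() cannot silently become accept-all or drop-all. The debug line now prints the verdict as a number; passing `v == NF_ACCEPT ? "NF_ACCEPT" : "NF_DROP"` with `%s` would keep the log readable. cb() begins above the hunk, so the types of `id` and `mark` behind the `%d` conversions cannot be checked from here.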