diff options
| author | Jason Fesler <jfesler@vm1.test-ipv6.com> | 2015-02-20 07:59:37 -0800 |
|---|---|---|
| committer | Jason Fesler <jfesler@vm1.test-ipv6.com> | 2015-02-20 07:59:37 -0800 |
| commit | 4b568cb0bb60544f284b3963b2eea7408884f24a (patch) | |
| tree | 61b4cd45c906b3faafe23513341fa0145c27c82f /README.md | |
| parent | 1a4c7e35b936d9a941e53583672a94d7d097aaf9 (diff) | |
| download | mtu1280d-4b568cb0bb60544f284b3963b2eea7408884f24a.tar.gz mtu1280d-4b568cb0bb60544f284b3963b2eea7408884f24a.zip | |
Figured out NF_DROP
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 11 |
1 files changed, 6 insertions, 5 deletions
@@ -21,10 +21,13 @@ large packets destined to the desired IP to the netfilter queue. Example rules: ``` -iptables -t mangle -A PREROUTING -d 2001:470:1f04:d63::2/128 -m length --length 1281:65535 -j -NFQUEUE --queue-num 1280 -iptables -A INPUT -m mark --mark 0x501 -m comment --comment "Drop packets marked 1281 (too big)" -j DROP +iptables -t mangle -A PREROUTING -d 2001:db1::1280/128 -j -NFQUEUE --queue-num 1280 ``` +mtu1280d will, when it sees a packet > 1280 bytes long, +both reject the packet as well as generate an ICMPv6 Packet Too Big +back to the sender. + REQUIREMENTS ------------ @@ -60,7 +63,7 @@ ip6tables-restore /etc/iptables/rules.v6 :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] --A PREROUTING -d 2001:470:1:18::1280/128 -m length --length 1:65535 -m comment --comment "Mark packets using mtu1280d as small enough (1280) or too big (1281)" -j NFQUEUE --queue-num 1280 +-A PREROUTING -d 2001:db8::1280/128 -j NFQUEUE --queue-num 1280 COMMIT # Completed on Wed Feb 18 10:14:54 2015 # Generated by ip6tables-save v1.4.21 on Wed Feb 18 10:14:54 2015 @@ -69,8 +72,6 @@ COMMIT :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :CHECK_ABUSE - [0:0] -:ONLY-GIGO - [0:0] --A INPUT -m mark --mark 0x501 -m comment --comment "Drop packets marked 1281 (too big)" -j DROP COMMIT # Completed on Wed Feb 18 10:14:54 2015 ``` |