blob: 42099abb33dcec865b7e0b263badb8f8cd3f08da
mtu1280d - emulates serving via a low MTU IPv6 tunnel
----------------------------------------------------
This program generates ICMPv6 "Packet Too Big" responses with an
MTU of 1280. mtu1280d connects to a netfilter_queue socket, listens
for packets, and responds to every packet sent to that queue.

This is meant to be run on a secondary IP of your host. It is
recommended that your primary IP is NOT used with this technique,
in case of application failure.

To deploy: compile, build and install. Copy in one of the init or
init.d scripts, and make sure it is set to auto-start for your OS.
An actual reboot is recommended.

Once up and running, configure ip6tables to route large packets
destined to the desired IP to the netfilter queue. Example rules:
```
ip6tables -t mangle -A PREROUTING -d 2001:470:1f04:d63::2/128 -m length --length 1281:65535 -j NFQUEUE --queue-num 1280
ip6tables -A INPUT -m mark --mark 0x501 -m comment --comment "Drop packets marked 1281 (too big)" -j DROP
```
REQUIREMENTS
------------
RedHat/CentOS/Fedora:
* libnetfilter_queue-devel
* gcc, make
* ip6tables - and a way to automatically load ip6tables on startup
Ubuntu/Debian:
* build-essential
* libnetfilter-queue-dev
* ip6tables - and a way to automatically load ip6tables on startup
IPTABLES / IP6TABLES
--------------------
For reference, this is what jfesler does:
/etc/rc.local:
```
iptables-restore /etc/iptables/rules.v4
ip6tables-restore /etc/iptables/rules.v6
```
/etc/iptables/rules.v6 (simplified version; only includes the mtu1280d rules)
```
# Generated by ip6tables-save v1.4.21 on Wed Feb 18 10:14:54 2015
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 2001:470:1:18::1280/128 -m length --length 1:65535 -m comment --comment "Mark packets using mtu1280d as small enough (1280) or too big (1281)" -j NFQUEUE --queue-num 1280
COMMIT
# Completed on Wed Feb 18 10:14:54 2015
# Generated by ip6tables-save v1.4.21 on Wed Feb 18 10:14:54 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CHECK_ABUSE - [0:0]
:ONLY-GIGO - [0:0]
-A INPUT -m mark --mark 0x501 -m comment --comment "Drop packets marked 1281 (too big)" -j DROP
COMMIT
# Completed on Wed Feb 18 10:14:54 2015
```
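To make concrete what the daemon described in the introduction does, and what the marks in the rules.v6 comments above mean, here is an added example in C. It is not mtu1280d's own code and is not taken from nfqnl_test.c. It builds the ICMPv6 "Packet Too Big" reply for an oversized IPv6 packet, advertising MTU 1280 and quoting as much of the offending packet as fits in 1280 bytes, and it computes the mark the rules key on. The value 0x501 (1281, "too big") is from the rules above; 0x500 (1280, "small enough") is an assumption inferred from the rule comment. The sample packet, its addresses and all function names are constructed for this illustration, and no sockets or libnetfilter_queue calls are involved.

```c
/* Added example (not mtu1280d's own code): builds the ICMPv6 "Packet Too Big"
 * reply (RFC 4443 type 2, code 0, MTU 1280) that a daemon like mtu1280d sends
 * for an oversized IPv6 packet, plus the verdict mark the ip6tables rules key on.
 * MARK_TOO_BIG 0x501 is from the README; MARK_FITS 0x500 is an assumption. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TUNNEL_MTU     1280u   /* MTU advertised in the reply; the IPv6 minimum */
#define MARK_FITS      0x500u  /* assumed: "small enough (1280)" */
#define MARK_TOO_BIG   0x501u  /* "too big (1281)", dropped by the INPUT rule */
#define IPV6_HDR_LEN   40u
#define ICMPV6_PTB_HDR 8u      /* type, code, checksum, MTU */

/* Mark decision keyed on total packet length, as the rule comments describe. */
uint32_t classify_mark(size_t pkt_len)
{
    return pkt_len > TUNNEL_MTU ? MARK_TOO_BIG : MARK_FITS;
}

/* Accumulate big-endian 16-bit words into a one's-complement sum. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    size_t i;
    for (i = 0; i + 1 < n; i += 2)
        acc += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (n & 1)
        acc += (uint32_t)p[n - 1] << 8;
    return acc;
}

/* ICMPv6 checksum with the IPv6 pseudo-header (RFC 8200 section 8.1);
 * returns 0 when run over a message whose checksum field is already correct. */
uint16_t icmpv6_checksum(const uint8_t *src, const uint8_t *dst,
                         const uint8_t *icmp, size_t icmp_len)
{
    uint32_t acc = sum16(src, 16, 0);
    acc = sum16(dst, 16, acc);
    acc += (uint32_t)(icmp_len >> 16) + (uint32_t)(icmp_len & 0xffffu);
    acc += 58u;                                  /* Next Header = ICMPv6 */
    acc = sum16(icmp, icmp_len, acc);
    while (acc >> 16)
        acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Build the IPv6+ICMPv6 PTB reply for `orig` into `out`; returns its length, or
 * 0 if `orig` is malformed or not too big. Quotes as much of the original packet
 * as fits in 1280 bytes total, as RFC 4443 section 3.2 requires. */
size_t build_packet_too_big(const uint8_t *orig, size_t orig_len,
                            uint8_t *out, size_t out_cap)
{
    const size_t max_quoted = TUNNEL_MTU - IPV6_HDR_LEN - ICMPV6_PTB_HDR;
    size_t quoted, icmp_len, total;
    uint8_t *icmp;
    uint16_t cs;

    if (orig_len < IPV6_HDR_LEN || (orig[0] >> 4) != 6)
        return 0;
    if (classify_mark(orig_len) != MARK_TOO_BIG)
        return 0;
    quoted = orig_len < max_quoted ? orig_len : max_quoted;
    icmp_len = ICMPV6_PTB_HDR + quoted;
    total = IPV6_HDR_LEN + icmp_len;
    if (total > out_cap)
        return 0;

    memset(out, 0, IPV6_HDR_LEN);
    out[0] = 0x60; out[6] = 58; out[7] = 64;     /* version 6, ICMPv6, hop limit */
    out[4] = (uint8_t)(icmp_len >> 8);
    out[5] = (uint8_t)icmp_len;                  /* payload length */
    memcpy(out + 8, orig + 24, 16);              /* src = original destination */
    memcpy(out + 24, orig + 8, 16);              /* dst = original source */

    icmp = out + IPV6_HDR_LEN;
    memset(icmp, 0, ICMPV6_PTB_HDR);             /* checksum stays 0 while summing */
    icmp[0] = 2;                                 /* type: Packet Too Big, code 0 */
    icmp[6] = (uint8_t)(TUNNEL_MTU >> 8);
    icmp[7] = (uint8_t)(TUNNEL_MTU & 0xffu);     /* MTU field = 1280 */
    memcpy(icmp + 8, orig, quoted);
    cs = icmpv6_checksum(out + 8, out + 24, icmp, icmp_len);
    icmp[2] = (uint8_t)(cs >> 8);
    icmp[3] = (uint8_t)cs;
    return total;
}

/* Constructed sample: IPv6 packet of total_len bytes, 2001:db8::1 -> 2001:db8::2. */
size_t make_sample_ipv6(uint8_t *buf, size_t cap, size_t total_len)
{
    size_t i;
    if (total_len < IPV6_HDR_LEN || total_len > cap)
        return 0;
    memset(buf, 0, total_len);
    buf[0] = 0x60; buf[6] = 59; buf[7] = 64;     /* no next header, hop limit 64 */
    buf[4] = (uint8_t)((total_len - IPV6_HDR_LEN) >> 8);
    buf[5] = (uint8_t)(total_len - IPV6_HDR_LEN);
    buf[8] = 0x20; buf[9] = 0x01; buf[10] = 0x0d; buf[11] = 0xb8; buf[23] = 1;
    buf[24] = 0x20; buf[25] = 0x01; buf[26] = 0x0d; buf[27] = 0xb8; buf[39] = 2;
    for (i = IPV6_HDR_LEN; i < total_len; i++)
        buf[i] = (uint8_t)i;                     /* recognisable payload pattern */
    return total_len;
}
```

For a 1500-byte packet the reply is exactly 1280 bytes (40-byte IPv6 header, 8-byte ICMPv6 header, 1232 quoted bytes); a 1280-byte packet gets no reply and the MARK_FITS mark. A quick self-check is to run icmpv6_checksum over the finished reply: it returns 0 when the checksum field is right, which is the same check the receiving host performs before acting on the Packet Too Big.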
LICENSE
-------
GPLv2, due to the duplicated code from Harald Welte's
libnetfilter_queue-1.0.2/utils/nfqnl_test.c (included).