Linux gretap - net/ipv4/ip_gre.c - how to set value of key->tun_flags

Question

I'm trying to transport over a gretap tunnel between two Linux (Centos 6) hosts some cloned IP pkts in order to feed an IDS style device.

Given that PMTU discovery will not work on the cloned pkts I'm trying to transport I have to find a way to clear the DF bit in the header of the GRE pkt, so that it can be fragmented by the sending host and re-assembled at the other end. Otherwise largish pkts (... near the 1500 bytes nmark) will be silently dropped, after the GRE overhead is added.

I've found a working solution that involves configuring an iptables plugin in order to clear the said DF bit, but that solution is a bit too convoluted. See here: http://backreference.org/2013/07/23/gre-bridging-ipsec-and-nfqueue/ .

I had a peek at the source code of net/ipv4/ip_gre.c and in there I've found these interesting lines (around line 432 from here: https://github.com/torvalds/linux/blob/master/net/ipv4/ip_gre.c ):

df = key->tun_flags & TUNNEL_DONT_FRAGMENT ?  htons(IP_DF) : 0;

iptunnel_xmit(skb->sk, rt, skb, fl.saddr, key->u.ipv4.dst, IPPROTO_GRE,
          key->tos, key->ttl, df, false);
return;

The first line in particular seems to enable some logic to conditionally set the DF bit on the outgoing GRE pkt. Assuming I understand the code correctly, that would allow pkts to leave my Linux host without a DF bit set, which should in turn allow for fragmentation.

I've been trying to figure out how I could set the value of key->tun_flags, so that the conditional statement results in a "0" but I couldn't find any CLU that would allow me to do that (ip li, ifconfig, udevadm, etc...).

Does anybody know how the value of key->tun_flags can be manipulated?

Seems like the only entry point is BPF http://lxr.free-electrons.com/source/net/core/filter.c#L2460 — Chaitanya Lala, Mar 02 '17 at 01:41

score 2 · Answer 1 · edited Dec 05 '21 at 07:55

"man 8 ip-tunnel"

          ignore-df
                 enable IPv4 DF suppression on this tunnel.
                 Normally datagrams that exceed the MTU will be
                 fragmented; the presence of the DF flag inhibits
                 this, resulting instead in an ICMP Unreachable
                 (Fragmentation Required) message.  Enabling this
                 attribute causes the DF flag to be ignored.

For example:

ip link add gretap1 type gretap remote xxx.yyy.zzz.ppp ignore-df nopmtudisc

will remove the DF flag. Note that you must also set nopmtudisc option, see https://bugzilla.kernel.org/show_bug.cgi?id=14837, final comment.

A kernel version greater than v5.10.10 is required to support the ignore-df option.

I looked hi and lo for this - the options to prevent fragmentation have to be included in the add command. They can't be modified later. As of writing this none of system-networkd, netplan or NetworkManager supports the ignore-df option, The ip-route2 tools must be used. — BitByteDog, Dec 05 '21 at 07:58

Linux gretap - net/ipv4/ip_gre.c - how to set value of key->tun_flags

1 Answers1