htfy96 / iptables-icmp-frag

Missing ICMP FRAG_NEEDED reply for iptables

iptables -j icmp_frag

Adds the missing ICMP FRAG_NEEDED reply target to iptables. Intended for CentOS 8.

Build

Build & install kernel module

Dependencies (incomplete): elfutils-libelf-devel, kernel-devel

cd ./data/kernel-module
make -C /lib/modules/$(uname -r)/build/ M=$(pwd) modules
sudo insmod ./ipt_icmp_frag.ko

Build & install modified iptables

Dependencies (incomplete): libtool

Only extensions/xt_icmp_frag.c is new relative to the upstream iptables 1.8.4 tree.

To build with nftables support, you also need to download the source code of libmnl, libnftnl, libnfnetlink and libnetfilter_conntrack and compile them from source; the configure line below disables nftables instead.

cd ./data/iptables-modified/iptables-1.8.4
./configure --disable-nftables --prefix=$HOME/.local
make -j4
make install

Test and usage example

vagrant up --provision # brings up a CentOS 8 VM
vagrant ssh            # the following commands run inside the Vagrant box

# Build and install the kernel module / modified iptables as above
# ./data/ is synced to /vagrant_data

sudo ~/.local/sbin/iptables -A INPUT -p tcp --dport 6789 -j icmp_frag --mtu 13

sudo tcpdump -i lo -vvvvv &
mtr -tTP 6789 -4 localhost >/dev/null
# Expect tcpdump to show an ICMP "frag needed" reply for each TCP probe to port 6789
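For reference, this is the on-the-wire message the test above expects tcpdump to show: an ICMP Destination Unreachable (type 3) with code 4 "Fragmentation Needed" and the Next-Hop MTU in header bytes 6-7. It is an added example in plain C, not code from this repository or from the kernel module, and the quoted original datagram used in the test is constructed; build_frag_needed() and parse_frag_needed() are illustrative names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ICMP Destination Unreachable (type 3), code 4 = Fragmentation Needed and
 * DF set (RFC 792 / RFC 1191). Bytes 6-7 of the header carry Next-Hop MTU. */
#define ICMP_DEST_UNREACH 3
#define ICMP_FRAG_NEEDED  4

/* RFC 1071 Internet checksum over the ICMP header plus quoted datagram. */
static uint16_t icmp_checksum(const uint8_t *d, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(d[i] << 8 | d[i + 1]);
    if (len & 1)                          /* odd trailing byte is padded with 0 */
        sum += (uint32_t)d[len - 1] << 8;
    while (sum >> 16)                     /* fold carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Write the 8-byte ICMP header followed by the quoted original datagram
 * (IP header + at least 8 bytes). Returns bytes written, 0 if buf is too small. */
size_t build_frag_needed(uint8_t *buf, size_t cap, uint16_t next_hop_mtu,
                         const uint8_t *orig, size_t orig_len)
{
    if (cap < 8 + orig_len) return 0;
    buf[0] = ICMP_DEST_UNREACH;
    buf[1] = ICMP_FRAG_NEEDED;
    memset(buf + 2, 0, 4);                /* checksum (filled below) + unused */
    buf[6] = next_hop_mtu >> 8;           /* Next-Hop MTU, network byte order */
    buf[7] = next_hop_mtu & 0xff;
    memcpy(buf + 8, orig, orig_len);
    uint16_t ck = icmp_checksum(buf, 8 + orig_len);
    buf[2] = ck >> 8;
    buf[3] = ck & 0xff;
    return 8 + orig_len;
}

/* Validate a captured ICMP message: returns the advertised MTU for a
 * frag-needed message whose checksum verifies, -1 otherwise. */
int parse_frag_needed(const uint8_t *pkt, size_t len)
{
    if (len < 8 || pkt[0] != ICMP_DEST_UNREACH || pkt[1] != ICMP_FRAG_NEEDED)
        return -1;
    if (icmp_checksum(pkt, len) != 0)     /* a valid packet sums to zero */
        return -1;
    return pkt[6] << 8 | pkt[7];
}
```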


License:Apache License 2.0
