stoops / nf_df


usage example #1

Open deeiche opened 10 months ago

deeiche commented 10 months ago

I want to strip the DF bit on traffic I'm sending through an Ethernet over IP tunnel and your code looks like it might be what I need. However, there is no usage explanation in the README. Also, this is on Debian 10, 4.19.0-25-amd64.

The EOIP module is built from code from here, https://github.com/bbonev/eoip .

stoops commented 10 months ago

Oh hey, apologies, I'm bad at providing instructions on this stuff :) I wrote a super basic readme (https://github.com/stoops/nf_df/blob/main/README.md) and a short blog post (https://fossjon.com/2022/11/10/implementing-pf-scrub-no-df-bit-in-a-netfilter-linux-kernel-module-hook-ipv4-packet-header-rewrite/), however I didn't really explain very well how to install or run it.

There's a Makefile included, and when I compiled and ran the kernel module I did so under the Debian Linux distribution (I don't know what would be required for other Linux ones though). Basically, if I remember correctly, I checked out the code into a folder, installed the apt-get dependencies, ran the make command and then the insmod command thereafter.

deeiche commented 10 months ago

ahhh, it took me a moment to completely understand nf_df: with this module DF is cleared on all IP packets, it is not applied by an iptables rule. It took me a moment to understand that nf_df replicates PF "scrub-all no-df", even though that was pretty evident when I reread the blog post.

I was looking for something that extended iptables so I could clear the DF flag on particular flows. Mikrotik and OpenBSD both have the ability to clear the DF flag on IP traffic going through an EOIP tunnel.

sorry for the noise.

stoops commented 10 months ago

Hey, that's alright - your observation is correct, I didn't really post a good usage example of it, but I originally wrote it to modify all packets coming into the system (I wasn't sure how to hook it into iptables/nftables, but that would have been cool too). You might be able to work with the C code to adjust it somehow, but I'm not exactly an expert on it; it was more of an experiment that I had used at the time for my personal home network-wide VPN setup, where I wanted a router to be able to fragment packets over a smaller MTU WireGuard link.
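For readers wondering what a "scrub no-df" hook actually has to do to each packet, here is the per-packet IPv4 header rewrite modelled in userspace C; this is an added example, not code from nf_df or the eoip project, and the sample header, checksum values and function names are constructed assumptions. It clears the DF bit in the flags/fragment-offset word and recomputes the RFC 1071 header checksum, which is the same edit a netfilter hook applies to the sk_buff's IP header (the module's own hook additionally has to deal with kernel checksum offload state, which this model leaves out).

```c
#include <stdint.h>
#include <string.h>
#define IP_DF 0x4000  /* Don't Fragment bit in the flags/frag_off word */
/* RFC 1071 one's-complement checksum over an IPv4 header. */
static uint16_t ipv4_checksum(const uint8_t *h, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)(h[i] << 8 | h[i + 1]);
    if (len & 1) sum += (uint32_t)h[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Header length in bytes, or 0 if the buffer does not look like IPv4. */
static size_t ipv4_hlen(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    return (ihl >= 20 && ihl <= len) ? ihl : 0;
}
/* A header summed together with its own checksum field folds to 0 when valid. */
int ipv4_checksum_ok(const uint8_t *pkt, size_t len) {
    size_t ihl = ipv4_hlen(pkt, len);
    return ihl != 0 && ipv4_checksum(pkt, ihl) == 0;
}
/* Clear DF in place and rewrite the checksum, as a scrub no-df hook does for
   every packet. Returns 1 if DF was cleared, 0 if already clear or not IPv4. */
int clear_df(uint8_t *pkt, size_t len) {
    size_t ihl = ipv4_hlen(pkt, len);
    if (ihl == 0) return 0;
    uint16_t frag = (uint16_t)(pkt[6] << 8 | pkt[7]);
    if (!(frag & IP_DF)) return 0;
    frag &= (uint16_t)~IP_DF;
    pkt[6] = (uint8_t)(frag >> 8); pkt[7] = (uint8_t)frag;
    pkt[10] = pkt[11] = 0;                  /* zero the field before recomputing */
    uint16_t csum = ipv4_checksum(pkt, ihl);
    pkt[10] = (uint8_t)(csum >> 8); pkt[11] = (uint8_t)csum;
    return 1;
}
/* Constructed sample: IPv4/UDP header 192.168.0.1 -> 192.168.0.199, DF set,
   checksum 0xb861 (valid). Clearing DF must yield checksum 0xf861. */
static const uint8_t SAMPLE[20] = { 0x45,0x00,0x00,0x73, 0x00,0x00,0x40,0x00,
    0x40,0x11,0xb8,0x61, 0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0xc7 };
/* Rewrite a copy of SAMPLE; returns the new checksum, or 0 on any failed check. */
uint16_t demo_clear_df(void) {
    uint8_t pkt[20]; memcpy(pkt, SAMPLE, 20);
    if (!ipv4_checksum_ok(pkt, 20) || clear_df(pkt, 20) != 1) return 0;
    if (!ipv4_checksum_ok(pkt, 20) || (pkt[6] & 0x40)) return 0;
    if (clear_df(pkt, 20) != 0) return 0;   /* second pass is a no-op */
    return (uint16_t)(pkt[10] << 8 | pkt[11]);
}
```

Clearing DF only makes the router willing to fragment; if the inner MTU is still larger than the tunnel path MTU, the resulting fragments (and any filtering of them downstream) are what you will see on the wire, so check that path with ping -M do style probes before and after loading the module.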