ECN testing configuration
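#!/bin/bash
# ECN testing configuration.
#
# This script depends upon the conntrack, connmark, connbytes, ecn and u32 match/target
# modules of iptables. These are installed by default on the Linux boxes we employed, but
# if your distribution is older you may need to update your kernel and iptables. Every
# command below writes kernel state, so the script must be run as root.
#
# Careful: this script FLUSHES the filter and mangle tables. `iptables -F` removes every
# existing rule but leaves the chain policies untouched, so on a host whose policies are
# ACCEPT this strips the firewall entirely, and on a host whose policies are DROP it will
# block all traffic (no ACCEPT rules are added here). The mangle rules also deliberately
# set CE on *all* TCP data leaving and entering the box until the tables are flushed
# again. Run it only on a dedicated, disposable test machine.
set -eu   # abort on the first failing command rather than leaving a half-applied ruleset

if [[ $EUID -ne 0 ]]; then
  printf 'This script must run as root (it flushes iptables and writes sysctls).\n' >&2
  exit 1
fi
printf 'WARNING: flushing the iptables filter and mangle tables on this host.\n' >&2

# The nf_conntrack sysctl and sysfs tunables written below only exist once the module is
# loaded. The module may also be built into the kernel, in which case modprobe is a no-op
# or may fail; the sysctl below still fails loudly if conntrack is genuinely unavailable.
modprobe nf_conntrack || true

iptables -t filter -F
iptables -t mangle -F

# Make sure that ECN is negotiated on outgoing connections.
sysctl -w net.ipv4.tcp_ecn=1
# Raise the SYN retry budget: SYNs 3 and 4 of each connection are rewritten to non-ECN
# below, so we need enough retries left for a plain SYN to get out if the ECN ones are
# blackholed.
sysctl -w net.ipv4.tcp_syn_retries=6
# Increase the capacity of the connection tracking system. NOTE: this has to be sized for
# the memory of the machine; 16M entries is a large table and not a general-purpose value.
sysctl -w net.nf_conntrack_max=16777216
echo 1048576 > /sys/module/nf_conntrack/parameters/hashsize

# Set a low MSS on every outbound SYN to maximize the number of packets we receive from
# the server.
iptables -t mangle -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 300

# Check to see if the connection is ECN enabled:
#  - connmark 1: our SYN carried CWR+ECE with ECT 0 (we requested ECN)
#  - connmark 6: the SYN/ACK answered with ECE only (the peer accepted ECN)
iptables -t filter -A OUTPUT -p tcp --syn -m ecn --ecn-tcp-cwr --ecn-tcp-ece --ecn-ip-ect 0 -j CONNMARK --set-mark 1
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m connmark --mark 1 -m ecn ! --ecn-tcp-cwr --ecn-tcp-ece -j CONNMARK --set-mark 6

# If we don't get a SYN/ACK after 2 attempts (a possible SYN/ECN blackhole), remove the
# ECN bits from the next two SYNs and see if we can connect:
#   original SYN, retry 1: ECN
#   retry 2, retry 3:      non-ECN
# The connbytes match counts packets in the original direction, so 3:4 selects the
# third and fourth SYN of a still-NEW connection.
iptables -t mangle -A OUTPUT -p tcp -m conntrack --ctstate NEW \
  -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 3:4 \
  -j ECN --ecn-tcp-remove

# We keep setting CE on all outbound TCP packets with data until we hear an ECE.
# The u32 rule marks TCP packets that carry payload (mark 8); the POSTROUTING rule turns
# that mark into TOS 3 (CE); the INPUT rule clears connmark bit 4 once the peer sends ECE.
iptables -t filter -A OUTPUT -p tcp -m connmark --mark 4/4 -m u32 --u32 "6 & 0xFF = 6 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 0 & 0xFF = 0x0:0xFF" -j MARK --set-mark 8
iptables -t filter -A INPUT -p tcp ! --tcp-flags SYN SYN -m ecn --ecn-tcp-ece -m connmark --mark 4/4 -j CONNMARK --set-mark 0/4
iptables -t mangle -A POSTROUTING -p tcp -m mark --mark 8 -j TOS --set-tos 3

# We keep causing our TCP stack to set ECE on all outbound TCP packets until we hear a CWR,
# by setting CE on all inbound data packets (from the second reply packet onwards) while
# connmark bit 2 is set; an inbound CWR clears the bit.
iptables -t mangle -A INPUT -p tcp ! --tcp-flags SYN SYN -m ecn --ecn-tcp-cwr -m connmark --mark 2/2 -j CONNMARK --set-mark 0/2
iptables -t mangle -A INPUT -p tcp -m connmark --mark 2/2 -m connbytes --connbytes 2: --connbytes-dir reply --connbytes-mode packets -j TOS --set-tos 3

echo "******** Filter *************"
iptables -t filter -L -v
echo "******** Mangle *************"
iptables -t mangle -L -v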