ECN testing configuration
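#!/bin/bash
#
# ECN testing configuration.
#
# Flushes the filter and mangle tables, tunes the kernel for ECN and a large
# connection-tracking table, then installs rules that (1) mark connections
# whose SYN carried ECN, (2) strip the ECN bits from SYN retries 3 and 4 to
# get past a possible SYN/ECN blackhole, and (3) keep signalling CE / ECE
# until the peer answers with ECE / CWR.  Finally the resulting rule sets
# are listed.
#
# Must be run as root: sysctl, iptables and the /sys write all require it.
set -euo pipefail

readonly CONNTRACK_MAX=16777216
readonly CONNTRACK_HASHSIZE=1048576
readonly TEST_MSS=300

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail before anything is changed rather than half-applying the setup.
(( EUID == 0 )) || die "must be run as root"
command -v iptables >/dev/null || die "iptables not found in PATH"
command -v sysctl >/dev/null || die "sysctl not found in PATH"

# NOTE: this discards every existing rule in the filter and mangle tables
# (chain policies are left as they are); intended for a dedicated test host.
iptables -t filter -F
iptables -t mangle -F

# Make sure that ecn is turned on for outgoing connections
sysctl -w net.ipv4.tcp_ecn=1
# Modify tcp syn retries as we mangle SYNs 3 and 4 to be non-ECN
sysctl -w net.ipv4.tcp_syn_retries=6
# Increase the capacity of the connection tracking system (note this has to
# be sized for the memory of the machine).  Both settings need the
# nf_conntrack module to be loaded already.
sysctl -w net.nf_conntrack_max="${CONNTRACK_MAX}"
printf '%s\n' "${CONNTRACK_HASHSIZE}" > /sys/module/nf_conntrack/parameters/hashsize \
  || die "cannot set conntrack hashsize (is nf_conntrack loaded?)"

# Set a low mss to maximize the number of packets we receive from the server
iptables -t mangle -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "${TEST_MSS}"

# Check to see if the connection is ECN enabled
iptables -t filter -A OUTPUT -p tcp --syn -m ecn --ecn-tcp-cwr --ecn-tcp-ece --ecn-ip-ect 0 -j CONNMARK --set-mark 1
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m connmark --mark 1 -m ecn ! --ecn-tcp-cwr --ecn-tcp-ece -j CONNMARK --set-mark 6

# If we don't get a SYN/ACK after 2 attempts (a possible SYN/ECN blackhole),
# let's remove the bits and see if we can connect
# orig retry1: ECN
# retry2 retry3: non-ECN
# (--connbytes-dir / --connbytes-mode are given once each; repeating a
# connbytes option is rejected by current iptables.)
iptables -t mangle -A OUTPUT -p tcp -m conntrack --ctstate NEW -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 3:4 -j ECN --ecn-tcp-remove

# We keep setting CE on all outbound TCP packets with data until we hear a ECE.
# (The first rule marks all TCP packets with data.)
iptables -t filter -A OUTPUT -p tcp -m connmark --mark 4/4 -m u32 --u32 "6 & 0xFF = 6 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 0 & 0xFF = 0x0:0xFF" -j MARK --set-mark 8
iptables -t filter -A INPUT -p tcp ! --tcp-flags SYN SYN -m ecn --ecn-tcp-ece -m connmark --mark 4/4 -j CONNMARK --set-mark 0/4
iptables -t mangle -A POSTROUTING -p tcp -m mark --mark 8 -j TOS --set-tos 3

# We keep causing our TCP stack to set ECE on all outbound TCP packets until
# we hear a CWR by setting CE on all inbound data packets
iptables -t mangle -A INPUT -p tcp ! --tcp-flags SYN SYN -m ecn --ecn-tcp-cwr -m connmark --mark 2/2 -j CONNMARK --set-mark 0/2
iptables -t mangle -A INPUT -p tcp -m connmark --mark 2/2 -m connbytes --connbytes 2: --connbytes-dir reply --connbytes-mode packets -j TOS --set-tos 3

# Show what was installed.  We are already root, so no sudo is needed here.
printf '\n******** Filter *************\n\n'
iptables -t filter -L -v
printf '\n******** Mangle *************\n\n'
iptables -t mangle -L -v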