I think you can intercept and drop the ICMP packet from userspace as well, if
you have the right modules installed in iptables/Xtables. But I haven't looked
closely lately (I just patched the kernel code in a kernel that probably
predated iptables itself). Probably need "root", but on the router itself, you
have root.

This CMTS-queue-management is a router function anyway, for the router adjacent
to the cable modem/CMTS. Using it from ordinary clients and servers probably
just generates randomness.

The only difference from tcptraceroute (note the tcp in front) is that you
sneak into an active TCP connection selected for active full size packet
transfer.

I'll have to trace the logic in the current Internet stack in the latest
kernels, but I'm pretty sure that iptables processes packets very low in the
stack. It ought to - one of the things you might want to do is reject forged
ICMP packets, or not forward them.
-----Original Message-----
From: "Michael Richardson" <[email protected]>
Sent: Monday, November 26, 2012 4:27pm
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: [Cerowrt-devel] [Cerowrt-users] QOS settings vs speedboost and
random bandwidth
>>>>> "dpreed" == dpreed <[email protected]> writes:

dpreed> It observed the IPv4 headers of *large* TCP/IP datagrams
dpreed> going upstream, so that it could construct "no-op"
dpreed> "content-free" datagrams that would certainly pass muster
dpreed> through all the filters and be routed exactly the same as
dpreed> the TCP/IP datagrams that were carrying large flows. It
dpreed> would remember only the most recent one.

I don't know that you need to be so precise in creating the packet, but
I guess the point is not just the ACLs, but also any traffic shapers?

dpreed> The TTL expiration causes an ICMP packet to be sent back.
dpreed> My code intercepts that packet based on its contents, and
dpreed> removes it as "handled" before it gets processed by the
dpreed> TCP/IP state machines.

This is perhaps the biggest problem with this method... having to remove
the magic ICMP so that it does no harm. Without this requirement, it
could be done entirely in userspace I think.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [email protected] http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
_______________________________________________
Cerowrt-devel mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cerowrt-devel
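The part of the thread that both posters circle around is the "handled" step: the ICMP Time Exceeded that answers a TTL-limited probe has to be recognised by its contents and dropped before the host's TCP stack sees it, while every other ICMP (including forged or corrupted ones) must pass through untouched. The following is an added example, not dpreed's code and not CeroWrt code, that shows the matching logic in userspace. It assumes the probe copies the 5-tuple of a live upstream TCP flow and a sequence number the sender records (assumption), that the router's reply quotes the inner IPv4 header plus the first 8 bytes of TCP as RFC 792 requires, and that in a real deployment the packets would arrive from an iptables NFQUEUE target rather than, as here, from constructed bytes.

```python
"""Userspace filter for ICMP Time Exceeded replies to TTL-limited TCP probes.

Added example for the thread above; not dpreed's or CeroWrt code. Packets are
constructed in-process so it runs offline. In practice the bytes would be
handed over by an iptables NFQUEUE rule (assumption) and the verdict returned.
"""
import socket
import struct

ICMP_TIME_EXCEEDED = 11
IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_tcp_stub(sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP header, ACK flag, no data: the 'content-free' probe body.
    The TCP checksum is left zero; this example never delivers the segment."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x10, 0, 0, 0)


def build_probe(src, dst, sport, dport, seq, ttl) -> bytes:
    """Probe that copies a live flow's addresses and ports but carries no data."""
    return build_ipv4(src, dst, IPPROTO_TCP, build_tcp_stub(sport, dport, seq), ttl)


def build_time_exceeded(router: str, probe_src: str, expired: bytes) -> bytes:
    """ICMP Time Exceeded (type 11, code 0) as a router would emit it: the quote
    is the expired packet's IPv4 header plus 8 bytes, i.e. ports and sequence."""
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + expired[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(router, probe_src, IPPROTO_ICMP, icmp, ttl=64)


def parse_time_exceeded(packet: bytes):
    """Return the quoted TCP 5-tuple and sequence number, or None when the packet
    is not a well-formed ICMP Time Exceeded that quotes a TCP segment."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8 or inet_checksum(packet[:ihl]) != 0:
        return None
    icmp = packet[ihl:]
    # A bad ICMP checksum means we cannot be sure it is ours: leave it alone.
    if icmp[0] != ICMP_TIME_EXCEEDED or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != IPPROTO_TCP or len(inner) < inner_ihl + 8:
        return None
    sport, dport, seq = struct.unpack("!HHI", inner[inner_ihl:inner_ihl + 8])
    return {"router": socket.inet_ntoa(packet[12:16]),
            "src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport, "seq": seq}


class ProbeTable:
    """Outstanding probes keyed by what the ICMP quote will contain. Only an ICMP
    that answers a registered probe is claimed; everything else is accepted."""

    def __init__(self):
        self._pending = {}

    def register(self, src, dst, sport, dport, seq, ttl, sent_at):
        self._pending[(src, dst, sport, dport, seq)] = (ttl, sent_at)

    def classify(self, packet: bytes, now: float):
        """('drop', measurement) for a reply to one of our probes, else ('accept', None)."""
        q = parse_time_exceeded(packet)
        if q is None:
            return ("accept", None)
        entry = self._pending.pop((q["src"], q["dst"], q["sport"], q["dport"], q["seq"]), None)
        if entry is None:
            return ("accept", None)
        ttl, sent_at = entry
        return ("drop", {"hop": ttl, "router": q["router"], "rtt_ms": (now - sent_at) * 1000.0})


def demo():
    """Constructed exchange (all addresses and timings are made up for the example)."""
    table = ProbeTable()
    src, dst, sport, dport, seq = "10.0.0.2", "93.184.216.34", 51000, 443, 0x12345678
    probe = build_probe(src, dst, sport, dport, seq, ttl=2)
    table.register(src, dst, sport, dport, seq, ttl=2, sent_at=1000.0)
    reply = build_time_exceeded("10.0.0.1", src, probe)
    # A corrupted copy of the reply (last byte flipped, checksum now wrong) is not claimed.
    damaged = table.classify(reply[:-1] + bytes([reply[-1] ^ 0xFF]), now=1000.01)
    ours = table.classify(reply, now=1000.0125)
    # A Time Exceeded quoting a different sequence number passes through untouched.
    other = build_time_exceeded("10.0.0.1", src, build_probe(src, dst, sport, dport, seq + 1, ttl=2))
    stranger = table.classify(other, now=1000.02)
    return ours, stranger, damaged


if __name__ == "__main__":
    print(demo())
```

The verdict is deliberately narrow: the filter pops an entry only when the quoted source, destination, ports and sequence number all match a probe it sent, and it does not touch ICMP whose checksum fails, so a forged or mangled Time Exceeded is handed to the stack exactly as it would be without the filter. Whether a given ICMP would have harmed the TCP state machine is a separate question the thread leaves open; the example only implements the "remove it as handled" step.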