Adding ECN strip functions

2010-06-19 21:41:27 +00:00 · 2010-06-19 21:41:27 +00:00 · 2a620be8ef
parent b8cd81bc6a
commit 2a620be8ef
3 changed files with 15 additions and 0 deletions
--- a/1
+++ b/1
@ -1,5 +1,6 @@
 0.8 - Brielle Bruns <bruns@2mbit.com>
 	- IPv6 Connection Tracking fixes
+	- Strip ECN off of specific outbound packets

 0.7 - Brielle Bruns <bruns@2mbit.com>
 	- MSS Clamp on IPv6
--- a/options.default
+++ b/options.default
@ -60,6 +60,10 @@ NATEXTIF="eth0"
 # IP Ranges to block all traffic incoming/outgoing
 BLOCKEDIP=$BASEDIR/blocked

+# Strip ECN off of packets - helps with blackholes
+# Either individual IPs or 0.0.0.0/0
+STRIPECN="0.0.0.0/0"
+

 # IPv6 related features.  Commenting out IPV6 variable disables ALL
 # IPv6 related items
--- a/rc.firewall
+++ b/rc.firewall
@ -44,6 +44,16 @@ if [ $BLOCKEDIP ]; then
 echo -ne "\n"
 fi

+if [ "$STRIPECN" ]; then
+	for i in $STRIPECN; do
+		echo "Stripping ECN off of TCP packets to $i"
+		$IPTABLES -A PREROUTING -t mangle -p tcp -d $i -j ECN \
+			--ecn-remove 1
+	done
+echo -ne "\n"
+fi
+
+
 if [ "$CLAMPMSS" ]; then
 	echo "Clamping MSS to PMTU..."
 	for i in $CLAMPMSS; do