I think you can intercept and drop the ICMP packet from userspace as well, if you have the right modules installed in iptables/Xtables.  But I haven't looked closely lately  (I just patched the kernel code in a kernel that probably predated iptables itself).  Probably need "root", but on the router itself, you have root.

 

This CMTS-queue-management is a router function anyway, for the router adjacent to the cable modem/CMTS.  Using it from ordinary clients and servers probably just generates randomness.

 

The only difference from tcptraceroute (note the tcp in front) is that you sneak into an active TCP connection selected for active full size packet transfer.

 

I'll have to trace the logic in the current Internet stack in the latest kernels, but I'm pretty sure that iptables processes packets very low in the stack.  It ought to - one of the things you might want to do is reject forged ICMP packets, or not forward them.

 

-----Original Message-----
From: "Michael Richardson" <mcr@sandelman.ca>
Sent: Monday, November 26, 2012 4:27pm
To: dpreed@reed.com
Cc: cerowrt-users@lists.bufferbloat.net, cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] [Cerowrt-users] QOS settings vs speedboost and random bandwidth


>>>>> "dpreed" == dpreed <dpreed@reed.com> writes:
dpreed> It observed the IPv4 headers of *large* TCP/IP datagrams
dpreed> going upstream, so that it could construct "no-op"
dpreed> "content-free" datagrams that would certainly pass muster
dpreed> through all the filters and be routed exactly the same as
dpreed> the TCP/IP datagrams that were carrying large flows. It
dpreed> would remember only the most recent one.

I don't know that you need to be so precise in creating the packet, but
I guess the point is not just the ACLs, but also any traffic shapers?

dpreed> The TTL expiration causes an ICMP packet to be sent back.
dpreed> My code intercepts that packet based on its contents, and
dpreed> removes it as "handled" before it gets processed by the
dpreed> TCP/IP state machines.

This is perhaps the biggest problem with this method... having to remove
the magic ICMP so that it does no harm. Without this requirement, it
could be done entirely in userspace I think.

--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.