From: Dave Taht <dave.taht@gmail.com>
To: "Toke Høiland-Jørgensen" <toke@toke.dk>
Cc: "cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] cerowrt-3.10.32-9 released
Date: Mon, 17 Mar 2014 07:55:27 -0700
Message-ID: <CAA93jw6r4Cj8RXruHxQrC1ojJD6et8Bo78-Og+MNh6zmsaiZBw@mail.gmail.com>
In-Reply-To: <87eh20lwx5.fsf@toke.dk>

On Mon, Mar 17, 2014 at 7:30 AM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> Dave Taht <dave.taht@gmail.com> writes:
>
>> At least one Blu-ray player we know of isn't working through the
>> default dhcp/dns/upnp setup.
>
> Why would a Blu-ray player need upnp? *shudder*

It's a Sony. Where products from that org are concerned, I tend to
suspect they will be reporting back to the mothership.

>> I've modeled something that basically should work in my bcp38 repo.
>
> So, not sure exactly how it's supposed to work; does this hook into the
> firewall after NAT'ing has been applied? Otherwise you'd presumably need
> to add exceptions for the configured internal network(s)? (I think that
> may be what is going on in the bcp script at ln 38, but some sort of
> auto-detection of the relevant network(s) would be needed? Or as a
> minimum a whitelist configuration option?)

It would hook into the wan firewall rules regardless of NAT. So there is
no need to specifically exempt internal addresses. The situation we want
to prevent is packets sourced from a NATted address exiting the wan.

Say your network is 172.30.42.0/24.

Someone starts pinging 172.29.42.1 from inside your network. The default
non-source-specific route will then send those packets out the wan, with
a source address of your default gw and a destination of 172.29.42.1...
where they will wander the internet until someone drops them, which can be
quite far out. In the case of the dsl box I'm testing today, they do
get dropped at the first hop. On cable I've seen 3-5 hops.

I didn't claim it all worked yet. The core remaining problem is detecting
a double nat situation via some dhcp hook and adding an exception for that
network and its default netmask and default gateway.

>
> Could double-nat be detected from wan iface hotplug or somesuch?

I would hope so. But haven't found the hook yet. (and the resulting
table needs to be preserved across dhcp renews and other network
activity, which is in part why it's not set up in the firewall rules in
the testy scripts...)

>> That said, surviving an ipv6 renumber is a problem. Many clients
>> probably don't respect an address assignment lifetime.
>
> Application-transparent MPTCP from the operating system with automatic
> failover? Pretty please? :)

Linux kernel patches for that are available. They are quite invasive and I
don't know when they will make mainline linux.

http://multipath-tcp.org/pmwiki.php?n=Main.Release88

I'd like to see netperf support added to that.

>
> -Toke
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
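
The WAN egress check and the double-NAT exception discussed in this message, modelled as an added example (not code from the message or from the bcp38 repo). The RFC 1918 block list, the function names and the WAN lease values are assumptions made for the illustration.

```python
import ipaddress

# Assumed block list for this sketch: the RFC 1918 private ranges.
BLOCKED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def double_nat_exception(wan_addr, wan_prefixlen):
    """If the WAN lease is itself inside blocked space (double NAT),
    return the upstream network to exempt; otherwise return None."""
    iface = ipaddress.ip_interface(f"{wan_addr}/{wan_prefixlen}")
    if any(iface.ip in net for net in BLOCKED):
        return iface.network
    return None


def verdict(dst, lan_nets, wan_addr, wan_prefixlen):
    """Model the path of a LAN-originated packet to `dst`.

    LOCAL  : destination is on a configured LAN, never reaches the WAN hook
    ACCEPT : leaves via the WAN
    DROP   : private destination that would leak out the default route
    """
    addr = ipaddress.ip_address(dst)
    if any(addr in ipaddress.ip_network(n) for n in lan_nets):
        return "LOCAL"
    exempt = double_nat_exception(wan_addr, wan_prefixlen)
    if exempt is not None and addr in exempt:
        return "ACCEPT"
    if any(addr in net for net in BLOCKED):
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    lan = ["172.30.42.0/24"]  # network from the message
    # Constructed WAN leases: one public (documentation range), one double NAT.
    for wan in (("203.0.113.7", 24), ("192.168.1.50", 24)):
        for dst in ("172.30.42.5", "172.29.42.1", "192.168.1.1", "198.51.100.9"):
            print(wan[0], dst, verdict(dst, lan, *wan))
```

Because the check sits on the WAN path, traffic between configured LAN addresses never reaches it, which is why no internal exemption is modelled; only the upstream network learned from the WAN lease is exempted.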