Книга: Iptables Tutorial 1.2.2
Ecn match
Ecn match
The ecn match is used to match on the different ECN fields in the TCP and IPv4 headers. ECN is described in detail in the RFC 3168 - The Addition of Explicit Congestion Notification (ECN) to IP RFC. The match is explicitly loaded by using -m ecn in the command line. The ecn match takes three different options as described below.
Table 10-14. Ecn match options
| Match | --ecn |
| Kernel | 2.4, 2.5 and 2.6 |
| Example | iptables -A INPUT -p tcp -m ecn --ecn-tcp-cwr |
| Explanation | This match is used to match the CWR (Congestion Window Received) bit, if it has been set. The CWR flag is set to notify the other endpoint of the connection that they have received an ECE, and that they have reacted to it. Per default this matches if the CWR bit is set, but the match may also be inversed using an exclamation point. |
| Match | --ecn-tcp-ece |
| Kernel | 2.4, 2.5 and 2.6 |
| Example | iptables -A INPUT -p tcp -m ecn --ecn-tcp-ece |
| Explanation | This match can be used to match the ECE (ECN-Echo) bit. The ECE is set once one of the endpoints has received a packet with the CE bit set by a router. The endpoint then sets the ECE in the returning ACK packet, to notify the other endpoint that it needs to slow down. The other endpoint then sends a CWR packet as described in the --ecn-tcp-cwr explanation. This matches per default if the ECE bit is set, but may be inversed by using an exclamation point. |
| Match | --ecn-ip-ect |
| Kernel | 2.4, 2.5 and 2.6 |
| Example | iptables -A INPUT -p tcp -m ecn --ecn-ip-ect 1 |
| Explanation | The --ecn-ip-ect match is used to match the ECT (ECN Capable Transport) codepoints. The ECT codepoints has several types of usage. Mainly, they are used to negotiate if the connection is ECN capable by setting one of the two bits to 1. The ECT is also used by routers to indicate that they are experiencing congestion, by setting both ECT codepoints to 1. The ECT values are all available in the in the ECN Field in IP table below. |
| The match can be inversed using an exclamation point, for example ! --ecn-ip-ect 2 which will match all ECN values but the ECT(0) codepoint. The valid value range is 0-3 in iptables. See the above table for their values. |
Table 10-15. ECN Field in IP
| Iptables value | ECT | CE | [Obsolete] RFC 2481 names for the ECN bits. |
|---|---|---|---|
| 0 | 0 | 0 | Not-ECT, ie. non-ECN capable connection. |
| 1 | 0 | 1 | ECT(1), New naming convention of ECT codepoints in RFC 3168. |
| 2 | 1 | 0 | ECT(0), New naming convention of ECT codepoints in RFC 3168. |
| 3 | 1 | 1 | CE (Congestion Experienced), Used to notify endpoints of congestion |
Оглавление книги
Оглавление статьи/книги
- Addrtype match
- AH/ESP match
- Comment match
- Connmark match
- Conntrack match
- Dscp match
- Ecn match
- Hashlimit match
- Helper match
- IP range match
- Length match
- Limit match
- Mac match
- Mark match
- Multiport match
- Owner match
- Packet type match
- Realm match
- Recent match
- State match
- Tcpmss match
- Tos match
- Ttl match
- Unclean match