rejwreply: a Linux kernel patch that adds echo-reply as a feedback type of the iptables REJECT rule.

rejwreply

rejwreply is a Linux kernel patch set that adds echo-reply as a new feedback type in the iptables REJECT rule. This patch enables Linux to emulate thousands of targets in high-speed ICMP probing (thousands of requests per second) without overflowing the connection tracking table and dropping requests.

introduction

rejwreply is a Linux kernel patch set that adds echo-reply as a feedback type in the iptables REJECT rule.

We need this improvement because we want to use one Linux box to emulate thousands of ICMP echo targets (say a whole /16 block) for experiments. Today a Linux computer can reply to ICMP echo requests for other addresses using iptables DNAT rules. However, when there are thousands of targets and thousands of requests per second, the iptables connection tracking table overflows and drops most requests, breaking our experiment.

We fix this performance problem by adding echo-reply as a new feedback type for iptables REJECT rules. iptables REJECT rules do not require connection tracking, so this addition addresses the overflow and allows a single computer to generate ICMP echo replies for thousands of IP addresses.

We ping 655,360 addresses at 12,800 pings/s. With DNAT rules, we see around 80% of requests dropped by the target box. In comparison, with our new rules, we see no drops at the target box.
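The following is an added example, not part of the rejwreply patch set, that prints (without applying) the two configurations compared above, the DNAT baseline and the REJECT-based replacement, and estimates how many conntrack entries the DNAT approach needs at a given request rate. The emulated block 10.0.0.0/16, the local address 192.0.2.1, the placement of the REJECT rule in the FORWARD chain, the 30 s ICMP conntrack timeout and the 65536 conntrack table size are assumptions made for illustration; the exact name of the new --reject-with type is not stated in this README and is held in REPLY_TYPE.

```shell
#!/bin/sh
# Added example, not code from the rejwreply patch set. Prints iptables
# commands for the two approaches the README compares and estimates the
# conntrack load of the DNAT approach. Nothing here is applied.
# Assumptions: block 10.0.0.0/16 and local address 192.0.2.1 are
# constructed; REPLY_TYPE is the assumed name of the new reject type.

REPLY_TYPE="echo-reply"   # assumption: spelling of the new --reject-with type

# Baseline: DNAT every echo-request for the block to one local address.
# Each request creates a conntrack entry (src, dst, ICMP id), so the
# table fills at the request rate.
dnat_rules() {
  block="$1"; local_addr="$2"
  printf 'iptables -t nat -A PREROUTING -d %s -p icmp --icmp-type echo-request -j DNAT --to-destination %s\n' \
    "$block" "$local_addr"
}

# rejwreply: answer from the REJECT target instead; no conntrack entry.
# REJECT is only valid in INPUT/FORWARD/OUTPUT, so packets for the
# emulated block must reach FORWARD (forwarding on, a route for the
# block). Chain choice is an assumption of this example.
reject_rules() {
  block="$1"
  printf 'sysctl -w net.ipv4.ip_forward=1\n'
  printf 'iptables -A FORWARD -d %s -p icmp --icmp-type echo-request -j REJECT --reject-with %s\n' \
    "$block" "$REPLY_TYPE"
}

# Steady-state conntrack entries = request rate * ICMP entry timeout.
# Compare against /proc/sys/net/netfilter/nf_conntrack_max on the box.
estimate_conntrack_entries() {
  rate_per_s="$1"; icmp_timeout_s="$2"
  echo $((rate_per_s * icmp_timeout_s))
}

# Returns 0 when a table of size $3 holds the steady-state load, 1 otherwise.
conntrack_fits() {
  needed="$(estimate_conntrack_entries "$1" "$2")"
  [ "$needed" -le "$3" ]
}

# Usage: the README's 12,800 pings/s; 30 s is the usual default for
# nf_conntrack_icmp_timeout and 65536 a common default nf_conntrack_max
# (both assumed here; check the target box).
dnat_rules 10.0.0.0/16 192.0.2.1
reject_rules 10.0.0.0/16
printf 'steady-state conntrack entries with DNAT: %s\n' "$(estimate_conntrack_entries 12800 30)"
conntrack_fits 12800 30 65536 || echo "DNAT would overflow the conntrack table; REJECT path avoids it"
```

The estimate explains the drops seen with DNAT: at 12,800 requests/s and a 30 s ICMP entry lifetime the table needs about 384,000 live entries, several times a default-sized conntrack table, whereas the REJECT path creates no entries at all.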

This patch set includes a patch for the Linux kernel (tested against Linux kernel 4.4.0) and a patch for the iptables utility (tested against iptables 1.6.0). Both patches need to be installed to enable this new feature.