Andrea Rossato wrote:
> Being able to discriminate between good and bad guys is possible through a filtering rule,
> iptables -A POSTROUTING -t mangle -p tcp -d bad.guy.com -j ECN --ecn-tcp-remove.
> Now, the problem is the rule seems not to be working and I cannot connect to those hosts unless I turn ecn off (echo 0 > /proc/sys/net/ipv4/tcp_ecn), the wrong solution. I suspect I'm getting something wrong.

(just for documentation)
I was not getting anything wrong: there was a bug in checksum recalculation after application of the ECN target.
Patrick McHardy promptly posted a patch on the netfilter-devel mailing list.
(the patch is attached to the present message)
Now the rule is working just fine!!
(should I submit a patch proposal to LARTC to document the issue?)
andrea
--- net/ipv4/netfilter/ipt_ECN.c.orig 2002-12-09 23:14:20.000000000 +0100
+++ net/ipv4/netfilter/ipt_ECN.c 2002-12-09 23:13:27.000000000 +0100
@@ -88,8 +88,8 @@
}
if (diffs[0] != *tcpflags) {
- diffs[0] = htons(diffs[0]) ^ 0xFFFF;
- diffs[1] = htons(*tcpflags);
+ diffs[0] = diffs[0] ^ 0xFFFF;
+ diffs[1] = *tcpflags;
tcph->check = csum_fold(csum_partial((char *)diffs,
sizeof(diffs),
tcph->check^0xFFFF));
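Review bot: the htons() calls removed in this hunk were the bug. diffs[0] and *tcpflags are 16-bit words taken straight from the TCP header, so they are already in network byte order, and csum_partial() sums network-order halfwords; on a little-endian host the old code fed byte-swapped values into the incremental update and tcph->check came out wrong, which matches the failed connections with --ecn-tcp-remove reported above. Dropping the swap makes the update correct on both byte orders. Suggest a one-line comment above the `if (diffs[0] != *tcpflags)` check noting that diffs[] holds raw network-order halfwords, so the conversion is not reintroduced later, and a short description in the patch header saying that the TCP checksum was being miscomputed after the flags were rewritten.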
