Hi,

Having run into problems with /proc/sys/net/ipv4/tcp_ecn being 1 for Explicit Congestion Notification I first turned it off, and then found the kernel configuration options for modules to allow me to mangle it off per iptables rule. After some bashing of head against desk I found the syntax that works to add a rule:

    iptables -t mangle -A OUTPUT -o eth1 -p tcp -d IP/32 --match ecn --ecn-ip-ect 0 -j ECN --ecn-tcp-remove

This does indeed cause the appropriate flags to get stripped from the packet. Without it I see things like:

    07:31:40.610299 80.4.77.247.33917 > 212.250.5.117.80: SWE [tcp sum ok] 301537362:301537362(0) win 5840 <mss 1460,sackOK,timestamp 2075414 0,nop,wscale 0> (DF) (ttl 64, id 45892, len 60)

With it I now see:

    07:32:02.470307 80.4.77.247.33919 > 212.250.5.117.80: S [bad tcp cksum bf40!] 322522142:322522142(0) win 5840 <mss 1460,sackOK,timestamp 2077600 0,nop,wscale 0> (DF) (ttl 64, id 65470, len 60)

and the packets never seem to do much.

Of course once I'd added a few -v's to tcpdump as above I can see the problem "[bad tcp cksum bf40!]". It would seem that mangling the packet in this way is causing the tcp checksum to become invalid.

Is there something additional/different I should be doing in the rules, or is this just a plain bug in the ECN modules?

-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
  Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
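Added example, not part of the original post and not the kernel's ECN target code: a user-space C sketch of why clearing the ECE/CWR bits without touching the checksum field produces a segment that fails verification, and how an RFC 1624 incremental update of the one changed 16-bit word restores it. The function names, the documentation-range addresses and the 20-byte SYN are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample addresses (documentation ranges), not the hosts from the post. */
static const uint8_t SRC[4] = {192, 0, 2, 1}, DST[4] = {198, 51, 100, 2};

/* RFC 1071 one's-complement sum over big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc) {
    for (; len > 1; p += 2, len -= 2) acc += (uint32_t)p[0] << 8 | p[1];
    if (len) acc += (uint32_t)p[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}
/* Checksum over pseudo-header + segment; returns 0 when the embedded checksum is valid. */
uint16_t tcp_csum(const uint8_t *seg, size_t len) {
    uint32_t acc = sum16(DST, 4, sum16(SRC, 4, 0)) + 6 /* IPPROTO_TCP */ + (uint32_t)len;
    return (uint16_t)~fold(sum16(seg, len, acc));
}
/* RFC 1624 eqn 3: HC' = ~(~HC + ~m + m') for one changed 16-bit word m -> m'. */
uint16_t csum_update(uint16_t hc, uint16_t m_old, uint16_t m_new) {
    return (uint16_t)~fold((uint32_t)(uint16_t)~hc + (uint16_t)~m_old + m_new);
}
/* Constructed 20-byte SYN with CWR|ECE set (flags byte 0xc2) and a valid checksum. */
void make_syn(uint8_t seg[20]) {
    static const uint8_t t[20] = {0x84, 0x7d, 0x00, 0x50, 0x11, 0xf9, 0x18, 0x52, 0, 0, 0, 0,
                                  0x50, 0xc2, 0x16, 0xd0, 0, 0, 0, 0};
    memcpy(seg, t, 20);
    uint16_t c = tcp_csum(seg, 20);   /* checksum field is zero at this point */
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
}
/* Clear CWR (0x80) and ECE (0x40); optionally patch the checksum. Returns the verify result. */
uint16_t strip_ecn(uint8_t *seg, size_t len, int fix_csum) {
    uint16_t m_old = (uint16_t)(seg[12] << 8 | seg[13]);  /* offset/flags word */
    seg[13] &= 0x3f;
    uint16_t m_new = (uint16_t)(seg[12] << 8 | seg[13]);
    if (fix_csum) {
        uint16_t hc = csum_update((uint16_t)(seg[16] << 8 | seg[17]), m_old, m_new);
        seg[16] = (uint8_t)(hc >> 8); seg[17] = (uint8_t)hc;
    }
    return tcp_csum(seg, len);
}
int main(void) {
    uint8_t a[20], b[20];
    make_syn(a); make_syn(b);
    printf("flags only:      verify=0x%04x\n", strip_ecn(a, 20, 0));
    printf("flags + RFC1624: verify=0x%04x\n", strip_ecn(b, 20, 1));
    return 0;
}
```

A non-zero verify value is what a receiver computes before dropping the segment; the checksum covers the flags word, so any mangling of those bits has to be paired with a checksum adjustment.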