I am running a firewall based on the 2.4.20 kernel and iptables version 1.2.7a. Also, patch-o-matic is version 20020825.

I am trying to disable ECN per destination host, using the -j ECN target and the --ecn-tcp-remove option. When I try to connect to the hosts using the rule in the mangle table, if the tcp_ecn option is enabled, tcpdump shows a bad checksum. According to the documentation this is only a display bug, because tcpdump has a copy of the packet and does not see the entire info. Still, I cannot connect to the host. If I disable ECN entirely (by using /proc/sys/net/ipv4/tcp_ecn) the connection works perfectly.

Any clue or indication to achieve the desired results (ECN enabled in general, but disabled for some hosts)? I've searched the archives and found someone reporting a similar problem (http://lists.netfilter.org/pipermail/netfilter/2002-August/037228.html), but no answer.

Thanks in advance,
Marius Cristian CONSTANTIN
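
Removing the ECN bits from a TCP header (ECE and CWR, which an ECN-enabled host sets on its SYN) changes bytes covered by the TCP checksum, so the checksum has to be updated with them or the receiver discards the segment. The following is an added example, not part of the original post and not the netfilter code: it strips the bits from a constructed SYN with and without an RFC 1624 incremental update, and `checksum_ok` can be used to check a captured segment offline. Addresses, ports and header values are constructed.

```python
import socket
import struct

ECE, CWR = 0x40, 0x80  # TCP flag bits used for ECN negotiation (RFC 3168)
SRC, DST = "192.0.2.1", "198.51.100.7"  # constructed documentation addresses

def csum16(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers (protocol 6)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def build_syn(src, dst, sport, dport, flags) -> bytes:
    """Constructed 20-byte TCP header (no options) with a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 5840, 0, 0)
    c = csum16(pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", c) + hdr[18:]

def checksum_ok(src, dst, segment: bytes) -> bool:
    """A valid segment checksums to zero over pseudo-header plus segment."""
    return csum16(pseudo_header(src, dst, len(segment)) + segment) == 0

def strip_ecn(segment: bytes, fix_checksum: bool) -> bytes:
    """Clear ECE/CWR; optionally patch the checksum incrementally (RFC 1624)."""
    old_word, = struct.unpack("!H", segment[12:14])  # data offset + flags
    new_word = old_word & ~(ECE | CWR) & 0xFFFF
    out = bytearray(segment)
    out[12:14] = struct.pack("!H", new_word)
    if fix_checksum:
        old_c, = struct.unpack("!H", segment[16:18])
        # RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m')
        s = (~old_c & 0xFFFF) + (~old_word & 0xFFFF) + new_word
        while s >> 16:
            s = (s & 0xFFFF) + (s >> 16)
        out[16:18] = struct.pack("!H", ~s & 0xFFFF)
    return bytes(out)

if __name__ == "__main__":
    syn = build_syn(SRC, DST, 40000, 80, 0x02 | ECE | CWR)  # ECN-setup SYN
    for fix in (False, True):
        print("checksum updated:", fix, "-> valid:", checksum_ok(SRC, DST, strip_ecn(syn, fix)))
```

When checking a real capture, take it on the receiving host or on the wire after the firewall, since a capture on the sending machine can show checksums that have not been filled in yet.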