On Tue, 7 Jan 2003, Marius Cristian CONSTANTIN wrote:

> I am running a firewall based on 2.4.20 kernel and 1.2.7a iptables
> version. Also patch-o-matic is version 20020825.
> I am trying to disable ECN per destination host, using -j ECN target
> and --ecn-tcp-remove option.
> When I try to connect to the hosts using the rule in mangle table, if
> the tcp_ecn option is enabled, tcpdump shows bad checksum. According to
> documentation this is only a display bug, because tcpdump has a copy of
> packet, and does not see entire info. Still, I cannot connect to the host.
> If I disable ECN entirely (by using /proc/sys/net/ipv4/tcp_ecn)
> connection works perfectly. Any clue or indication to achieve the desired
> results (ECN enabled in general, but disabled for some hosts)?
> I've searched the archives, found someone reporting similar problem
> (http://lists.netfilter.org/pipermail/netfilter/2002-August/037228.html),
> but no answer.

Apparently you need the patch below - at least that works for me:

diff -urN linux-2.4.20.orig/net/ipv4/netfilter/ipt_ECN.c linux-2.4.20/net/ipv4/netfilter/ipt_ECN.c
--- linux-2.4.20.orig/net/ipv4/netfilter/ipt_ECN.c	2002-11-29 00:53:15.000000000 +0100
+++ linux-2.4.20/net/ipv4/netfilter/ipt_ECN.c	2002-12-28 20:08:20.000000000 +0100
@@ -87,8 +87,8 @@
 	}
 
 	if (diffs[0] != *tcpflags) {
-		diffs[0] = htons(diffs[0]) ^ 0xFFFF;
-		diffs[1] = htons(*tcpflags);
+		diffs[0] = diffs[0] ^ 0xFFFF;
+		diffs[1] = *tcpflags;
 		tcph->check = csum_fold(csum_partial((char *)diffs,
 						     sizeof(diffs),
 						     tcph->check^0xFFFF));

/Rasmus

-- 
-- [ Rasmus "Møffe" Bøg Hansen ] ---------------------------------------
Expect the unexpected.
    - HitchHikers Guide to the Galaxy, Douglas Adams
----------------------------------[ moffe at amagerkollegiet dot dk ] --
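Review bot: the removed htons() calls were the defect and dropping them is correct: diffs[] is handed to csum_partial() as raw bytes and *tcpflags is read straight out of the packet, so both words are already in network byte order, and wrapping them in htons() byte-swapped them on little-endian hosts (a no-op on big-endian ones). The incremental update in this hunk therefore wrote a genuinely wrong TCP checksum, which explains why the connection failed rather than tcpdump merely misreporting a copied skb. Suggest a one-line comment above `diffs[0] = diffs[0] ^ 0xFFFF;` stating that both words must stay exactly as stored in the packet, so the htons() is not reintroduced, and suggest checking any other incremental checksum update in this file that builds a diffs[] pair the same way.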
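The following is an added example, not part of Rasmus's patch or of the netfilter sources. It reproduces, in plain user-space C on a constructed TCP header, the incremental checksum update that the hunk above performs (check' = ~fold(~check + ~old_word + new_word), the csum_fold/csum_partial idiom), and shows that feeding the words in as they sit in the packet matches a full recomputation, while feeding in byte-swapped words (what the removed htons() did on a little-endian host) produces a wrong checksum. The addresses, ports and flag values are constructed sample data; the helper names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Ones-complement sum over a byte buffer as 16-bit network-order words
 * (a trailing odd byte is padded with zero), seeded with an existing sum. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    return sum;
}

/* Fold the carries back into 16 bits (what csum_fold does before inverting). */
static uint16_t fold16(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}

/* Full TCP checksum over pseudo header + segment; the check field in seg must be zero. */
static uint16_t tcp_checksum_full(const uint8_t *pseudo, size_t plen,
                                  const uint8_t *seg, size_t slen)
{
    uint32_t sum = ones_sum(pseudo, plen, 0);
    sum = ones_sum(seg, slen, sum);
    return (uint16_t)~fold16(sum);
}

/* Incremental update exactly as the patched ipt_ECN.c does it:
 * csum_fold(csum_partial({~old, new}, 4, check ^ 0xFFFF)) == ~fold(~check + ~old + new).
 * All three 16-bit values must be the words as they are stored in the packet. */
static uint16_t tcp_checksum_incremental(uint16_t check, uint16_t old_word, uint16_t new_word)
{
    uint32_t sum = (uint16_t)~check;
    sum += (uint16_t)~old_word;
    sum += new_word;
    return (uint16_t)~fold16(sum);
}

/* What htons() does to a packet word on a little-endian host. */
static uint16_t bswap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

struct ecn_demo {
    uint16_t check_before;      /* full checksum with ECE|CWR set */
    uint16_t check_after_full;  /* full recomputation after clearing ECE|CWR */
    uint16_t check_after_incr;  /* incremental update with packet-order words (patched code) */
    uint16_t check_after_bug;   /* incremental update with byte-swapped words (pre-patch, LE host) */
};

/* Build a constructed segment, clear ECE/CWR the way --ecn-tcp-remove does,
 * and compute the checksum three ways so the results can be compared. */
struct ecn_demo run_ecn_demo(void)
{
    /* Constructed pseudo header: 192.0.2.1 -> 198.51.100.7, zero, proto 6, TCP length 20. */
    const uint8_t pseudo[12] = { 192, 0, 2, 1,  198, 51, 100, 7,  0, 6,  0, 20 };
    /* Constructed TCP header: sport 40000, dport 80, seq 1, ack 0, data offset 5,
     * flags SYN|ECE|CWR (0xC2), window 65535, checksum 0, urgent pointer 0. */
    uint8_t tcp[20] = { 0x9C, 0x40,  0x00, 0x50,  0, 0, 0, 1,  0, 0, 0, 0,
                        0x50, 0xC2,  0xFF, 0xFF,  0, 0,  0, 0 };
    struct ecn_demo d;

    d.check_before = tcp_checksum_full(pseudo, sizeof pseudo, tcp, sizeof tcp);

    /* The 16-bit word at offset 12 (data offset + flags) is what the module's
     * tcpflags pointer covers; take it as stored, in network byte order. */
    uint16_t old_word = (uint16_t)(((uint16_t)tcp[12] << 8) | tcp[13]);
    tcp[13] &= (uint8_t)~(0x40 | 0x80);   /* clear ECE (0x40) and CWR (0x80) */
    uint16_t new_word = (uint16_t)(((uint16_t)tcp[12] << 8) | tcp[13]);

    d.check_after_full = tcp_checksum_full(pseudo, sizeof pseudo, tcp, sizeof tcp);
    d.check_after_incr = tcp_checksum_incremental(d.check_before, old_word, new_word);
    d.check_after_bug  = tcp_checksum_incremental(d.check_before,
                                                  bswap16(old_word), bswap16(new_word));
    return d;
}

int main(void)
{
    struct ecn_demo d = run_ecn_demo();
    printf("before:            0x%04x\n", d.check_before);
    printf("after (full):      0x%04x\n", d.check_after_full);
    printf("after (incr):      0x%04x  %s\n", d.check_after_incr,
           d.check_after_incr == d.check_after_full ? "ok" : "MISMATCH");
    printf("after (htons bug): 0x%04x  %s\n", d.check_after_bug,
           d.check_after_bug == d.check_after_full ? "ok" : "MISMATCH");
    return 0;
}
```

The ones-complement sum is byte-order symmetric, which is why the kernel can sum native-order words and store the folded result without any conversion; the only requirement is that every word entering the sum has the same byte layout as the packet, and that is exactly what the removed htons() calls violated.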