From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andrea Rossato
Date: Fri, 06 Dec 2002 18:38:27 +0000
Subject: [LARTC] ECN and iptables: a political issue
Message-Id:
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Hi there!

I recently discovered that the Linux kernel supports Explicit Congestion Notification and that a fully ECN-enabled network would have virtually no dropped packets. Enabling that feature is a way to respect the infrastructure we use, and servers, routers or firewalls not complying with regularly approved standards like RFC 793 and RFC 3168 are damaging all of us, in a way not very different from that of spammers.

Discriminating between the good and the bad guys is possible through a filtering rule:

iptables -A POSTROUTING -t mangle -p tcp -d bad.guy.com -j ECN --ecn-tcp-remove

Many thanks to the guys who wrote the kernel support and the target! This is not a solution to the problem, but at least it gives you the power to send an email to the system/network administrators and put that rule in our ILLEGAL_HOST_AND_NETS_VIOLATING_RFC793 chain. Many of those hosts simply do not have access to their routers' or firewalls' configuration.

Now, the problem is that the rule seems not to be working and I cannot connect to those hosts unless I turn ECN off (echo 0 > /proc/sys/net/ipv4/tcp_ecn), the wrong solution. I suspect I'm getting something wrong.

Maciej Soltysiak had a similar problem with an illegal box in his network. Did you find a solution?

Please help. If I solve this problem I promise that I will submit a patch proposal to the LARTC maintainers. That's the best I can do to make people aware of this issue.

Thanks a lot.

Andrea

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
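What the rule in the message above actually changes on the wire, as an added example that is not part of the original post or of the iptables/netfilter code: an RFC 3168 ECN-setup SYN carries the ECE and CWR flags in the TCP header (and may carry an ECT codepoint in the low two bits of the IP TOS byte), and a middlebox that drops such packets is the "ECN blackhole" the mangle-table ECN target exists to work around. The script below builds a constructed IPv4/TCP SYN with valid checksums, then applies the same transformation as `-j ECN --ecn-tcp-remove` (clear ECE and CWR, refresh the TCP checksum) and, separately, the IP-level equivalent of the target's `--ecn-ip-ect` option. Addresses, ports and sequence numbers are made up for the example; the helper names are this example's own.

```python
import socket
import struct

# TCP flag bits in byte 13 of the TCP header (RFC 793 flags plus the
# RFC 3168 ECE/CWR bits that an ECN-setup SYN carries).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80
IP_ECN_MASK = 0x03  # ECN field: low two bits of the IPv4 TOS byte
ECT0, ECT1, CE = 0b10, 0b01, 0b11  # RFC 3168 codepoints; 0b00 = Not-ECT


def checksum(data: bytes) -> int:
    """Internet ones-complement checksum (RFC 1071). Returns 0 for a
    buffer whose embedded checksum is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_pseudo_header(ip: bytes, tcp: bytes) -> bytes:
    # src, dst, zero, protocol, TCP length
    return struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, ip[9], len(tcp))


def build_tcp_syn(src_ip, dst_ip, sport, dport, tcp_flags, ip_ecn=0) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header,
    no options, both checksums valid. Not captured from a real host."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                      5 << 4, tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, ip_ecn & IP_ECN_MASK,
                     20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    tcp = tcp[:16] + struct.pack("!H", checksum(_tcp_pseudo_header(ip, tcp) + tcp)) + tcp[18:]
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def _split(packet: bytes):
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl], packet[ihl:]


def tcp_flags(packet: bytes) -> int:
    return _split(packet)[1][13]


def ip_ecn(packet: bytes) -> int:
    return packet[1] & IP_ECN_MASK


def is_ecn_setup_syn(packet: bytes) -> bool:
    """RFC 3168 6.1.1: SYN with ECE and CWR set and ACK clear."""
    f = tcp_flags(packet)
    return bool(f & TCP_SYN) and not (f & TCP_ACK) and (f & (TCP_ECE | TCP_CWR)) == (TCP_ECE | TCP_CWR)


def ecn_tcp_remove(packet: bytes) -> bytes:
    """Same effect as `-j ECN --ecn-tcp-remove`: clear ECE and CWR and
    recompute the TCP checksum so the segment is still valid."""
    ip, tcp = _split(packet)
    flags = tcp[13] & ~(TCP_ECE | TCP_CWR) & 0xFF
    tcp = tcp[:13] + bytes([flags]) + tcp[14:16] + b"\x00\x00" + tcp[18:]
    tcp = tcp[:16] + struct.pack("!H", checksum(_tcp_pseudo_header(ip, tcp) + tcp)) + tcp[18:]
    return ip + tcp


def ecn_ip_ect(packet: bytes, codepoint: int) -> bytes:
    """Same effect as the target's `--ecn-ip-ect N` option: rewrite the
    IP ECN field (0 = Not-ECT) and recompute the IP header checksum."""
    ip, tcp = _split(packet)
    tos = (ip[1] & ~IP_ECN_MASK & 0xFF) | (codepoint & IP_ECN_MASK)
    ip = ip[:1] + bytes([tos]) + ip[2:10] + b"\x00\x00" + ip[12:]
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def checksums_valid(packet: bytes) -> bool:
    ip, tcp = _split(packet)
    return checksum(ip) == 0 and checksum(_tcp_pseudo_header(ip, tcp) + tcp) == 0


if __name__ == "__main__":
    # Outgoing ECN-setup SYN as a tcp_ecn=1 kernel would send it (constructed).
    syn = build_tcp_syn("192.0.2.1", "198.51.100.7", 40000, 80,
                        TCP_SYN | TCP_ECE | TCP_CWR, ECT0)
    print("before: flags=0x%02x ip_ecn=%d ecn_setup=%s" % (tcp_flags(syn), ip_ecn(syn), is_ecn_setup_syn(syn)))
    stripped = ecn_ip_ect(ecn_tcp_remove(syn), 0)
    print("after:  flags=0x%02x ip_ecn=%d ecn_setup=%s valid=%s" % (
        tcp_flags(stripped), ip_ecn(stripped), is_ecn_setup_syn(stripped), checksums_valid(stripped)))
```

The point worth checking against the message's symptom: the rule in POSTROUTING of the mangle table only rewrites packets leaving the box, and the negotiation the blackhole objects to happens in that very first SYN, so the rule has to match the destination before the SYN leaves; a stripped SYN is a plain RFC 793 SYN and the peer simply answers without ECN. Run the block as a script to see the flags before and after, or import it and call the functions on your own captured segments.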