Subject: [LARTC] ECN and iptables: a political issue
From: Andrea Rossato @ 2002-12-06 18:38 UTC
To: lartc
Hi there!

I recently discovered that the Linux kernel supports Explicit Congestion
Notification and that a fully ECN-enabled network would have virtually
no dropped packets.

Enabling that feature is a way to respect the infrastructure we use, and
servers, routers or firewalls not complying with regularly approved
standards like RFC 793 and 3168 are damaging all of us, in a way not
very different from that of spammers.

Being able to discriminate between good and bad guys is possible
through a filtering rule:

  iptables -A POSTROUTING -t mangle -p tcp -d bad.guy.com -j ECN --ecn-tcp-remove

Many thanks to the guys who wrote the kernel support and the target!

This is not a solution to the problem, but at least it gives you the power
to send an email to the system/network administrators and put that rule
in our ILLEGAL_HOST_AND_NETS_VIOLATING_RFC793 chain. Many of those hosts
simply do not have access to their routers' or firewalls' configuration.

Now, the problem is the rule seems not to be working and I cannot
connect to those hosts unless I turn ECN off (echo 0 >
/proc/sys/net/ipv4/tcp_ecn), the wrong solution. I suspect I'm getting
something wrong.

Maciej Soltysiak had a similar problem with an illegal box in his
network. Did you find a solution?

Please help. If I solve this problem I promise that I will submit a
patch proposal to the LARTC maintainers. That's the best I can do to
make people aware of this issue.

Thanks a lot.
Andrea
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Subject: Re: [LARTC] ECN and iptables: a political issue
From: Andrea Rossato @ 2002-12-14 10:52 UTC
To: lartc
Andrea Rossato wrote:
> Being able to discriminate between good and bad guys is possible
> through a filtering rule:
>
>   iptables -A POSTROUTING -t mangle -p tcp -d bad.guy.com -j ECN --ecn-tcp-remove
>
> Now, the problem is the rule seems not to be working and I cannot
> connect to those hosts unless I turn ECN off (echo 0 >
> /proc/sys/net/ipv4/tcp_ecn), the wrong solution. I suspect I'm getting
> something wrong.
(just for documentation)

I was not getting anything wrong: there was a bug in checksum
recalculation after application of the ECN target.
Patrick McHardy promptly posted a patch on the netfilter-devel mailing list
(the patch is attached to the present message).

Now the rule is working just fine!!
(should I submit a patch proposal to LARTC to document the issue?)

andrea
Attachment: ipt_ECN.diff.1
--- net/ipv4/netfilter/ipt_ECN.c.orig 2002-12-09 23:14:20.000000000 +0100
+++ net/ipv4/netfilter/ipt_ECN.c 2002-12-09 23:13:27.000000000 +0100
@@ -88,8 +88,8 @@
}
if (diffs[0] != *tcpflags) {
- diffs[0] = htons(diffs[0]) ^ 0xFFFF;
- diffs[1] = htons(*tcpflags);
+ diffs[0] = diffs[0] ^ 0xFFFF;
+ diffs[1] = *tcpflags;
tcph->check = csum_fold(csum_partial((char *)diffs,
sizeof(diffs),
tcph->check^0xFFFF));
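Review bot: the hunk removes htons() from both diffs[] entries without a comment explaining why, and the change reads as a no-op to anyone reviewing on a big-endian host; a one-line comment above `diffs[0] = diffs[0] ^ 0xFFFF;` would help. csum_partial() sums diffs[] as the bytes lie in memory and *tcpflags is already a wire-order word taken from the header, so the old byte swap corrupted the delta on little-endian machines while htons() being an identity hid the bug on big-endian ones; that reasoning belongs in the commit text, and the fix is best confirmed by comparing the patched tcph->check against a full checksum recomputation on a little-endian box.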
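The incremental checksum update from the patch above, as an added C example that is not from the thread or from the kernel's ipt_ECN.c: it builds a TCP SYN with ECE and CWR set, clears them the way --ecn-tcp-remove does, patches the checksum the way the fixed target does, and checks the result against a full recomputation; passing buggy = 1 reinstates the removed htons() calls, which only give the right answer where htons() is a no-op. The function names (csum_bytes, update_check, ecn_remove_matches), the addresses and the packet bytes are constructed assumptions.

```c
/* Added example (not from the thread or the kernel's ipt_ECN.c): models --ecn-tcp-remove
 * with the patch's incremental checksum update. diffs[] is summed as raw memory, so its
 * words must stay in wire order, which is why the removed htons() calls were wrong. */
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
#define TCP_ECE 0x0040  /* ECN-Echo and CWR bits of the 16-bit offset/flags word */
#define TCP_CWR 0x0080
/* Ones-complement sum of words read big-endian from memory, folded to 16 bits
 * (the job csum_partial and csum_fold do in the patch). */
static uint16_t csum_bytes(const uint8_t *p, size_t len, uint32_t sum) {
    for (size_t i = 0; i < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | (i + 1 < len ? p[i + 1] : 0);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}
/* Full TCP checksum: IPv4 pseudo-header plus header, checksum field counted as zero. */
static uint16_t tcp_checksum(uint32_t src, uint32_t dst, const uint8_t *hdr, size_t len) {
    uint8_t ph[12] = {src >> 24, src >> 16, src >> 8, src, dst >> 24, dst >> 16,
                      dst >> 8, dst, 0, 6, len >> 8, len}, copy[60];
    memcpy(copy, hdr, len);
    copy[16] = copy[17] = 0;
    return (uint16_t)~csum_bytes(copy, len, csum_bytes(ph, sizeof ph, 0));
}
/* RFC 1624 update HC' = ~(~HC + ~m + m') as the patched target does it; oldw and neww
 * are raw wire-order words, buggy = 1 reinstates the htons() calls the patch removed. */
static void update_check(uint8_t *hdr, uint16_t oldw, uint16_t neww, int buggy) {
    uint16_t check, diffs[2];
    memcpy(&check, hdr + 16, 2);
    diffs[0] = (buggy ? htons(oldw) : oldw) ^ 0xFFFF;
    diffs[1] = buggy ? htons(neww) : neww;
    check = csum_bytes((const uint8_t *)diffs, sizeof diffs, ntohs(check) ^ 0xFFFFu);
    check = htons(check ^ 0xFFFF);
    memcpy(hdr + 16, &check, 2);
}
/* Clears ECE|CWR on a constructed SYN (10.0.0.1:1234 -> 10.0.0.2:80) and returns 1
 * if the incrementally updated checksum equals a full recomputation. */
int ecn_remove_matches(int buggy) {
    uint8_t hdr[20] = {0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
                       0x50, 0xc2, 0x20, 0x00, 0, 0, 0, 0};
    uint32_t src = 0x0a000001, dst = 0x0a000002;
    uint16_t c = tcp_checksum(src, dst, hdr, sizeof hdr), oldw, neww;
    hdr[16] = c >> 8; hdr[17] = c & 0xFF;
    memcpy(&oldw, hdr + 12, 2);                 /* raw wire-order word, like *tcpflags */
    neww = oldw & ~htons(TCP_ECE | TCP_CWR);    /* mask swapped to match the raw word */
    memcpy(hdr + 12, &neww, 2);
    update_check(hdr, oldw, neww, buggy);
    c = tcp_checksum(src, dst, hdr, sizeof hdr);
    return hdr[16] == (c >> 8) && hdr[17] == (c & 0xFF);
}
```

On a little-endian host ecn_remove_matches(1) returns 0, reproducing the broken checksum the thread describes, and 1 only where htons() is an identity.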