From: Andrea Rossato <mailing_list@istitutocolli.org>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] ECN and ipitables: a political issue
Date: Sat, 14 Dec 2002 10:52:57 +0000
Message-ID: <marc-lartc-103986328831220@msgid-missing>
In-Reply-To: <marc-lartc-103920005828158@msgid-missing>
[-- Attachment #1: Type: text/plain, Size: 807 bytes --]
Andrea Rossato wrote:
> Being able to discriminate between good and bad guys it is possible
> through a filtering rule,
>
> iptables -A POSTROUTING -t mangle -p tcp -d bad.guy.com -j ECN
> --ecn-tcp-remove.
> Now, the problem is the rule seems not to be working and I cannot
> connect to those hosts unless turning ecn off (echo 0 >
> /proc/sys/net/ipv4/tcp_ecn), the wrong solution. I suspect I'm getting
> something wrong.
(just for documentation)
I was not getting anything wrong: there was a bug in checksum
recalculation after application of the ECN target.
Patrick McHardy promptly posted a patch to the netfilter-devel mailing list.
(the patch is attached to the present message)
Now the rule is working just fine!!
(should I submit a patch proposal to LARTC to document the issue?)
andrea
[-- Attachment #2: ipt_ECN.diff.1 --]
[-- Type: text/plain, Size: 499 bytes --]
--- net/ipv4/netfilter/ipt_ECN.c.orig 2002-12-09 23:14:20.000000000 +0100
+++ net/ipv4/netfilter/ipt_ECN.c 2002-12-09 23:13:27.000000000 +0100
@@ -88,8 +88,8 @@
}
if (diffs[0] != *tcpflags) {
- diffs[0] = htons(diffs[0]) ^ 0xFFFF;
- diffs[1] = htons(*tcpflags);
+ diffs[0] = diffs[0] ^ 0xFFFF;
+ diffs[1] = *tcpflags;
tcph->check = csum_fold(csum_partial((char *)diffs,
sizeof(diffs),
tcph->check^0xFFFF));
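Review bot: the two new assignments, `diffs[0] = diffs[0] ^ 0xFFFF;` and `diffs[1] = *tcpflags;`, should carry a short comment saying why no htons() is applied to them. The guard above compares diffs[0] directly with *tcpflags, so both values are already in the same representation, and csum_partial() is fed the raw bytes of diffs and seeded with tcph->check without any conversion; stating that next to the assignments would keep the byte swap from being reintroduced later. As a style point, the first line reads more simply as `diffs[0] ^= 0xFFFF;`.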