From: Andrea Rossato
Date: Sat, 14 Dec 2002 10:52:57 +0000
Subject: Re: [LARTC] ECN and iptables: a political issue
To: lartc@vger.kernel.org

Andrea Rossato wrote:
> Being able to discriminate between good and bad guys it is possible
> through a filtering rule,
>
> iptables -A POSTROUTING -t mangle -p tcp -d bad.guy.com -j ECN --ecn-tcp-remove.
>
> Now, the problem is the rule seems not to be working and I cannot
> connect to those hosts unless turning ecn off (echo 0 >
> /proc/sys/net/ipv4/tcp_ecn), the wrong solution. I suspect I'm getting
> something wrong.

(just for documentation) I was not getting anything wrong: there was a bug in checksum recalculation after application of the ECN target. Patrick McHardy promptly posted a patch on the netfilter-devel mailing list (the patch is attached to the present message).

Now the rule is working just fine!!

(should I submit a patch proposal to LARTC to document the issue?)

andrea

Attachment: ipt_ECN.diff.1

--- net/ipv4/netfilter/ipt_ECN.c.orig 2002-12-09 23:14:20.000000000 +0100
+++ net/ipv4/netfilter/ipt_ECN.c 2002-12-09 23:13:27.000000000 +0100
@@ -88,8 +88,8 @@ } if (diffs[0] != *tcpflags) { - diffs[0] = htons(diffs[0]) ^ 0xFFFF; - diffs[1] = htons(*tcpflags); + diffs[0] = diffs[0] ^ 0xFFFF; + diffs[1] = *tcpflags; tcph->check = csum_fold(csum_partial((char *)diffs, sizeof(diffs), tcph->check^0xFFFF)); --------------090000090307010108030004-- _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
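Review bot: the byte-order fix looks right, but the hunk leaves no comment on why diffs[] must hold network-order values, and the next reader who sees a bare `*tcpflags` copied into a checksum buffer will be tempted to put htons() back. csum_partial() sums diffs as raw bytes in memory, and the comparison `if (diffs[0] != *tcpflags)` only makes sense if both sides already carry the on-the-wire representation, so converting them with htons() swaps the bytes a second time on little-endian hosts and produces a checksum the peer rejects, which is exactly the "cannot connect unless ECN is off" symptom reported in the mail. Since htons() is the identity on big-endian machines, the old code failed only on little-endian hosts; that is worth stating in the change description so the fix is verified on the platform where it matters. Suggest a one-line comment above the assignments, e.g. `/* diffs[] are summed as raw bytes by csum_partial(): keep network byte order */`.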