Hi!
On Mon, 25 Feb 2002 14:40:47 +0100
"Harald Welte" <laforge@xxxxxxxxxxxx> wrote:
> I've written a small iptables target for the iptables 'mangle' chain,
> which allows users to remove the ECN bits of the IPv4 header on a
> per-rule basis.
So this target is doing what is described in section 18.1.13 of RFC 3168.
You might run into a problem when an upstream router marked the packet instead
of dropping it. By setting the codepoint to 0, you will remove the congestion
indication. This will not be a problem if you only use this target on outgoing
packets and if you don't have a marking router in the inner network. Otherwise
it will be one.
Since you don't know what people will do with this target and if they really
understand what it does, I fear that it might become a problem.
Instead, I suggest only clearing the ECE and CWR TCP flags on SYN-packets.
Sebastian
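The alternative suggested in the message above (clear only the TCP ECE and CWR flags on SYN packets and leave the IP ECN codepoint alone), as an added user-space C example; it is not part of the original message or of the patch under discussion. The function names and the sample packet are constructed for illustration, and treating every segment with SYN set (SYN and SYN/ACK) as a "SYN packet" is this example's assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { TCP_SYN = 0x02, TCP_ECE = 0x40, TCP_CWR = 0x80 };
/* Constructed sample: IPv4 (TOS 0x03 = CE mark) + TCP SYN with ECE|CWR set. */
uint8_t sample_syn[40] = {
    0x45,0x03,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x4e,0x96,
    0xc0,0x00,0x02,0x01, 0xc6,0x33,0x64,0x02,      /* 192.0.2.1 -> 198.51.100.2 */
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0xc2,0xff,0xff, 0x02,0x9a,0x00,0x00 };    /* flags 0xc2, checksum 0x029a */

static uint32_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return s; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Ones'-complement sum over pseudo-header + segment; 0 means the checksum is valid. */
uint16_t tcp_csum_residual(const uint8_t *pkt, size_t len)
{
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, tlen = len - ihl, i;
    uint32_t sum = 6 + (uint32_t)tlen;                  /* protocol + TCP length */
    for (i = 12; i < 20; i += 2) sum += rd16(pkt + i);  /* source + destination */
    for (i = 0; i + 1 < tlen; i += 2) sum += rd16(pkt + ihl + i);
    if (tlen & 1) sum += (uint32_t)pkt[len - 1] << 8;
    return (uint16_t)~fold(sum);
}

/* Hypothetical helper: clear ECE/CWR on segments with SYN set, never touching the
 * IPv4 ECN field. Returns 1 if modified, 0 if left alone, -1 if unparsable. */
int strip_tcp_ecn_on_syn(uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return -1;
    if (pkt[9] != 6 || (pkt[6] & 0x1f) || pkt[7]) return 0; /* not TCP / later fragment */
    if (len < ihl + 20) return -1;                          /* truncated TCP header */
    uint8_t *tcp = pkt + ihl;
    if (!(tcp[13] & TCP_SYN) || !(tcp[13] & (TCP_ECE | TCP_CWR))) return 0;
    uint16_t m_old = rd16(tcp + 12), m_new = m_old & (uint16_t)~(TCP_ECE | TCP_CWR);
    /* RFC 1624 incremental update: HC' = ~(~HC + ~m + m') */
    uint16_t hc = (uint16_t)~fold((uint32_t)(uint16_t)~rd16(tcp + 16) + (uint16_t)~m_old + m_new);
    tcp[13] = (uint8_t)m_new; tcp[16] = (uint8_t)(hc >> 8); tcp[17] = (uint8_t)hc;
    return 1;
}

int main(void)
{
    int rc = strip_tcp_ecn_on_syn(sample_syn, sizeof sample_syn);
    printf("rc=%d flags=0x%02x ip_ecn=%u residual=0x%04x\n", rc, sample_syn[33], sample_syn[1] & 3u, tcp_csum_residual(sample_syn, sizeof sample_syn));
}
```

On the sample, the SYN leaves with ECN negotiation disabled while the CE mark in the IP header is preserved, which is the distinction the message draws.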