On Tue, Apr 16, 2002 at 01:57:27PM +0200, Oskar Andreasson wrote:
> Hi all,
> 
> I have a brief suggestion for a match/target which I am unable to write myself for
> many reasons, mainly that I am a very very lousy coder =). If someone is already
> working on this, disregard this mail.
> 
> What I would like to propose is an ECN match/target. 

http://cvs.samba.org/cgi-bin/cvsweb/netfilter/userspace/extensions/libipt_ECN.c

> I would first of all like to see a match that makes it possible to match
> packets based on their ECN values as described in RFC 3168, or possibly on
> any value that the ECN field may take. 

yup, this makes sense.

> I would also like to see a target that lets us set the ECN values. As with
> the FTOS and TOS targets, I would generally believe the TOS type of match
> would be better (i.e., it would block the user from setting ridiculous values
> that are more or less not valid according to RFC 3168).

Only touching the IP header is not a good idea, as ECN works in combination
with the transport layer (i.e. TCP).

The only valid use from my point of view is removing the ECT codepoint from
the TCP header of every SYN packet in order to prevent ECN from being
negotiated for a given connection.

> 1) Reset all ECN enabled packets leaving a specific network or going to a
> specific network.

experimental.

> 2) We can use this match to match packets leaving the firewall and possibly
> do specific routing to get around misbehaving routers/firewalls blocking ECN
> enabled packets.

matching is always ok.


-- 
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
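Both halves of what Harald describes above, a match on the RFC 3168 bits and a target that clears ECE/CWR on every SYN so ECN is never negotiated, as an added Python example that is not part of this thread or of libipt_ECN.c. It works on raw IPv4+TCP bytes and builds its own constructed sample packet; the codepoint values, flag bits and handshake semantics come from RFC 3168, while the function names, sample addresses and ports are my own.

```python
import struct
# RFC 3168: the two low bits of the IP TOS byte carry the ECN codepoint
# (00 Not-ECT, 01 ECT(1), 10 ECT(0), 11 CE); the two high bits of the TCP
# flags byte are CWR (0x80) and ECE (0x40).
TCP_CWR, TCP_ECE, TCP_ACK, TCP_SYN = 0x80, 0x40, 0x10, 0x02

def ihl(pkt):  # IPv4 header length in bytes
    return (pkt[0] & 0x0F) * 4
def ip_ecn(pkt):  # match side: the IP-level ECN codepoint
    return pkt[1] & 0x03
def tcp_flags(pkt):  # match side: the TCP flags byte (ECE/CWR live here)
    return pkt[ihl(pkt) + 13]

def ecn_negotiation(pkt):  # RFC 3168 section 6.1.1: ECN-setup SYN / SYN-ACK, else None
    f = tcp_flags(pkt)
    ecn_bits = f & (TCP_ECE | TCP_CWR)
    if (f & TCP_SYN) and not (f & TCP_ACK) and ecn_bits == (TCP_ECE | TCP_CWR):
        return "setup-syn"
    if (f & TCP_SYN) and (f & TCP_ACK) and ecn_bits == TCP_ECE:
        return "setup-syn-ack"
    return None

def tcp_checksum(pkt):
    """Ones-complement sum over pseudo-header + segment; 0 means the stored checksum verifies."""
    h = ihl(pkt)
    data = pkt[12:20] + b"\x00\x06" + struct.pack("!H", len(pkt) - h) + pkt[h:]
    data += b"\x00" * (len(data) % 2)  # pad odd length
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def strip_ecn_from_syn(pkt):
    """Target side: clear ECE/CWR on every SYN so ECN is never negotiated, then fix the TCP checksum."""
    if not (tcp_flags(pkt) & TCP_SYN):
        return pkt
    h, out = ihl(pkt), bytearray(pkt)
    out[h + 13] &= 0xFF & ~(TCP_ECE | TCP_CWR)
    out[h + 16:h + 18] = b"\x00\x00"  # zero the checksum field before recomputing
    out[h + 16:h + 18] = struct.pack("!H", tcp_checksum(bytes(out)))
    return bytes(out)

def build_syn(ecn=True, ack=False):
    """Constructed sample (not a capture): IPv4 + TCP SYN or SYN/ACK, 10.0.0.1:40000 -> 10.0.0.2:80, TOS 0."""
    flags = (TCP_SYN | TCP_ACK) if ack else TCP_SYN
    flags |= ((TCP_ECE if ack else TCP_ECE | TCP_CWR) if ecn else 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    out = bytearray(ip + tcp)
    out[36:38] = struct.pack("!H", tcp_checksum(bytes(out)))  # IP header checksum left 0 in this sample
    return bytes(out)
```

Run `ecn_negotiation(build_syn())` to see the setup SYN classified, then `ecn_negotiation(strip_ecn_from_syn(build_syn()))` to see it no longer negotiates ECN while `tcp_checksum` of the result still verifies.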