> On Tue, Apr 16, 2002 at 01:57:27PM +0200, Oskar Andreasson wrote:
> > Hi all,
> > 
> > I have a brief suggestion for a match/target which I am unable to write myself
> > for many reasons, mainly that I am a very very lousy coder =). If someone is already
> > working on this, disregard this mail.
> > 
> > What I would like to propose is an ECN match/target. 
> 
> http://cvs.samba.org/cgi-bin/cvsweb/netfilter/userspace/extensions/libipt_ECN.c
> 

My fault, I never found that part in 1.2.6a, but it should be there if I am not wrong
after reading through this. One stupid question, however: where is the kernel-side
implementation of this target?


> > I would first of all like to see a match that makes it possible to match
> > packets based on their ECN values as described in RFC 3168, or possibly on
> > any value that the ECN field may take. 
> 
> yup, this makes sense.
> 
> > I would also like to see a target that lets us set the ECN values. As with
> > the FTOS and TOS targets, I would generally believe the TOS type of match
> > would be better (ie, it would block the user from setting ridiculous values
> > that are more or less not valid according to RFC 3168.). 
> 
> Only touching the IP header is not a good idea, as ECN works in combination
> with the transport layer (i.e. TCP).
> 

Makes sense to me =) I hadn't actually got to that part of the RFC yet, my mistake.

> The only valid use from my point of view is removing the ECT codepoint from
> the TCP header of every SYN packet in order to prevent ECN from being
> negotiated for a given connection.

Unless we create more "intelligence" in the match/target, but that would be extremely 
stupid I believe... In other words, I am inclined to agree.

> 
> > 1) Reset all ECN enabled packets leaving a specific network or going to a
> > specific network.
> 
> experimental.

Ok, I saw it and I believe you =).

> 
> > 2) We can use this match to match packets leaving the firewall and possibly
> > do specific routing to get around misbehaving routers/firewalls blocking ECN
> > enabled packets.
> 
> matching is always ok.

So... one more question then, is there such a (ECN) match that I have missed as well?

Have a nice day,

Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: [EMAIL PROTECTED]
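As an added illustration of the two things discussed above (an ECN match on the IP field and on an ECN-setup SYN, and a target that clears ECE/CWR on SYNs so that ECN is not negotiated), here is stand-alone C that is not code from the netfilter project or from this list. It assumes a raw IPv4+TCP packet in a byte buffer and fixes up the TCP checksum incrementally after the change; the sample packet at the end is constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* RFC 3168 codepoints in the two low bits of the IPv4 TOS byte, and the TCP flag bits used. */
enum ecn_codepoint { ECN_NOT_ECT = 0, ECN_ECT1 = 1, ECN_ECT0 = 2, ECN_CE = 3 };
enum { TCP_SYN = 0x02, TCP_ECE = 0x40, TCP_CWR = 0x80 };
static size_t ihl(const uint8_t *p) { return (size_t)(p[0] & 0x0f) * 4; }
/* Refuse to touch anything that is not IPv4+TCP with both headers inside the buffer. */
static int is_tcp4(const uint8_t *p, size_t len) {
    return len >= 20 && (p[0] >> 4) == 4 && p[9] == 6 && ihl(p) >= 20 && len >= ihl(p) + 20;
}
/* Match side: the IP-level ECN field a rule could test against. */
int ip_ecn(const uint8_t *p) { return p[1] & 0x03; }
/* Match side: a SYN offering ECN has ECE and CWR both set (RFC 3168 section 6.1.1). */
int ecn_setup_syn(const uint8_t *p, size_t len) {
    if (!is_tcp4(p, len)) return 0;
    uint8_t f = p[ihl(p) + 13];
    return (f & TCP_SYN) && (f & TCP_ECE) && (f & TCP_CWR);
}
/* Full TCP checksum over pseudo-header + segment, checksum field taken as zero. */
uint16_t tcp_checksum(const uint8_t *p, size_t len) {
    size_t off = ihl(p), tlen = len - off;
    uint32_t s = 6 + (uint32_t)tlen;                                  /* protocol + TCP length */
    for (size_t i = 12; i < 20; i += 2) s += (p[i] << 8) | p[i + 1];  /* src and dst address */
    for (size_t i = 0; i + 1 < tlen; i += 2)
        if (i != 16) s += (p[off + i] << 8) | p[off + i + 1];
    if (tlen & 1) s += p[off + tlen - 1] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* Target side: clear ECE/CWR on an ECN-setup SYN so the handshake negotiates no ECN, then
   patch the TCP checksum incrementally (RFC 1624: HC' = ~(~HC + ~m + m')). Returns 1 if changed. */
int ecn_strip_syn(uint8_t *p, size_t len) {
    if (!ecn_setup_syn(p, len)) return 0;
    size_t off = ihl(p);
    uint16_t old = (p[off + 12] << 8) | p[off + 13];
    p[off + 13] &= (uint8_t)~(TCP_ECE | TCP_CWR);
    uint32_t s = (uint16_t)~((p[off + 16] << 8) | p[off + 17]);       /* ~HC */
    s += (uint16_t)~old; s += (p[off + 12] << 8) | p[off + 13];         /* + ~m + m' */
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    p[off + 16] = (uint8_t)(~s >> 8); p[off + 17] = (uint8_t)~s;
    return 1;
}
/* Constructed sample: 10.0.0.1:49152 -> 10.0.0.2:80, TOS 0x02 = ECT(0), flags SYN|ECE|CWR,
   IP checksum left zero (unused here), TCP checksum 0xdace valid for these bytes. */
uint8_t sample_syn[40] = {
    0x45,0x02,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, 0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0xc2,0xff,0xff, 0xda,0xce,0x00,0x00 };
```

Running ecn_strip_syn on sample_syn turns flags 0xc2 into 0x02 and the stored checksum from 0xdace into 0xdb8e, which tcp_checksum confirms; a second call returns 0 because the SYN no longer offers ECN.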
