ECN Tom Eastep 2001 2002 2003 2005 2016 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. 2006-01-17. The ECN Netfilter target in some 2.6 Linux Kernels is broken. Symptoms are that you will be unable to establish a TCP connection to hosts defined in the /etc/shorewall/ecn file.
Explicit Congestion Notification (ECN) Explicit Congestion Notification (ECN) is described in RFC 3168 and is a proposed Internet standard. Unfortunately, not all sites support ECN and when a TCP connection offering ECN is sent to sites that don't support it, the result is often that the connection request is ignored. To allow ECN to be used, Shorewall allows you to enable ECN on your Linux systems then disable it in your firewall when the destination matches a list that you create (the /etc/shorewall/ecn file). You enable ECN by echo 1 > /proc/sys/net/ipv4/tcp_ecn You must arrange for that command to be executed at system boot. Most distributions have a method for doing that -- on RedHat, you make an entry in /etc/sysctl.conf. net.ipv4.tcp_ecn = 1 Entries in /etc/shorewall/ecn have two columns as follows: INTERFACE The name of an interface on your system HOST(S) An address (host or subnet) of a system or group of systems accessed through the interface in the first column. You may include a comma-separated list of such addresses in this column. Your external interface is eth0 and you want to disable ECN for tcp connections to 192.0.2.0/24: /etc/shorewall/ecn INTERFACE HOST(S) eth0 192.0.2.0/24
Beginning with Shorewall 5.0.6, you may also specify clearing of the ECN flags through use of the ECN action in shorewall-mangle(8).