shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>ECN</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="ECN"></a>ECN</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2001, 2002, 2003, 2005 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id278208"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#ecn">Explicit Congestion Notification (ECN)</a></span></dt></dl></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>2006-01-17. The ECN Netfilter target in recent 2.6 Linux Kernels is
    broken. Symptoms are that you will be unable to establish a TCP connection
    to hosts defined in the /etc/shorewall/ecn file.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="ecn"></a>Explicit Congestion Notification (ECN)</h2></div></div></div><p>Explicit Congestion Notification (ECN) is described in RFC 3168 and
    is a proposed Internet standard. Unfortunately, not all sites support ECN,
    and when a TCP connection request offering ECN is sent to a site that doesn't support
    it, the result is often that the connection request is ignored.</p><p>To allow ECN to be used, Shorewall allows you to enable ECN on your
    Linux systems and then disable it in your firewall when the destination
    matches a list that you create (the /etc/shorewall/ecn file).</p><p>You enable ECN by</p><pre class="programlisting">echo 1 &gt; /proc/sys/net/ipv4/tcp_ecn</pre><p>You must arrange for that command to be executed at system boot.
    Most distributions have a method for doing that; on Red Hat, you make an
    entry in /etc/sysctl.conf.</p><pre class="programlisting">net.ipv4.tcp_ecn = 1</pre><p>Entries in /etc/shorewall/ecn have two columns as follows:</p><div class="variablelist"><dl><dt><span class="term">INTERFACE</span></dt><dd><p>The name of an interface on your system</p></dd><dt><span class="term">HOST(S)</span></dt><dd><p>An address (host or subnet) of a system or group of systems
          accessed through the interface in the first column. You may include
          a comma-separated list of such addresses in this column.</p></dd></dl></div><div class="example"><a id="Example1"></a><p class="title"><b>Example 1. Your external interface is eth0 and you want to disable ECN for
      TCP connections to 192.0.2.0/24:</b></p><div class="example-contents"><div class="table"><a id="Table1"></a><p class="title"><b>Table 1. /etc/shorewall/ecn</b></p><div class="table-contents"><table summary="/etc/shorewall/ecn" border="1"><colgroup><col /><col /></colgroup><thead><tr><th align="center">INTERFACE</th><th align="center">HOST(S)</th></tr></thead><tbody><tr><td>eth0</td><td>192.0.2.0/24</td></tr></tbody></table></div></div><p><br class="table-break" /></p></div></div><br class="example-break" /></div></div></body></html>
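
A pre-load check for the two-column /etc/shorewall/ecn format described above, as an added example that is not part of the Shorewall documentation or code: it validates each INTERFACE and HOST(S) entry as IPv4 and renders the kind of mangle-table ECN rule that clears the ECN bits for those destinations. The sample file contents, the function names, the interface-name pattern and the rendered iptables commands are assumptions for illustration; the ruleset Shorewall actually generates may differ.

```python
import ipaddress
import re

# Constructed sample in the two-column layout described above.
SAMPLE_ECN = """\
#INTERFACE  HOST(S)
eth0        192.0.2.0/24
eth0        198.51.100.7,203.0.113.0/28
eth1        192.0.2.300
"""

# Assumption: conservative interface-name pattern (max 15 chars on Linux),
# which also keeps shell metacharacters out of the rendered commands.
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def parse_ecn(text):
    """Return (entries, errors): entries are (interface, IPv4Network) pairs,
    errors are (line_number, message) pairs."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) != 2:
            errors.append((lineno, "expected INTERFACE and HOST(S) columns"))
            continue
        iface, hosts = cols
        if not IFACE_RE.match(iface):
            errors.append((lineno, f"bad interface name {iface!r}"))
            continue
        for host in hosts.split(","):  # HOST(S) may be a comma-separated list
            try:
                entries.append((iface, ipaddress.IPv4Network(host, strict=False)))
            except ValueError:
                errors.append((lineno, f"bad address {host!r}"))
    return entries, errors


def render_rules(entries):
    """Illustrative iptables commands (not Shorewall's own output) that strip
    the ECN bits from outgoing TCP headers for each validated destination."""
    return [
        f"iptables -t mangle -A POSTROUTING -o {iface} -p tcp -d {net} "
        "-j ECN --ecn-tcp-remove"
        for iface, net in entries
    ]
```

Run `parse_ecn` on the file contents before reloading the firewall and refuse to proceed when `errors` is non-empty, since a mistyped address would otherwise leave ECN enabled toward a destination you meant to exempt.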