From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010701 Description of problem: The kernel config files for the update to kernel 2.4.3-12 in RH 7.1 have the "CONFIG_NET_ECN" option enabled ("Explicit Congestion Notification"), which marks the SYN packets of TCP connections in a way that causes some machines to simply refuse all connections from a Linux box configured in this way. The comment on the configuration parameter claims this is just "some firewalls" that won't work with it, and that is not true. I have had this problem with both at least one firewall product and several embedded machines that had webservers and telnet capability. Very clearly, this option should not be enabled for production systems where you want good compatibility with other machines over TCP/IP. How reproducible: Always Steps to Reproduce: 1. Compile kernel with configuration and "CONFIG_NET_ECN" enabled. 2. Run tcpdump and start a telnet connection with some machine, for example, to port 80 (http) as in part of my example tcpdump included. 3. Observe weird flags on SYN packet: "ECN-Echo,CWR". 17:57:20.253747 > 192.168.30.202.32776 > 192.168.7.10.http: S [ECN-Echo,CWR] 795192512:795192512(0) win 5840 <mss 1460,sackOK,timestamp 404823 0,nop,wscale 0> (DF) Actual Results: As mentioned, packets are marked strangely, and some machines will simply refuse connections with a Linux box configured in this way. Expected Results: The initial SYN packet should be marked like the following in a tcpdump with a Linux kernel that isn't compiled with "CONFIG_NET_ECN": 18:00:30.998291 > 192.168.30.202.32770 > 192.168.7.10.http: S 1019849161:1019849161(0) win 5840 <mss 1460,sackOK,timestamp 8997 0,nop,wscale 0> (DF) Additional info:
Reassigning to kernel as this is a clear kernel bug. Kernelcfg is a tool to configure kernel modules. :) Read ya, Phil