Red Hat Bugzilla – Bug 49483
Bug in 2.4.3-12 kernel config for TCP/IP
Last modified: 2007-04-18 12:34:55 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010701
Description of problem:
The kernel config files for the update to kernel 2.4.3-12 in RH 7.1 have
the "CONFIG_NET_ECN" option enabled ("Explicit Congestion Notification"),
which marks the SYN packets of TCP connections in a way that causes some
machines to simply refuse all connections from a Linux box configured in
this way. The comment on the configuration parameter claims this is just
"some firewalls" that won't work with it, and that is not true. I have had
this problem with both at least one firewall product and several embedded
machines that had webservers and telnet capability.
Very clearly, this option should not be enabled for production systems
where you want good compatibility with other machines over TCP/IP.
Steps to Reproduce:
1. Compile kernel with configuration and "CONFIG_NET_ECN" enabled.
2. Run tcpdump and start a telnet connection with some machine, for
example, to port 80 (http) as in part of my example tcpdump included.
3. Observe weird flags on SYN packet: "ECN-Echo,CWR".
17:57:20.253747 > 192.168.30.202.32776 > 192.168.7.10.http: S [ECN-Echo,CWR] 795192512:795192512(0) win 5840 <mss 1460,sackOK,timestamp 404823 0,nop,wscale 0> (DF)
Actual Results: As mentioned, packets are marked strangely, and some
machines will simply refuse connections with a Linux box configured in this
Expected Results: The initial SYN packet should be marked like the
following in a tcpdump with a Linux kernel that isn't compiled with
18:00:30.998291 > 192.168.30.202.32770 > 192.168.7.10.http: S 1019849161:1019849161(0) win 5840 <mss 1460,sackOK,timestamp 8997 0,nop,wscale 0> (DF)
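As an added example (not part of the bug report or of the kernel), a small Python checker that recognises the packet the report describes, an ECN-setup SYN carrying both the ECE and CWR flags, in a raw TCP header. The two sample headers are constructed to match the source ports, initial sequence numbers and window of the two tcpdump lines above (TCP options omitted); the /proc path for the runtime knob is the standard Linux one.

```python
import struct

# Classic 8 TCP flag bits, the low byte of the offset/flags word (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build_tcp_header(sport: int, dport: int, seq: int, win: int, flags: int) -> bytes:
    """Build a bare 20-byte TCP header (constructed sample data; options omitted,
    ack/checksum/urgent pointer zero, which is enough for flag inspection)."""
    off_flags = (5 << 12) | (flags & 0xFF)   # data offset 5 words, then the flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, win, 0, 0)

def classify_tcp_segment(segment: bytes) -> str:
    """Return 'ecn-setup-syn', 'plain-syn' or 'not-syn' for one raw TCP segment.
    An ECN-setup SYN (RFC 3168 section 6.1.1) carries both ECE and CWR, which
    tcpdump prints as "[ECN-Echo,CWR]"; the report above describes peers that
    refuse exactly these SYNs.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    flags = segment[13]                      # low byte of the offset/flags word
    if not (flags & SYN) or (flags & ACK):   # only the first packet of a handshake
        return "not-syn"
    if flags & ECE and flags & CWR:
        return "ecn-setup-syn"
    return "plain-syn"

def read_tcp_ecn_sysctl(path: str = "/proc/sys/net/ipv4/tcp_ecn"):
    """Read the kernel's runtime ECN knob (net.ipv4.tcp_ecn), or None if absent."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None

# Two constructed headers mirroring the tcpdump lines in the report above
# (same ports, initial sequence numbers and window; TCP options left out).
SAMPLES = {
    "2.4.3-12 with CONFIG_NET_ECN": build_tcp_header(32776, 80, 795192512, 5840, SYN | ECE | CWR),
    "kernel built without ECN": build_tcp_header(32770, 80, 1019849161, 5840, SYN),
}

def scan(samples: dict) -> dict:
    """Classify every sample segment by name."""
    return {name: classify_tcp_segment(seg) for name, seg in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
    print("net.ipv4.tcp_ecn =", read_tcp_ecn_sysctl())
```

On a running kernel the same behaviour can be turned off without a rebuild by writing 0 to net.ipv4.tcp_ecn, which read_tcp_ecn_sysctl reports.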
Reassigning to kernel as this is a clear kernel bug.
Kernelcfg is a tool to configure kernel modules. :)
Read ya, Phil