Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.



2006-01-17. The ECN Netfilter target in recent 2.6 Linux Kernels is broken. Symptoms are that you will be unable to establish a TCP connection to hosts defined in the /etc/shorewall/ecn file.

Explicit Congestion Notification (ECN)

Explicit Congestion Notification (ECN) is described in RFC 3168 and is a proposed internet standard. Unfortunately, not all sites support ECN and when a TCP connection offering ECN is sent to sites that don't support it, the result is often that the connection request is ignored.

To allow ECN to be used, Shorewall allows you to enable ECN on your Linux systems then disable it in your firewall when the destination matches a list that you create (the /etc/shorewall/ecn file).

You enable ECN by

echo 1 > /proc/sys/net/ipv4/tcp_ecn

You must arrange for that command to be executed at system boot. Most distributions have a method for doing that -- on RedHat, you make an entry in /etc/sysctl.conf.

net.ipv4.tcp_ecn = 1

Entries in /etc/shorewall/ecn have two columns as follows:


The name of an interface on your system


An address (host or subnet) of a system or group of systems accessed through the interface in the first column. You may include a comma-separated list of such addresses in this column.

Example 1. Your external interface is eth0 and you want to disable ECN for tcp connections to

Table 1. /etc/shorewall/ecn