[svlug] Re: openoffice on woody

George Georgalis georgw at galis.org
Sat Jan 4 18:30:08 PST 2003


On Sun, Jan 05, 2003 at 12:46:51AM +0200, Ira Abramov wrote:
>Quoting George Georgalis, from the post of Fri, 03 Jan:

>> What happened to http://www.openoffice.org/ it's not responding...
>
>let me guess, neither does pbs.org? :)
>
>try (as root): sysctl -w net.ipv4.tcp_ecn=0

BINGO! indeed that fixes it. I've heard of ECN before but it didn't
occur to me that this was the problem. It's a kernel compile time
option that can be adjusted (usually) on the fly. I've done something
of a meta-study to remind me next time :) I'm going to keep mine enabled
and only turn it off when I get stuck, cause that seems like the right
thing to do ;-)

Here's how to check/adjust:

http://cvs.debian.org/*checkout*/ddp/manuals.sgml/quick-reference/README?rev=1.6&cvsroot=debian-doc

      To check ECN:
      # cat /proc/sys/net/ipv4/tcp_ecn
      or
      # sysctl net.ipv4.tcp_ecn
      To turn it off, use:
      # echo "0" > /proc/sys/net/ipv4/tcp_ecn
      or
      # sysctl -w net.ipv4.tcp_ecn=0
      To disable TCP ECN on every boot, edit /etc/sysctl.conf and add:
      net.ipv4.tcp_ecn = 0


> At 10:49 PM 8/15/02, Sean Millichamp wrote:
> 
>> On Thu, 2002-08-15 at 21:27, Jonathon M. Robison wrote:
>> > The kernel is the default kernel done from the Mandrake update site.
>>
>> There is a relatively new feature in TCP called ECN (explicit congestion
>> notification) and relies on a certain combination of the TCP flags.
>> Some corporate firewalls incorrectly discard these ECN packets.  More
>> recent Linux kernels have full ECN support and, I believe, it is enabled
>> by default.  I encountered this problem when compiling a custom kernel
>> (about a year ago I think) and it confused the heck out of me for a
>> while.
>>
>> If you are seeing perfect functionality to most, but not all, sites
>> this is a likely culprit.
>>
>> # cat /proc/sys/net/ipv4/tcp_ecn
>> If you see 1 then you have ECN enabled, if so do:
>> # echo "0" > /proc/sys/net/ipv4/tcp_ecn
>> and try it again.
>>
>> Red Hat has this default to off due to the wide number of broken
>> firewalls but other distributions and custom compiled kernels may have
>> other defaults.  I believe that the stock Linux kernel defaults to it
>> being on.
>>
>> Hope this helps...
>>
>> Sean



Here are some notes from the kernel Documentation:

./Documentation/filesystems/proc.txt

tcp_ecn
-------

This file controls the use of the ECN bit in the IPv4 headers, this is a new
feature about Explicit Congestion Notification, but some routers and firewalls
block traffic that has this bit set, so it could be necessary to echo 0 to
/proc/sys/net/ipv4/tcp_ecn, if you want to talk to these sites. For more info
you could read RFC2481.



./Documentation/Configure.hel

ECN match support
CONFIG_IP_NF_MATCH_ECN
  This option adds a `ECN' match, which allows you to match against
  the IPv4 and TCP header ECN fields.



ECN target support
CONFIG_IP_NF_TARGET_ECN
  This option adds a `ECN' target, which can be used in the iptables mangle
  table.

  You can use this target to remove the ECN bits from the IPv4 header of
  an IP packet.  This is particularly useful, if you need to work around
  existing ECN blackholes on the internet, but don't want to disable
  ECN support in general.



TCP Explicit Congestion Notification support
CONFIG_INET_ECN
  Explicit Congestion Notification (ECN) allows routers to notify
  clients about network congestion, resulting in fewer dropped packets
  and increased network performance.  This option adds ECN support to
  the Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn)
  which allows ECN support to be disabled at runtime.

  Note that, on the Internet, there are many broken firewalls which
  refuse connections from ECN-enabled machines, and it may be a while
  before these firewalls are fixed.  Until then, to access a site
  behind such a firewall (some of which are major sites, at the time
  of this writing) you will have to disable this option, either by
  saying N now or by using the sysctl.



This post contained just what I needed to find the following 3 links
http://www.nylug.org/mlist/nylug-talk_mhonarc/2001-08/msg00604.html
    * To: nylug-talk at nylug.org
    * Subject: [nylug-talk] Explicit Congestion Notification
    * From: Michael Sims <jellicle at inch.com>
    * Date: Thu, 16 Aug 2001 11:19:48 -0400


http://www.tux.org/lkml/#s14-2
Why does the 2.4 kernel report Connection refused when connecting to
sites which work fine with earlier kernels?  
there are bugs in some firewall products which cause them to reject
incoming packets with ECN enabled.

This is the 40 page RFC that defines it, the intro is pretty to the point.
http://www.ietf.org/rfc/rfc3168.txt
The Addition of Explicit Congestion Notification (ECN) to IP

This is the RFC that's being violated by sites (routers) that are affected.
http://www.ietf.org/rfc/rfc793.txt
TRANSMISSION CONTROL PROTOCOL


http://gtf.org/garzik/ecn/
ECN-under-Linux Unofficial Vendor Support Page


http://www.landfield.com/rfcs/rfc2481.html
A Proposal to add Explicit Congestion Notification (ECN) to IP

was linked from 
http://lwn.net/2001/0201/kernel.php3
February 1, 2001 lwn.net, Kernel development


I don't think there is much else except a rehash of the same issue
and maybe more vendor specific (router) patches.

Cheers,
// George

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george at galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 
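
The flag combination discussed in the post above, as an added example that is not part of the original message: it builds the SYN a client sends with tcp_ecn=1 and with tcp_ecn=0 and shows which one a filter that still treats the old RFC 793 reserved bits as must-be-zero would drop. The ports, window size and the legacy_filter_accepts() model are constructed assumptions, not any vendor's actual rule.

```python
import struct

# Flag bits in byte 13 of the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
ECE, CWR = 0x40, 0x80   # reserved (zero) in RFC 793, assigned by RFC 3168


def build_syn(ecn: bool, ack: bool = False) -> bytes:
    """Constructed 20-byte TCP header for a SYN or SYN-ACK; field values are made up."""
    flags = SYN | (ACK if ack else 0)
    if ecn:
        # ECN-setup SYN carries ECE+CWR; the ECN-setup SYN-ACK carries ECE only.
        flags |= ECE if ack else (ECE | CWR)
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 1 if ack else 0,
                       5 << 4, flags, 5840, 0, 0)


def classify(header: bytes) -> str:
    """Name a handshake segment using RFC 3168's TCP initialization rules."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    f = header[13]
    if not (f & SYN) or (f & (RST | FIN)):
        return "not-a-syn"
    ecn = f & (ECE | CWR)
    if f & ACK:
        return "ecn-setup-syn-ack" if ecn == ECE else "non-ecn-setup-syn-ack"
    return "ecn-setup-syn" if ecn == (ECE | CWR) else "non-ecn-setup-syn"


def legacy_filter_accepts(header: bytes) -> bool:
    """Hypothetical model of a pre-ECN filter: reject if the old reserved bits are set."""
    return (header[13] & (ECE | CWR)) == 0


if __name__ == "__main__":
    for ecn in (True, False):   # client with tcp_ecn=1, then tcp_ecn=0
        syn = build_syn(ecn)
        print(f"tcp_ecn={int(ecn)}: {classify(syn)}, flags=0x{syn[13]:02x}, "
              f"legacy filter accepts: {legacy_filter_accepts(syn)}")
```
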



