add hint about local-nat.patch to KNOWN_BUGS, make libipt_ecn work

diff --git a/KNOWN_BUGS b/KNOWN_BUGS
index 8d0b547a0d079645a801f44ad02e4d99e711b31d..96009f6c123d9ea705f3308455990955f92a8d44 100644 (file)
--- a/KNOWN_BUGS
+++ b/KNOWN_BUGS
@@ -1,10 +1,14 @@
 Known bugs:
 
-1) NAT in the OUTPUT chain does not work in stock kernels.  However,
-   there is a patch in patch-o-matic, called the 'local-nat.patch'. 
-   This patch adds a CONFIG_NF_IP_NAT_LOCAL kernel config option.
+1) NAT in the OUTPUT chain only works since kernel 2.4.18.  However,
+   there is a patch for previous kernels in patch-o-matic, called the
+   'local-nat.patch'.  This patch adds a CONFIG_NF_IP_NAT_LOCAL kernel config
+   option.
 
 2) tcpdump traffic is corrupted by OUTPUT NAT.
 
 3) Connection tracking doesn't wait very long for reply FIN, meaning
    that half-closed pipes can time out early (seen frequently with squid).
+
+4) When you use ip6tables packet mangling on IPv6 packets, the packet will
+   not be re-routed in case e.g. you insert a routing header.

diff --git a/extensions/libipt_ecn.c b/extensions/libipt_ecn.c
index 7dcee2c86f32775c31a3922ff50e5d46bcd227b1..92bdbf06fd38bf3195f30a3f16cb53a3f52d8730 100644 (file)
--- a/extensions/libipt_ecn.c
+++ b/extensions/libipt_ecn.c
@@ -83,7 +83,7 @@ parse(int c, char **argv, int invert, unsigned int *flags,
                if (string_to_number(optarg, 0, 3, &result))
                        exit_error(PARAMETER_PROBLEM,
                                   "ECN match: Value out of range");
-               einfo->ip_ect = result;
+               einfo->ip_ect = (result << IPT_ECN_SHIFT);
                break;
        default:
                return 0;