add hint about local-nat.patch to KNOWN_BUGS, make libipt_ecn work

2 files changed, 8 insertions, 4 deletions

diff --git a/KNOWN_BUGS b/KNOWN_BUGS
index 8d0b547..96009f6 100644
--- a/KNOWN_BUGS
+++ b/KNOWN_BUGS
@@ -1,10 +1,14 @@
 Known bugs:
 
-1) NAT in the OUTPUT chain does not work in stock kernels.  However,
-   there is a patch in patch-o-matic, called the 'local-nat.patch'. 
-   This patch adds a CONFIG_NF_IP_NAT_LOCAL kernel config option.
+1) NAT in the OUTPUT chain only works since kernel 2.4.18.  However,
+   there is a patch for previous kernels in patch-o-matic, called the
+   'local-nat.patch'.  This patch adds a CONFIG_NF_IP_NAT_LOCAL kernel config
+   option.
 
 2) tcpdump traffic is corrupted by OUTPUT NAT.
 
 3) Connection tracking doesn't wait very long for reply FIN, meaning
    that half-closed pipes can time out early (seen frequently with squid).
+
+4) When you use ip6tables packet mangling on IPv6 packets, the packet will
+   not be re-routed in case e.g. you insert a routing header.
diff --git a/extensions/libipt_ecn.c b/extensions/libipt_ecn.c
index 7dcee2c..92bdbf0 100644
--- a/extensions/libipt_ecn.c
+++ b/extensions/libipt_ecn.c
@@ -83,7 +83,7 @@ parse(int c, char **argv, int invert, unsigned int *flags,
 		if (string_to_number(optarg, 0, 3, &result))
 			exit_error(PARAMETER_PROBLEM,
 				   "ECN match: Value out of range");
-		einfo->ip_ect = result;
+		einfo->ip_ect = (result << IPT_ECN_SHIFT);
 		break;
 	default:
 		return 0;