submitted patch listing

ipv4 patches

[2.4.14] [2.4.18] [2.4.4] [ah-esp] [arptables] [config-cleanup] [conntrack+nat-helper-unregister] [ip6tables-export-symbols] [ip_conntrack_protocol_destroy] [ip_conntrack_protocol_unregister] [ip_nat_irc-srcaddr-fix] [ipt_mac-fix] [ipt_MIRROR-ttl] [ipt_REJECT-checkentry] [ipt_unclean-ecn] [irc-dcc-mask] [local-nat] [macro-trailing-semicolon-fix] [mangle5hooks] [module-license] [nat-export_symbols] [netfilter-arp] [netlink-tcpdiag] [REJECT-dont_fragment] [sackperm] [skb_clone_copy] [tcp-MSS] [TOS-oops-fix] [ulog-module-unload] [ulog]

ipv6 patches

[ip6t_mac-fix] [ipqueue]

submitted

Patches already submitted to latest kernel


2.4.14 [2.4.14.patch] [2.4.14.patch.help]
Author: Harald Welte <laforge@gnumonks.org> and others.
Status: Recommended (Already in 2.4.14 and above).

This contains numerous fixes and new features:

1) new IPv6 port of owner match 
2) fixes for IPv6 limit, mac and multiport matches
3) new IRC (DCC) connection tracking and NAT support
4) new SNMP NAT (ALG) support
5) new TTL match
6) new length match
7) new LOG target for IPv6
8) fix logging of ECN bits in LOG target


2.4.18 [2.4.18.patch] [2.4.18.patch.help]
Author: Various Artists 
Status: Included in final 2.4.18 kernel

- fixes a memory leak inside the ipchains backwards compatibility layer,
  which mostly occurs in combination with the ipchains redirect support.
- increases the module usage count of the ipchains backwards compatibility
  module as soon as you start adding rules.  
- increases the module usage count of the ipfwadm backwards compatibility
  module as soon as you start adding rules.  
- increases the module usage count of an ip table as soon as you start
  adding rules.  
- fixes the LOG target when attempting to print the inner ip packet in
  icmp error messages.
- fixes nf_sockopt unregister race condition
- fixes a bug in the debugging code for ip_fw_compat.
- fixes the printout to an error message inside ip_conntrack_standalone.c
- fixes the printout of an error message in the ip6 MARK target
- fixes a bug in the REDIRECT code when the incoming interface doesn't have an
  IP address assigned.
- fixes a bug when NAT used in OUTPUT leads to a change of the output device,
  and the new output device has a smaller hardware header length
- ip_conntrack header changes so certain information is accessible to
  userspace

2.4.4 [2.4.4.patch] [2.4.4.patch.help]
Author: Rusty Russell <rusty@rustcorp.com.au> and others.
Status: Recommended (Already in 2.4.4 and above).

This contains numerous fixes:

1) FTP cleanup:
	o Fixes for bugtraq-announced FTP security problems.
	o Understanding of EPSV and EPRT FTP extensions.
	o Servers with unusual PASV responses are supported.
	o FTP connection tracking and NAT on unusual ports.
	o Core "helper" code moved to ip_nat_helper.c.
2) NAT now doesn't drop untracked packets (e.g. multicast, nmap, etc).
3) SMP race with connection tracking is fixed.
4) NAT now spreads more evenly, if given a range of IP addresses.
5) Masquerading now cooperates with diald better.
6) DNAT and SNAT rules can only be inserted in the "nat" table.
7) mtr through a connection tracking box will no longer drop 90% of packets.
8) Reloading the iptable_nat module won't get old, stale NAT information.
9) First packet of a connection is seen by the helper functions.
10) "hashsize" parameter to ip_conntrack module.

ah-esp [ah-esp.patch] [ah-esp.patch.config.in] [ah-esp.patch.configure.help] [ah-esp.patch.help] [ah-esp.patch.makefile]
Author: Yon Uriarte <yon@astaro.de>
Status: Included in 2.4.18-pre7

This adds CONFIG_IP_NF_MATCH_AH_ESP, which supplies two match
extensions (`ah' and `esp') that allow you to match a range of SPIs inside
the AH or ESP headers of IPsec packets.

arptables [arptables.patch] [arptables.patch.help]
Author: David Miller <davem@redhat.com>
Status: Included in kernel 2.4.19-pre4

This adds generic arptables as well as arptable_filter support into the kernel.
The patch needs netfilter-arp.patch to work.


config-cleanup [config-cleanup.patch] [config-cleanup.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted to the kernel at 2.4.18-

This patch cleans up some header files and Config.in.


conntrack+nat-helper-unregister [conntrack+nat-helper-unregister.patch] [conntrack+nat-helper-unregister.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted to the kernel at 2.4.18-pre3 time

This is a patch fixing some minor problems when
ip_{conntrack,nat}_{irc,ftp}.o are compiled as a module, and
registration of the helper fails.

This is a very rare situation (somebody would have to try to
register two different helpers for the same port number).


ip6tables-export-symbols [ip6tables-export-symbols.patch] [ip6tables-export-symbols.patch.help]
Author: Brad Chapman <kakadu@earthlink.net>
Status: Submitted for kernel inclusion

This is a bugfix for the ip6_tables code in the current ( <= 2.4.8-pre3 )
kernel source.  It fixes the situation where ip6_tables.o is statically
linked into the kernel, but some modules (matches/targets/...) want to
register with ip6_tables.


ip6t_mac-fix [ip6t_mac-fix.patch.ipv6] [ip6t_mac-fix.patch.ipv6.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Included in kernel 2.4.13

Fixes a potentially exploitable bug with MAC address matching
in IPv6 on very small packets.

ip_conntrack_protocol_destroy [ip_conntrack_protocol_destroy.patch] [ip_conntrack_protocol_destroy.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Pending for kernel inclusion

This adds support for ip_conntrack_protocol_unregister(), needed if 
layer four protocol helpers (GRE, ...) are implemented as modules.


ip_conntrack_protocol_unregister [ip_conntrack_protocol_unregister.patch] [ip_conntrack_protocol_unregister.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted for kernel inclusion at 2.4.19-pre3 time

This adds support for ip_conntrack_protocol_unregister(), needed if 
layer four protocol helpers (GRE, ...) are implemented as modules.


ip_nat_irc-srcaddr-fix [ip_nat_irc-srcaddr-fix.patch] [ip_nat_irc-srcaddr-fix.patch.help]
Author: Bob Hockney <bhockney@ix.netcom.com>
Status: Submitted for kernel inclusion

The IRC NAT helper module has a small bug where it NATs the source address
of a DCC connection to the address of the IRC server instead of the other
client.  While this doesn't hurt functionality, it is nonetheless a bug and
it might confuse users who do a netstat on their IRC client machine.


ipqueue [ipqueue.patch.ipv6] [ipqueue.patch.ipv6.configure.help] [ipqueue.patch.ipv6.help] [ipqueue.patch.ipv6.makefile]
This is a patch needed to queue IPv6 packets via
NETLINK to user space with the QUEUE target.

(C) Fernando Anton 2001
IPv64 Project - Work based on the IPv64 draft by Arturo Azcorra.
Universidad Carlos III de Madrid
Universidad Politecnica de Alcala de Henares
email: fanton@it.uc3m.es

Status: experimental, pending



ipt_mac-fix [ipt_mac-fix.patch] [ipt_mac-fix.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Included in kernel 2.4.11

Fixes a potentially exploitable bug with MAC address matching
on very small packets.

ipt_MIRROR-ttl [ipt_MIRROR-ttl.patch] [ipt_MIRROR-ttl.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Compiles, yet untested

This adds TTL decrementing (and checking/dropping) in case the MIRROR
target is used in INPUT or PREROUTING chains/hooks.  This is to avoid 
endless packet loops.

ipt_REJECT-checkentry [ipt_REJECT-checkentry.patch] [ipt_REJECT-checkentry.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Included in kernel 2.4.11

Minor correction to the REJECT target's checkentry function, which had a
long-standing bug that went undiscovered only because of cacheline
alignment.


ipt_unclean-ecn [ipt_unclean-ecn.patch] [ipt_unclean-ecn.patch.help]
Author: Guillaume Morin <guillaume@morinfr.org>
Status: Submitted for kernel inclusion

This fixes the unclean match to consider ECN bits in the TCP header as clean,
rather than unclean (as it was before).

irc-dcc-mask [irc-dcc-mask.patch] [irc-dcc-mask.patch.help]
Author: Harald Welte <laforge@gnumonks.org>, Jozsef Kadlecsik
Status: Included in linux kernel >= 2.4.18-pre9

This patch fixes an important security issue present in all Linux kernel
versions from 2.4.14 to 2.4.18-pre8.

Details of this security issue can be found at
http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html


local-nat [local-nat.patch] [local-nat.patch.config.in] [local-nat.patch.configure.help] [local-nat.patch.help]
Author: Henrik Nordstrom <hno@marasystems.com>, Harald Welte
Status: Submitted for kernel inclusion at 2.4.19-pre3 time

This adds CONFIG_IP_NF_NAT_LOCAL, which enables the user to do destination
NAT on locally-originated connections.

Locally originated means originating on the NAT box itself.

macro-trailing-semicolon-fix [macro-trailing-semicolon-fix.patch] [macro-trailing-semicolon-fix.patch.help]
Author: David Miller <davem@redhat.com>
Status: Included in 2.4.19-pre3

Some macros erroneously contained a trailing semicolon. This patch removes
the trailing semicolons.


mangle5hooks [mangle5hooks.patch] [mangle5hooks.patch.help]
Author: Brad Chapman <kakadu_croc@yahoo.com>
Status: pending for kernel inclusion

This patch expands the number of registered hooks for both the IPv4 and
IPv6 versions of the iptables mangle table.

Also, like the filter table, the mangle table will accept a module
parameter to change the verdict of the FORWARD chain upon module load.

module-license [module-license.patch] [module-license.patch.help]
Author: The core linux hackers
Status: Included in kernel 2.4.10

This patch adds a new macro called MODULE_LICENSE to the kernel.

You will need this patch if you have a kernel < 2.4.10 and want to use
any of the patches of patch-o-matic.

Please say yes, it won't hurt anything :)


nat-export_symbols [nat-export_symbols.patch] [nat-export_symbols.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted to the kernel at 2.4.18-

This patch exports some symbols from ip_nat_standalone.c that were previously missed.


netfilter-arp [netfilter-arp.patch] [netfilter-arp.patch.help]
Author: Rusty Russell <rusty@rustcorp.com.au>
Status: Submitted for kernel inclusion at 2.4.19-pre3 time

This adds netfilter hooks to the ARP sender and receiver code.
An ARP tables kernel module will be published soon.


netlink-tcpdiag [netlink-tcpdiag.patch] [netlink-tcpdiag.patch.help]
Author: unknown
Status: In kernel since 2.4.17

This patch is not really a netfilter patch, but updates your netlink.h file
so that it matches what the ulog patch expects.  It's safe to apply this patch
at any time, and it's needed by ulog.patch.

NOTE: this patch is not needed (and will not apply) on kernels >= 2.4.18.


REJECT-dont_fragment [REJECT-dont_fragment.patch] [REJECT-dont_fragment.patch.help]
Author: David Miller <davem@redhat.com>
Status: Submitted to the kernel at 2.4.19-pre time

This patch fixes a bug in ipt_REJECT where we set the IP header's
Don't Fragment (DF) bit on the REJECT-generated ICMP message.

However, there is no PMTU discovery with ICMP, so we should just send
the ICMP error message with DF cleared, allowing intermediate routers
to fragment it.


sackperm [sackperm.patch] [sackperm.patch.help]
Author: Guillaume Morin <guillaume@morinfr.org>
Status: Included in kernel 2.4.10

This patch fixes a bug in the SACKPERM delete function of netfilter.

The previous code replaced SACKPERM with 00 (== end of options) instead of
01 (== NOOP).

Yes, as discussed on netdev, the right thing is to make netfilter deal with
SACK correctly.  But until the code for this is in place and tested, we still
need to delete the SACKPERM option... and we should do it correctly.



skb_clone_copy [skb_clone_copy.patch] [skb_clone_copy.patch.help]
Author: Rusty Russell <rusty@rustcorp.com.au>
Status: Included in 2.4.18-pre7

There are some problems when a raw socket has a cloned skb of a packet
where some netfilter code is doing packet payload modification.

In this case, we have to use skb_copy to unshare the skb. This patch
fixes the problem.


tcp-MSS [tcp-MSS.patch] [tcp-MSS.patch.config.in] [tcp-MSS.patch.configure.help] [tcp-MSS.patch.help] [tcp-MSS.patch.makefile]
Author: Marc Boucher
Status: Included in kernel 2.4.4

This patch adds the CONFIG_IP_NF_TARGET_TCPMSS and
CONFIG_IP_NF_MATCH_TCPMSS options, which allow you to examine and
alter the MSS value of TCP SYN packets, to control the maximum size
for that connection.  THIS IS A HACK, used to overcome criminally
braindead ISPs or servers which block ICMP Fragmentation Needed
packets.

Typical usage:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


TOS-oops-fix [TOS-oops-fix.patch] [TOS-oops-fix.patch.help]
Author: Edward Killips <etkillips@hotmail.com>
Status: Submitted for kernel inclusion

This patch fixes an Oops related to the TOS manipulation target.


ulog-module-unload [ulog-module-unload.patch] [ulog-module-unload.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted for kernel inclusion at 2.4.19-pre6 time

This fixes a bug which can potentially cause a kernel Oops to happen when
you unload the ipt_ULOG module.


ulog [ulog.patch] [ulog.patch.config.in] [ulog.patch.configure.help] [ulog.patch.help] [ulog.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: Quite stable, as I didn't receive a single bug report for months

This adds the CONFIG_IP_NF_TARGET_ULOG option, which supplies a more
advanced packet logging mechanism than the standard LOG target.  The
libiptulog/ directory contains a library for receiving the ULOG
messages.
See http://www.gnumonks.org/projects/ulogd for more information.


Generated Sun Apr 21 15:31:14 EDT 2002 by pomlist version 0.2.