base patch listing

Individual Suite pages:

[summary] [combined] [base] [broken] [extra] [not-accepted] [obsolete] [oldnat] [pending] [submitted]

ipv4 patches

[iplimit] [ipv4options] [IPV4OPTSSTRIP] [mport] [NETLINK] [NETMAP] [nth] [pool] [psd] [quota] [random] [realm] [SAME] [time] [TTL]

ipv6 patches

[ahesp6] [frag6] [ipv6header] [REJECT] [route6]

base

base depends on: submitted pending

Patches which are working fine together


ahesp6 [ahesp6.patch.ipv6] [ahesp6.patch.ipv6.config.in] [ahesp6.patch.ipv6.configure.help] [ahesp6.patch.ipv6.help] [ahesp6.patch.ipv6.makefile]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: It works 4 me!

  These two match extensions (`ah' and `esp') allow you to match a
  range of SPIs inside AH or ESP headers of IPv6 packets.

  AH options:
 --ahspi [!] spi[:spi]         match spi (range)
 --ahlen [!] length            total length of this header
 --ahres                       check the reserved field, too

 ESP option:
 --espspi [!] spi[:spi]        match spi (range)


frag6 [frag6.patch.ipv6] [frag6.patch.ipv6.config.in] [frag6.patch.ipv6.configure.help] [frag6.patch.ipv6.help] [frag6.patch.ipv6.makefile]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: It works 4 me!

  This match extension (`frag') allows you to select packets based on the
  fields of the fragmentation header of IPv6 packets.

  FRAG options:
 --fragid [!] id[:id]          match the id (range)
 --fraglen [!] length          total length of this header
 --fragres                     check the reserved field, too
 --fragfirst                   matches on the first fragment
 [--fragmore|--fraglast]       there are more fragments or this
                               is the last one


iplimit [iplimit.patch] [iplimit.patch.config.in] [iplimit.patch.configure.help] [iplimit.patch.help] [iplimit.patch.makefile]
Author: Gerd Knorr <kraxel@bytesex.org>
Status: ItWorksForMe[tm]

This adds the CONFIG_IP_NF_MATCH_IPLIMIT match, which allows you to restrict
the number of parallel TCP connections to a server per client IP address
(or per address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m iplimit --iplimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m iplimit ! --iplimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m iplimit --iplimit-above 16		\
	--iplimit-mask 24 -j REJECT
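The counting behind the three rules above, as an added model that is not the patch's kernel code: each new SYN is charged against the client's host address, or against its address block when a mask is given, and the rule matches once the block would hold more than `--iplimit-above` parallel connections. The connection records are constructed here and the table is a simplified stand-in for the module's own state.

```python
# Model of the iplimit match (added illustration, not the patch's code):
# count parallel TCP connections per client host or per --iplimit-mask block.
from ipaddress import IPv4Network
from typing import Dict, List, Set, Tuple

Conn = Tuple[str, str, int, int]  # (src, dst, sport, dport)


class IpLimit:
    def __init__(self, above: int, mask: int = 32):
        self.above = above      # --iplimit-above
        self.mask = mask        # --iplimit-mask (32 means one counter per host)
        self.open: Dict[IPv4Network, Set[Conn]] = {}

    def block(self, src: str) -> IPv4Network:
        """Map a client address onto its counting key (host or netblock)."""
        return IPv4Network(f"{src}/{self.mask}", strict=False)

    def syn(self, src: str, dst: str, sport: int, dport: int) -> bool:
        """Handle a new SYN. Returns True when the rule matches, i.e. this
        connection would push the block above the limit. A matched SYN is
        not recorded, mirroring the REJECT in the first rule above."""
        conns = self.open.setdefault(self.block(src), set())
        if len(conns) + 1 > self.above:
            return True
        conns.add((src, dst, sport, dport))
        return False

    def close(self, src: str, dst: str, sport: int, dport: int) -> None:
        """Forget a finished connection so its slot becomes free again."""
        self.open.get(self.block(src), set()).discard((src, dst, sport, dport))


def per_host_demo() -> List[bool]:
    """--iplimit-above 2 on port 23: the third parallel connection from one
    host matches; another host, and a freed slot, do not."""
    lim = IpLimit(above=2)
    out = [lim.syn("10.1.1.5", "192.0.2.10", sport, 23)
           for sport in (40001, 40002, 40003)]
    out.append(lim.syn("10.1.1.6", "192.0.2.10", 40001, 23))   # different host
    lim.close("10.1.1.5", "192.0.2.10", 40001, 23)              # one slot freed
    out.append(lim.syn("10.1.1.5", "192.0.2.10", 40004, 23))
    return out


def per_block_demo() -> List[bool]:
    """--iplimit-above 2 --iplimit-mask 24: three hosts in 10.1.1.0/24 share
    one counter; a host in 10.1.2.0/24 is counted separately."""
    lim = IpLimit(above=2, mask=24)
    out = [lim.syn(host, "192.0.2.10", 40000 + i, 80)
           for i, host in enumerate(("10.1.1.5", "10.1.1.6", "10.1.1.7"))]
    out.append(lim.syn("10.1.2.5", "192.0.2.10", 40000, 80))
    return out
```

The `close()` step matters for the detection picture: a limit like this counts live connections, so a client that keeps its connections open is what trips it, not one that churns through them quickly.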

ipv4options [ipv4options.patch] [ipv4options.patch.config.in] [ipv4options.patch.configure.help] [ipv4options.patch.help] [ipv4options.patch.makefile]
Author: Fabrice MARIE <fabrice@celestix.com>
Status: experimental

This option adds CONFIG_IP_NF_MATCH_IPV4OPTIONS,
which supplies an IP options match.

Supported options are:
--ssrr
  To match packets with the flag strict source routing.
--lsrr
  To match packets with the flag loose source routing.
--no-srr
  To match packets with no flag for source routing.
[!] --rr
  To match packets with the RR flag.
[!] --ts
  To match packets with the TS flag.
[!] --ra
  To match packets with the router-alert option.
[!] --any-opt
  To match a packet with at least one IP option, or no IP option
  at all if ! is chosen.

Example:
  $ iptables -A input -m ipv4options --rr -j DROP
  will drop packets with the record-route flag.

  $ iptables -A input -m ipv4options --ts -j DROP
  will drop packets with the timestamp flag.

Bug ?
  I tested --ts and --rr, but not source routing issues, nor the router-alert
  since I don't know enough about them. So please let me know if it works or
  doesn't work :)

IPV4OPTSSTRIP [IPV4OPTSSTRIP.patch] [IPV4OPTSSTRIP.patch.config.in] [IPV4OPTSSTRIP.patch.configure.help] [IPV4OPTSSTRIP.patch.help] [IPV4OPTSSTRIP.patch.makefile]
Author: Fabrice MARIE <fabrice@celestix.com>
Status: Works For Me.

This option adds CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP, which supplies a target
module that will allow you to strip all the IP options from a packet.

The target doesn't take any option, and therefore is extremely easy to use:

# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
# iptables -t mangle --list -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
IPV4OPTSSTRIP  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
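Both the ipv4options match and the IPV4OPTSSTRIP target work on the option area of the IPv4 header, so one added example covers them: a bounds-checked parser for the option list, the match predicates from the ipv4options help above (`--rr`, `--ts`, `--ra` with their `!` forms, `--ssrr`, `--lsrr`, `--no-srr`, `--any-opt`), and a stripping routine. This is illustration code, not either patch's kernel source; the headers are constructed in the block, and overwriting the options with NOPs plus a checksum refresh is one way to realise stripping, since the page does not show the target's own method.

```python
# Added illustration (not the patches' code): parse IPv4 options, evaluate
# ipv4options-style predicates, and strip the option area.
import struct
from ipaddress import IPv4Address
from typing import List, Optional

# Option type codes from RFC 791 and RFC 2113 (router alert)
IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_TS = 0, 1, 7, 68
IPOPT_LSRR, IPOPT_SSRR, IPOPT_RA = 131, 137, 148


def header_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement sum; 0 for a header whose checksum is right."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(header: bytes) -> List[int]:
    """Return the option types in bytes 20..IHL*4. Length bytes are checked
    so a malformed header cannot walk the parser past the header end."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts, i = [], 20
    while i < ihl:
        kind = header[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option without length byte")
        length = header[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        opts.append(kind)
        i += length
    return opts


def ipv4options_match(header: bytes, ssrr=False, lsrr=False, no_srr=False,
                      rr: Optional[bool] = None, ts: Optional[bool] = None,
                      ra: Optional[bool] = None,
                      any_opt: Optional[bool] = None) -> bool:
    """For the negatable options: None = not given, True = must be present,
    False = the '!' form."""
    present = set(parse_options(header))
    checks = []
    if ssrr:
        checks.append(IPOPT_SSRR in present)
    if lsrr:
        checks.append(IPOPT_LSRR in present)
    if no_srr:
        checks.append(not present & {IPOPT_SSRR, IPOPT_LSRR})
    for want, code in ((rr, IPOPT_RR), (ts, IPOPT_TS), (ra, IPOPT_RA)):
        if want is not None:
            checks.append((code in present) == want)
    if any_opt is not None:
        checks.append(bool(present) == any_opt)
    return all(checks)


def strip_options(header: bytes) -> bytes:
    """Overwrite every option byte with NOP and refresh the checksum; IHL and
    total length stay as they were, so the packet remains well formed."""
    ihl = (header[0] & 0x0F) * 4
    h = bytearray(header)
    for i in range(20, ihl):
        h[i] = IPOPT_NOP
    h[10:12] = b"\x00\x00"
    struct.pack_into("!H", h, 10, header_checksum(bytes(h)))
    return bytes(h)


def build_header(options: bytes, src="192.0.2.1", dst="198.51.100.2") -> bytes:
    """Constructed minimal IPv4 header (no payload) carrying `options`."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to 32-bit words with EOL
    ihl = 5 + len(options) // 4
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0x1234,
                              0, 64, 6, 0, IPv4Address(src).packed,
                              IPv4Address(dst).packed))
    h += options
    struct.pack_into("!H", h, 10, header_checksum(bytes(h)))
    return bytes(h)


# Constructed samples: record route, timestamp, router alert, loose source
# route (one slot each, contents zeroed), and a header without options.
RR_HDR = build_header(b"\x07\x0b\x04" + b"\x00" * 8)
TS_HDR = build_header(b"\x44\x08\x05\x00" + b"\x00" * 4)
RA_HDR = build_header(b"\x94\x04\x00\x00")
LSRR_HDR = build_header(b"\x83\x07\x04" + b"\x00" * 4)
PLAIN_HDR = build_header(b"")
```

The length checks in `parse_options` are the part worth copying: an option list is attacker-controlled input, and a zero or oversized length byte is exactly what a naive walker trips over.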

ipv6header [ipv6header.patch.ipv6] [ipv6header.patch.ipv6.config.in] [ipv6header.patch.ipv6.configure.help] [ipv6header.patch.ipv6.help] [ipv6header.patch.ipv6.makefile]
Author: Brad Chapman (kakadu_croc@yahoo.com)
        Andras Kis-Szabo 
Status: Under development, please test it!

This match allows you to match the specialty headers of an IPv6
packet. The list can be found from the help message of the match
module.

The usage of the module is as follows (e.g.):

ip6tables -t filter -A INPUT -m ipv6header --header frag -j ACCEPT
ip6tables -t filter -A INPUT -m ipv6header --header 44 -j ACCEPT
ip6tables -t filter -A INPUT -m ipv6header --header route --soft -j ACCEPT

syntax:
--header [!] headers
--soft

Supported formats:
	hop,dst,route,frag,auth,esp,none,prot
	hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol
	0,60,43,44,51,50,59
prot (or protocol) means that the packet has a protocol payload.

The soft mode means that the packet contains the header.

Warning: there is a problem with fragmented packets!
 If there is an extension header after the fragmentation header, it can be
 matched only in the first fragment!


mport [mport.patch] [mport.patch.config.in] [mport.patch.configure.help] [mport.patch.help] [mport.patch.makefile]
Author: Andreas Ferber <af@devcon.net>
Status: It works for me.

This module is an enhanced multiport match. It has support for port
ranges as well as for single ports.

Examples:

# iptables -A FORWARD -p tcp -m mport --ports 23:42,65

Up to 15 ports are allowed. Note that a port range uses up 2 of these port values.

NETLINK [NETLINK.patch] [NETLINK.patch.config.in] [NETLINK.patch.configure.help] [NETLINK.patch.help] [NETLINK.patch.makefile]
Author: Gianni Tedesco <gianni@ecsc.co.uk>
Status: Working, will not go into main kernel

This patch adds CONFIG_IP_NF_TARGET_NETLINK, which adds a NETLINK
target that sends dropped packets to userspace via a netlink socket.
It replaces the old ipchains -o option.

NETMAP [NETMAP.patch] [NETMAP.patch.config.in] [NETMAP.patch.configure.help] [NETMAP.patch.help] [NETMAP.patch.makefile]
Author: Svenning Soerensen <svenning@post5.tele.dk>
Status: Experimental

This adds CONFIG_IP_NF_TARGET_NETMAP option, which provides a target for
the nat table. It creates a static 1:1 mapping of the network address,
while keeping host addresses intact. It can be applied to the
PREROUTING chain to alter the destination of incoming connections,
to the POSTROUTING chain to alter the source of outgoing connections,
or both (with separate rules).

Examples:

iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24

iptables -t nat -A POSTROUTING -s 5.6.7.0/24 -j NETMAP --to 1.2.3.0/24
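The two rules above, worked through on constructed packets as an added model (not the patch's kernel code): the network part of the address is swapped for the `--to` network while the host bits are kept, applied to the destination in PREROUTING and to the source in POSTROUTING. The prefix-length check is an addition of this example, not something the page documents.

```python
# Added illustration of NETMAP's 1:1 address rewriting (not the patch's code).
from ipaddress import IPv4Address, IPv4Network


def netmap(addr: str, to: str) -> str:
    """Rewrite `addr` into the `to` network, keeping its host bits."""
    target = IPv4Network(to, strict=False)
    host_bits = int(IPv4Address(addr)) & int(target.hostmask)
    return str(IPv4Address(int(target.network_address) | host_bits))


def check_one_to_one(match_net: str, to: str) -> None:
    """Sanity check added here: the mapping is only 1:1 when the matched
    network and the --to network have the same prefix length."""
    if IPv4Network(match_net).prefixlen != IPv4Network(to).prefixlen:
        raise ValueError(f"{match_net} and {to} differ in size; not a 1:1 map")


def prerouting(pkt: dict, match_dst: str, to: str) -> dict:
    """-t nat -A PREROUTING -d <match_dst> -j NETMAP --to <to>"""
    check_one_to_one(match_dst, to)
    if IPv4Address(pkt["dst"]) in IPv4Network(match_dst):
        return {**pkt, "dst": netmap(pkt["dst"], to)}
    return pkt


def postrouting(pkt: dict, match_src: str, to: str) -> dict:
    """-t nat -A POSTROUTING -s <match_src> -j NETMAP --to <to>"""
    check_one_to_one(match_src, to)
    if IPv4Address(pkt["src"]) in IPv4Network(match_src):
        return {**pkt, "src": netmap(pkt["src"], to)}
    return pkt


def demo() -> tuple:
    """A packet for the public 1.2.3.0/24 block lands on the matching host in
    5.6.7.0/24; the reply leaves with its public source; other traffic is
    left alone. Addresses are constructed from the page's own example."""
    inbound = prerouting({"src": "203.0.113.9", "dst": "1.2.3.42"},
                         "1.2.3.0/24", "5.6.7.0/24")
    reply = postrouting({"src": "5.6.7.42", "dst": "203.0.113.9"},
                        "5.6.7.0/24", "1.2.3.0/24")
    untouched = prerouting({"src": "203.0.113.9", "dst": "1.2.4.42"},
                           "1.2.3.0/24", "5.6.7.0/24")
    return inbound["dst"], reply["src"], untouched["dst"]
```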


nth [nth.patch] [nth.patch.config.in] [nth.patch.configure.help] [nth.patch.help] [nth.patch.makefile]
Author: Fabrice MARIE <fabrice@celestix.com>
Status: Works For Me.

This option adds CONFIG_IP_NF_MATCH_NTH, which supplies a match
module that will allow you to match every Nth packet encountered.
By default there are 16 different counters that can be used.

This match functions in one of two ways:
1) Match every Nth packet, and only the Nth packet.
   example:
    iptables -t mangle -A PREROUTING -m nth --every 10 -j DROP
   This rule will drop every 10th packet.
2) Unique rule for every packet.  This is an easy and quick
   method to produce load-balancing for both inbound and outbound traffic.
   example:
    iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \
             --every 3 --packet 0 -j SNAT --to-source 10.0.0.5
    iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \
             --every 3 --packet 1 -j SNAT --to-source 10.0.0.6
    iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \
             --every 3 --packet 2 -j SNAT --to-source 10.0.0.7
   This example evenly splits connections between the three SNAT
   addresses.

   By using the mangle table and iproute2, you can set up complex
   load-balanced routing.  There are lots of other uses.  Be creative!

Supported options are:
   --every     Nth         Match every Nth packet
  [--counter]  num         Use counter 0-15 (default:0)
  [--start]    num         Initialize the counter at the number 'num'
                           instead of 0. Must be between 0 and Nth-1
  [--packet]   num         Match on 'num' packet. Must be between 0
                           and Nth-1.
                           If --packet is used for a counter, then
                           there must be Nth --packet rules for it,
                           covering all values between 0 and Nth-1
                           inclusive.
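An added model of the two modes and of the "cover every value" requirement; this is illustration code, not the patch's kernel source, and the counter update rules are inferred from the documented behaviour (in `--packet` mode only the rule that matches advances the shared counter, which is why a missing `--packet` value leaves the counter stuck). The 16 counters and the three-address SNAT set come from the text above.

```python
# Added illustration of the nth match (not the patch's code).
from typing import List, Optional


class Nth:
    def __init__(self):
        self.counters = [0] * 16            # counters 0..15, all start at 0

    def start(self, counter: int, num: int) -> None:
        """--start num: begin counting at `num` instead of 0."""
        self.counters[counter] = num

    def match(self, every: int, counter: int = 0,
              packet: Optional[int] = None) -> bool:
        c = self.counters[counter]
        if packet is None:
            # Mode 1: every packet advances the counter; the Nth one matches
            c += 1
            if c >= every:
                self.counters[counter] = 0
                return True
            self.counters[counter] = c
            return False
        # Mode 2: the rule matches only while the counter equals its --packet
        # value, and only a matching rule advances the counter (assumption
        # consistent with the coverage requirement documented above)
        if c != packet:
            return False
        self.counters[counter] = (c + 1) % every
        return True


def drop_every_10th(n_packets: int) -> List[int]:
    """-m nth --every 10 -j DROP: 1-based numbers of the packets dropped."""
    nth = Nth()
    return [i for i in range(1, n_packets + 1) if nth.match(every=10)]


POOL = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]


def snat_round_robin(n_conns: int, rules=range(3)) -> List[Optional[str]]:
    """The three POSTROUTING rules above, evaluated in order per new
    connection. SNAT terminates traversal, so the first match decides.
    Pass a smaller `rules` range to leave some --packet values uncovered."""
    nth = Nth()
    chosen = []
    for _ in range(n_conns):
        picked = None
        for idx in rules:
            if nth.match(every=3, counter=7, packet=idx):
                picked = POOL[idx]
                break
        chosen.append(picked)
    return chosen
```

Running `snat_round_robin(5, range(2))` shows the failure mode the option table warns about: after two connections the counter sits at 2, no rule claims it, and every later connection leaves un-NATed.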


pool [pool.patch] [pool.patch.config.in] [pool.patch.configure.help] [pool.patch.help] [pool.patch.makefile]
Author: Patrick <bof@bof.de>
Status: Development: please tell me if and where I fucked up on the locks.

This adds CONFIG_IP_NF_POOL, which provides a match which lets you use
bitmaps with one bit per address from some range of IP addresses; the
match depends on whether a checked source or destination address has
its bit set in the pool.  It also provides a POOL target, which can be
used to add or remove the addresses of a packet to/from a pool.

The userspace program ippool(8) is also compiled (in the ippool/
directory), and is used to define the pools and their bounds.

psd [psd.patch] [psd.patch.config.in] [psd.patch.configure.help] [psd.patch.help] [psd.patch.makefile]
Author: Dennis Koslowski <dkoslowski@astaro.de>
Status: Experimental

This option adds CONFIG_IP_NF_MATCH_PSD, which supplies a portscan
detection match (psd). This match will attempt to detect TCP and UDP
port scans. It was derived from Solar Designer's scanlogd.

Supported options are:

--psd-weight-threshold 

  Total weight of the latest TCP/UDP packets with different
  destination ports coming from the same host to be treated as port
  scan sequence.

--psd-delay-threshold 

  Delay (in hundredths of second) for the packets with different
  destination ports coming from the same host to be treated as
  possible port scan subsequence.

--psd-lo-ports-weight 

  Weight of the packet with privileged (<=1024) destination port.

--psd-hi-ports-weight

  Weight of the packet with non-privileged destination port.
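How the four options combine, as an added simplified model in the style of scanlogd rather than the patch's kernel code: per source host, packets to distinct destination ports accumulate weight (the low-port weight for ports up to 1024, the high-port weight otherwise), a gap longer than the delay threshold starts a new sequence, and reaching the weight threshold is a port scan. The threshold values and the traffic samples are constructed for the illustration, not taken from the page.

```python
# Added illustration of psd-style scoring (not the patch's code).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Sequence:
    last_seen: float                   # seconds
    ports: Set[int] = field(default_factory=set)
    weight: int = 0


class PortscanDetector:
    def __init__(self, weight_threshold: int = 21, delay_threshold: int = 300,
                 lo_ports_weight: int = 3, hi_ports_weight: int = 1):
        self.weight_threshold = weight_threshold        # --psd-weight-threshold
        self.delay_threshold = delay_threshold / 100    # --psd-delay-threshold (1/100 s)
        self.lo_weight = lo_ports_weight                # --psd-lo-ports-weight (<=1024)
        self.hi_weight = hi_ports_weight                # --psd-hi-ports-weight
        self.state: Dict[str, Sequence] = {}

    def packet(self, src: str, dport: int, t: float) -> bool:
        """Score one packet; True means the rule matches (scan detected)."""
        seq = self.state.get(src)
        if seq is None or t - seq.last_seen > self.delay_threshold:
            seq = Sequence(last_seen=t)     # too slow to be a sequence: start over
            self.state[src] = seq
        seq.last_seen = t
        if dport not in seq.ports:          # only distinct ports add weight
            seq.ports.add(dport)
            seq.weight += self.lo_weight if dport <= 1024 else self.hi_weight
        return seq.weight >= self.weight_threshold


def first_alert(det: PortscanDetector,
                packets: List[Tuple[float, str, int]]) -> Optional[int]:
    """Index of the first packet in `packets` that triggers the match, or None."""
    for i, (t, src, dport) in enumerate(packets):
        if det.packet(src, dport, t):
            return i
    return None


PRIV_PORTS = [21, 22, 23, 25, 53, 80, 110, 143]

# Constructed traffic samples: (time in seconds, source, destination port)
FAST_SCAN = [(0.01 * i, "198.51.100.7", p) for i, p in enumerate(PRIV_PORTS)]
SLOW_PROBE = [(5.0 * i, "198.51.100.8", p) for i, p in enumerate(PRIV_PORTS)]
WEB_CLIENT = [(0.2 * i, "203.0.113.9", p) for i, p in enumerate([80, 443] * 10)]
HIGH_PORT_SCAN = [(0.01 * i, "198.51.100.9", 8000 + i) for i in range(30)]
```

The two misses are the instructive ones: the slow probe never accumulates because every packet falls outside the delay window, and the high-port sweep needs three times as many ports as the privileged one. Tuning `--psd-delay-threshold` and `--psd-hi-ports-weight` trades that blind spot against false positives on busy clients.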


quota [quota.patch] [quota.patch.config.in] [quota.patch.configure.help] [quota.patch.help] [quota.patch.makefile]
Author: Sam Johnston <samj@samj.net>
Status: worksforme

This option adds CONFIG_IP_NF_MATCH_QUOTA, which implements network
quotas by decrementing a byte counter with each packet.

Supported options are:
--quota 
  The quota in bytes.


random [random.patch] [random.patch.config.in] [random.patch.configure.help] [random.patch.help] [random.patch.makefile]
Author: Fabrice MARIE <fabrice@celestix.com>
Status: Works For Me.

This option adds CONFIG_IP_NF_MATCH_RANDOM,
which allows you to match packets randomly
with a given probability.

Supported options are:

[--average] percent     match packets randomly with a probability of 'percent'
                        (default is 50%)

realm [realm.patch] [realm.patch.config.in] [realm.patch.configure.help] [realm.patch.help] [realm.patch.makefile]
Author: Sampsa Ranta <sampsa@netsonic.fi>
Status: Experimental

realm match: uses the realm key from routing as match criterion, similar to
             the one in the packet classifier

/** snip from packet classifier documentation */
Routing tables based classifier
CONFIG_NET_CLS_ROUTE4
  If you say Y here, you will be able to classify outgoing packets
  according to the route table entry they matched. If unsure, say Y.
/** end snip **/


# Example
# add route
/sbin/ip route add 194.29.194.0/24 via 194.29.192.1 realm 10

# source realm is in realm with mask 0xFFFF0000,
# destination is in realm with mask 0x0000FFFF

# match destination realm
/usr/local/sbin/iptables -A OUTPUT -m realm --realm 10 -j LOG

# match the realm of the source; this is also determined by routing
/usr/local/sbin/iptables -A INPUT -m realm --realm 655360 -j LOG

THIS PATCH REQUIRES CONFIG_NET_CLS_ROUTE TO BE SET

REJECT [REJECT.patch.ipv6] [REJECT.patch.ipv6.config.in] [REJECT.patch.ipv6.configure.help] [REJECT.patch.ipv6.help] [REJECT.patch.ipv6.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: In Development, REQUIRES ipv6-fixes.patch

This adds CONFIG_IP6_NF_TARGET_REJECT option, which adds a REJECT target
to ip6tables. Please keep in mind that the icmp-types are different from
the icmpv6 types (see ip6tables -j REJECT -h for more info)

route6 [route6.patch.ipv6] [route6.patch.ipv6.config.in] [route6.patch.ipv6.configure.help] [route6.patch.ipv6.help] [route6.patch.ipv6.makefile]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: It works 4 me!

  This match extension (`rt') allows you to select packets based on the
  fields of the routing header of IPv6 packets.

 RT options:
 --rt-type [!] type            match the type
 --rt-segsleft [!] num[:num]   match the Segments Left field (range)
 --rt-len [!] length           total length of this header
 --rt-0-res                    check the reserved field, too (type 0)
 --rt-0-addrs                  Type=0 addresses (list) - NOT SUPPORTED, yet


SAME [SAME.patch] [SAME.patch.config.in] [SAME.patch.configure.help] [SAME.patch.help] [SAME.patch.makefile]
Author: Martin Josefsson <gandalf@wlug.westbo.se>
Status: In Development/Works For Me

This adds CONFIG_IP_NF_TARGET_SAME option, which is similar to
SNAT: it takes a range of addresses (`--to 1.2.3.4-1.2.3.7') and
gives a client the same address for each connection.

It has a --nodst option to make it not use the
destination IP in the calculations when selecting
the new source IP.

Now it has support for multiple ranges, including 1-address ranges.

THIS PATCH IS INCOMPATIBLE WITH dropped-table.patch
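An added model of the property SAME provides (the same client gets the same source address on every connection) with `--to` ranges expanded into one candidate list and `--nodst` honoured. This is illustration code, not the patch's kernel source; the page does not show the index formula the target uses, so the sum-modulo selection below is an assumption, and the addresses are constructed from the page's example range.

```python
# Added illustration of SAME-style source selection (not the patch's code).
from ipaddress import IPv4Address
from typing import List


def expand_ranges(spec: str) -> List[int]:
    """'1.2.3.4-1.2.3.7,1.2.3.20' -> ordered list of candidate addresses,
    covering multi-address and 1-address ranges."""
    addrs: List[int] = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        first = int(IPv4Address(lo))
        last = int(IPv4Address(hi)) if hi else first
        if last < first:
            raise ValueError(f"range {part} runs backwards")
        addrs.extend(range(first, last + 1))
    return addrs


def choose_source(ranges: str, src: str, dst: str, nodst: bool = False) -> str:
    """Pick the SNAT source for a (src, dst) pair. Equal inputs always yield
    the same address; with nodst the destination plays no part, so one
    client maps to one address whatever it talks to."""
    pool = expand_ranges(ranges)
    key = int(IPv4Address(src))             # assumed formula: src [+ dst] mod pool size
    if not nodst:
        key += int(IPv4Address(dst))
    return str(IPv4Address(pool[key % len(pool)]))


def demo() -> dict:
    """One client talking to two servers, with and without --nodst."""
    ranges = "1.2.3.4-1.2.3.7"
    client = "10.9.8.7"
    return {
        "dst1": choose_source(ranges, client, "192.0.2.1"),
        "dst2": choose_source(ranges, client, "192.0.2.2"),
        "nodst1": choose_source(ranges, client, "192.0.2.1", nodst=True),
        "nodst2": choose_source(ranges, client, "192.0.2.2", nodst=True),
        "multi": choose_source("1.2.3.4-1.2.3.7,1.2.3.20", client,
                               "192.0.2.1", nodst=True),
    }
```

Without `--nodst` the same client can show up under different source addresses at different servers, which is worth knowing when correlating logs across hosts; with it, the client is pinned to one address.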

time [time.patch] [time.patch.config.in] [time.patch.configure.help] [time.patch.help] [time.patch.makefile]
Author: Fabrice MARIE <fabrice@celestix.com>
Status: It Works For Me.

This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
This match allows you to filter based on the packet arrival time
(arrival time at the machine which the netfilter is running on) or
departure time (for locally generated packets).

Supported options are:
--timestart HH:MM
  The starting point of the time match frame.

--timestop HH:MM
  The stopping point of the time match frame

--days Tue,Mon...
  Days of the week to match, separated by a comma, no space
  (one of Sun,Mon,Tue,Wed,Thu,Fri,Sat)

Example:
  -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
  will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
  to Friday.

  -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --days Mon
  will match the packets (locally generated) that have a departure timestamp
  in the range 8:00->18:00 on Monday only.

TTL [TTL.patch] [TTL.patch.config.in] [TTL.patch.configure.help] [TTL.patch.help] [TTL.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: Stable, needs new checksum handling

This adds CONFIG_IP_NF_TARGET_TTL option, which enables the user
to set the TTL value of an IP packet or to increment / decrement it 
by a given value.


Generated Fri Apr 26 15:00:50 EDT 2002 by pomlist version 0.2.1.