ipv4 patches

[0-newnat13] [conntrack] [dscp] [DSCP] [ownercmd] [pkttype]

ipv6 patches

[ipv6-agr] [length]

pending

pending depends on: submitted

Patches pending for kernel inclusion (about to be submitted)


0-newnat13 [0-newnat13.patch] [0-newnat13.patch.help]
Author: Harald Welte <laforge@gnumonks.org>, 
	Jozsef Kadlecsik 
Status: Pending for kernel inclusion

Implementation of the new NAT API for kernel 2.4.18 and above.

- enables us to have multiple related expectations
  (necessary for H.323, real IRC and PPTP tracking, ...)
- allows expectations to have timeouts
- adds full SACK support to the NAT code (we no longer strip the
  SACKPERM option out of all SYN packets for ftp/irc connections)


conntrack [conntrack.patch] [conntrack.patch.config.in] [conntrack.patch.configure.help] [conntrack.patch.help] [conntrack.patch.makefile]
Author: Marc Boucher <marc+nf@mbsi.ca>
Status: Works For Me.

This is a general conntrack match module, a superset of the state match.
(Kernel 2.4.18-pre4 or higher is required)

It allows matching on additional conntrack information, which is
useful in complex configurations, such as NAT gateways with multiple
internet links or tunnels.

It presently supports the following options:


conntrack match v1.2.4 options:
 [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|SNAT|DNAT][,...]
                                State(s) to match
 [!] --ctproto  proto           Protocol to match; by number or name, eg. `tcp'
     --ctorigsrc  [!] address[/mask]
                                Original source specification
     --ctorigdst  [!] address[/mask]
                                Original destination specification
     --ctreplsrc  [!] address[/mask]
                                Reply source specification
     --ctrepldst  [!] address[/mask]
                                Reply destination specification
 [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED][,...]
                                Status(es) to match
 [!] --ctexpire  time[:time]    Match remaining lifetime in seconds against
                                value or range of values (inclusive)


The "new" SNAT and DNAT states are virtual ones: they match if the original
source address differs from the reply destination (SNAT), or if the original
destination differs from the reply source (DNAT).
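To make the semantics of the options above concrete, here is an added Python model (not part of the conntrack patch or of this page) of how the match evaluates an entry: the virtual SNAT/DNAT states are derived purely by comparing the original and reply tuples, --ctstate hits if any listed state is present, --ctexpire is an inclusive range, and the address options take address[/mask]. The entry layout, the two constructed sample connections (RFC 5737 documentation addresses) and the --ctstatus handling (NONE is not modelled) are assumptions for the example, not the patch's own data structures.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pair:
    """Source/destination addresses of one direction of a connection (ports omitted)."""
    src: str
    dst: str


@dataclass(frozen=True)
class Conntrack:
    """The subset of a conntrack entry that the match options look at (assumed layout)."""
    orig: Pair            # original direction, as sent by the initiator
    reply: Pair           # reply direction, as sent by the responder
    state: str            # NEW, ESTABLISHED, RELATED or INVALID
    status: frozenset     # subset of {EXPECTED, SEEN_REPLY, ASSURED}
    expire: int           # remaining lifetime in seconds


def virtual_nat_states(ct):
    """SNAT/DNAT are not stored flags: they are derived by comparing the two tuples."""
    states = set()
    if ip_address(ct.orig.src) != ip_address(ct.reply.dst):
        states.add("SNAT")   # the source address was rewritten on the way out
    if ip_address(ct.orig.dst) != ip_address(ct.reply.src):
        states.add("DNAT")   # the destination address was rewritten on the way in
    return states


def match_ctstate(ct, wanted, invert=False):
    """--ctstate: any listed state hits; a leading '!' inverts the whole result."""
    have = {ct.state} | virtual_nat_states(ct)
    return bool(have & set(wanted)) != invert


def match_ctstatus(ct, wanted, invert=False):
    """--ctstatus: any listed status bit hits (NONE is not modelled here)."""
    return bool(set(ct.status) & set(wanted)) != invert


def match_ctexpire(ct, spec, invert=False):
    """--ctexpire time[:time]: remaining lifetime inside an inclusive range."""
    lo, _, hi = spec.partition(":")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return (lo <= ct.expire <= hi) != invert


def match_ctaddr(addr, spec, invert=False):
    """--ctorigsrc/--ctorigdst/--ctreplsrc/--ctrepldst address[/mask]."""
    return (ip_address(addr) in ip_network(spec, strict=False)) != invert


# Constructed sample entries (documentation addresses, not captured traffic).
# A LAN host masqueraded behind gateway 198.51.100.1 talking to a web server:
MASQ_CT = Conntrack(orig=Pair("192.168.1.10", "203.0.113.5"),
                    reply=Pair("203.0.113.5", "198.51.100.1"),
                    state="ESTABLISHED",
                    status=frozenset({"SEEN_REPLY", "ASSURED"}),
                    expire=120)
# An inbound connection port-forwarded from the gateway to an internal server:
PORTFWD_CT = Conntrack(orig=Pair("198.51.100.7", "198.51.100.1"),
                       reply=Pair("192.168.1.20", "198.51.100.7"),
                       state="NEW",
                       status=frozenset(),
                       expire=30)

if __name__ == "__main__":
    for name, ct in (("masquerade", MASQ_CT), ("port-forward", PORTFWD_CT)):
        print(name, sorted(virtual_nat_states(ct)),
              "ctstate SNAT,DNAT:", match_ctstate(ct, ["SNAT", "DNAT"]))
```

The useful point for rule writers is visible in `virtual_nat_states`: a masqueraded outbound connection shows SNAT only, a port-forwarded inbound one shows DNAT only, so `--ctstate DNAT` in FORWARD picks out exactly the traffic that was redirected by a nat rule, independent of interface or address lists.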

dscp [dscp.patch] [dscp.patch.config.in] [dscp.patch.configure.help] [dscp.patch.help] [dscp.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: Pending for kernel inclusion.

This adds CONFIG_IP_NF_MATCH_DSCP option, which allows matching against
the DSCP (formerly called TOS) field within the IPv4 packet.


DSCP [DSCP.patch] [DSCP.patch.config.in] [DSCP.patch.configure.help] [DSCP.patch.help] [DSCP.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>,
        Matthew G. Marsh 
Status: Pending for kernel inclusion.

This adds CONFIG_IP_NF_TARGET_DSCP option, which allows setting the
DSCP (formerly called TOS) field within the packet to any value between 
0x0 and 0x4f.


ipv6-agr [ipv6-agr.patch.ipv6] [ipv6-agr.patch.ipv6.config.in] [ipv6-agr.patch.ipv6.configure.help] [ipv6-agr.patch.ipv6.help] [ipv6-agr.patch.ipv6.makefile]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: It worked w/o problems

  This module performs a check on the IPv6 source address:
  it compares the last 64 bits with the EUI-64 address (derived
  from the MAC address).

 Example:
  ip6tables -N ipv6ok
  ip6tables -A INPUT -m eui64 -j ipv6ok
  ip6tables -A INPUT -s ! 3FFE:2F00:A0::/64 -j ipv6ok
  ip6tables -A INPUT -j LOG
  ip6tables -A ipv6ok -j ACCEPT


length [length.patch.ipv6] [length.patch.ipv6.config.in] [length.patch.ipv6.configure.help] [length.patch.ipv6.help] [length.patch.ipv6.makefile]
Author: Imran Patel <ipatel@crosswinds.net>, shamelessly adapted from the
	IPv4 match written by James Morris
Status: Should Work.

This module is used for matching the total length of an IPv6  
datagram (including the IPv6 header + extension headers, if any) 
against a specific value or inclusive range of values.  To specify
a single value, use the following form:

 --length   followed by an optional `!', then the
            value, ranging from 0 to 65535 (may also be specified in hex
            format).

When specifying a range of values, the first value is taken as the
minimum length and the second value is taken as the maximum length:

 --length  followed by an optional `!', then the
           values in the form of min:max.  Values may range from 0 to 65535
           but the minimum value cannot be greater than the maximum value.

Examples:

# ip6tables -A FORWARD -p udp -m length --length 85:0xffff -j DROP
# ip6tables -A FORWARD -p udp -m length --length ! :84 -j DROP
(both do exactly the same thing)

If a range value is missing, its value
is implied: zero for minimum and 0xffff for maximum.
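As an added illustration (not code from the length patch or from this page), the following Python reproduces the parsing rules just described: an optional `!`, a single value or a `min:max` range, decimal or hex values, the implied 0 and 0xffff for a missing range end, and rejection of a minimum above the maximum. It also derives the total datagram length from a constructed IPv6 header (40-byte fixed header plus the Payload Length field, which already includes extension headers) and checks that the two example rules above really accept the same set of lengths. The function names and the sample packet are assumptions for the example.

```python
from ipaddress import ip_address

MAX_LEN = 0xFFFF  # values and ranges are bounded to 0..65535


def parse_length(spec):
    """Parse '[!] value' or '[!] [min]:[max]' into (invert, lo, hi)."""
    tokens = spec.split()
    invert = False
    if tokens and tokens[0] == "!":
        invert = True
        tokens = tokens[1:]
    if len(tokens) != 1:
        raise ValueError("expected one value or range after --length")
    value = tokens[0]
    if ":" in value:
        lo_s, hi_s = value.split(":", 1)
        lo = int(lo_s, 0) if lo_s else 0          # missing minimum -> 0
        hi = int(hi_s, 0) if hi_s else MAX_LEN    # missing maximum -> 0xffff
    else:
        lo = hi = int(value, 0)                   # int(x, 0) accepts decimal or 0x.. hex
    if not (0 <= lo <= MAX_LEN and 0 <= hi <= MAX_LEN):
        raise ValueError("length values must be in 0..65535")
    if lo > hi:
        raise ValueError("minimum length cannot be greater than maximum length")
    return invert, lo, hi


def ipv6_total_length(packet):
    """Total datagram length = 40-byte fixed header + Payload Length (bytes 4-5).

    Payload Length already counts any extension headers, so no header walk is needed.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    return 40 + int.from_bytes(packet[4:6], "big")


def length_matches(total_length, spec):
    """Evaluate one --length spec against a datagram length."""
    invert, lo, hi = parse_length(spec)
    return (lo <= total_length <= hi) != invert


def same_rule(spec_a, spec_b):
    """True if two --length specs accept exactly the same set of lengths."""
    return all(length_matches(n, spec_a) == length_matches(n, spec_b)
               for n in range(MAX_LEN + 1))


# Constructed 48-byte IPv6/UDP datagram: fixed header with Payload Length 8
# (next header 17 = UDP, hop limit 64), followed by an 8-byte all-zero UDP header.
SAMPLE_PKT = (bytes([0x60, 0, 0, 0])
              + (8).to_bytes(2, "big")
              + bytes([17, 64])
              + ip_address("2001:db8::1").packed
              + ip_address("2001:db8::2").packed
              + bytes(8))

if __name__ == "__main__":
    n = ipv6_total_length(SAMPLE_PKT)
    print("total length", n, "matches 85:0xffff:", length_matches(n, "85:0xffff"))
    print("'85:0xffff' == '! :84':", same_rule("85:0xffff", "! :84"))
```

`same_rule` brute-forces all 65536 possible lengths, which is cheap and is the easiest way to convince yourself (or a reviewer) that an inverted open-ended range and a plain range really are interchangeable before putting either into a DROP rule.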

ownercmd [ownercmd.patch] [ownercmd.patch.help]
Author: Marc Boucher <marc+nf@mbsi.ca>
Status: Works For Me.

This patch adds support for local process name matching
to the owner match (--cmd-owner option).

You can use this feature to filter connections forwarded by
your ssh daemon with rules like:

iptables -N CheckSSHSyns
# allow forwarded connections to rsync port on 192.168.1.1
iptables -A CheckSSHSyns -p tcp -d 192.168.1.1 --dport 873 -j RETURN
# refuse everything else
iptables -A CheckSSHSyns -j REJECT --reject-with tcp-reset

iptables -I OUTPUT -p tcp --syn -m owner --cmd-owner sshd -j CheckSSHSyns


pkttype [pkttype.patch] [pkttype.patch.config.in] [pkttype.patch.configure.help] [pkttype.patch.help] [pkttype.patch.makefile]
Author: Michal Ludvig <michal@logix.cz>
Status: It works

This patch allows you to match a packet according
to its "class", eg. BROADCAST, MULTICAST, ...

iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG


Generated Thu May 9 13:18:21 EDT 2002 by pomlist version 0.2.2.