submitted

Patches already submitted to latest kernel


DSCP [DSCP.patch] [DSCP.patch.config.in] [DSCP.patch.configure.help] [DSCP.patch.help] [DSCP.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>,
        Matthew G. Marsh 
Status: Pending for kernel inclusion.

This adds the CONFIG_IP_NF_TARGET_DSCP option, which allows setting the
DSCP (formerly called TOS) field within the packet to any value between
0x0 and 0x4f.


ECN [ECN.patch] [ECN.patch.config.in] [ECN.patch.configure.help] [ECN.patch.help] [ECN.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: Pending for kernel inclusion.
  
This option adds an `ECN' target, which can be used in the iptables mangle
table.

You can use this target to set the ECN bits in the IPv4 and TCP headers of
an IP packet.  This is particularly useful if you need to work around
existing ECN blackholes on the internet but don't want to disable
ECN support in general.

 

REJECT-dont_fragment [REJECT-dont_fragment.patch] [REJECT-dont_fragment.patch.help]
Author: David Miller <davem@redhat.com>
Status: Submitted to the kernel at 2.4.19-pre time

This patch fixes a bug in ipt_REJECT where we set the IP header's
don't-fragment (DF) bit on the REJECT-generated ICMP message.

However, there is no PMTU discovery for ICMP, so the ICMP error message
should be sent with DF cleared, so that intermediate routers are allowed
to fragment it.


REJECT_mark [REJECT_mark.patch] [REJECT_mark.patch.help]
Author: Henrik Nordstrom <hno@marasystems.com>
Status: working

Don't copy the nfmark value of the old packet into the new RST
packet when rejecting with TCP resets.

ip_route_output is not smart enough to know about nfmark routing,
and having the mark value set from the start prevents mangle OUTPUT
from rerouting the packet later.

TOS-oops-fix [TOS-oops-fix.patch] [TOS-oops-fix.patch.help]
Author: Edward Killips <etkillips@hotmail.com>
Status: Submitted for kernel inclusion

This patch fixes an Oops related to the TOS manipulation target.


ahesp-static [ahesp-static.patch] [ahesp-static.patch.help]
Author: Paul P Komkoff Jr <i@stingr.net>
Status: working

Make the init and fini functions of ipt_ah.c static.


arptables [arptables.patch] [arptables.patch.help]
Author: David Miller <davem@redhat.com>
Status: Included in kernel 2.4.19-pre4

This adds generic arptables as well as arptable_filter support to the kernel.
The patch needs netfilter-arp.patch to work.


config-cleanup [config-cleanup.patch] [config-cleanup.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted to the kernel at 2.4.18-

This patch is a cleanup of some header files and Config.in.


conntrack+nat-helper-unregister [conntrack+nat-helper-unregister.patch] [conntrack+nat-helper-unregister.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted to the kernel at 2.4.18-pre3 time

This patch fixes some minor problems that occur when
ip_{conntrack,nat}_{irc,ftp}.o are compiled as modules and
registration of the helper fails.

This is a very rare situation (somebody would have to try to
register two different helpers for the same port number).


conntrack [conntrack.patch] [conntrack.patch.config.in] [conntrack.patch.configure.help] [conntrack.patch.help] [conntrack.patch.makefile]
Author: Marc Boucher <marc+nf@mbsi.ca>
Status: Works For Me.

This is a general conntrack match module, a superset of the state match.
(Kernel 2.4.18-pre4 or higher is required)

It allows matching on additional conntrack information, which is
useful in complex configurations, such as NAT gateways with multiple
internet links or tunnels.

It presently supports the following options:

conntrack match v1.2.4 options:
 [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|SNAT|DNAT][,...]
                                State(s) to match
 [!] --ctproto  proto           Protocol to match; by number or name, eg. `tcp'
     --ctorigsrc  [!] address[/mask]
                                Original source specification
     --ctorigdst  [!] address[/mask]
                                Original destination specification
     --ctreplsrc  [!] address[/mask]
                                Reply source specification
     --ctrepldst  [!] address[/mask]
                                Reply destination specification
 [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED][,...]
                                Status(es) to match
 [!] --ctexpire  time[:time]    Match remaining lifetime in seconds against
                                value or range of values (inclusive)


The "new" SNAT and DNAT states are virtual ones, matching if the original
source address differs from the reply destination, or if the original
destination differs from the reply source.

dscp [dscp.patch] [dscp.patch.config.in] [dscp.patch.configure.help] [dscp.patch.help] [dscp.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: Pending for kernel inclusion.

This adds the CONFIG_IP_NF_MATCH_DSCP option, which allows matching against
the DSCP (formerly called TOS) field within the IPv4 packet.


ecn [ecn.patch] [ecn.patch.config.in] [ecn.patch.configure.help] [ecn.patch.help] [ecn.patch.makefile]
Author: Harald Welte <laforge@gnumonks.org>
Status: Pending for kernel inclusion.
  
This option adds an `ECN' match, which can be used to match against the
IPv4 and TCP headers' ECN bits.
 

helper [helper.patch] [helper.patch.config.in] [helper.patch.configure.help] [helper.patch.help] [helper.patch.makefile]
Author: Martin Josefsson <gandalf@wlug.westbo.se>,
	Harald Welte 
Status: Pending for inclusion after newnat

This patch adds the ipt_helper module, a new match for iptables. It adds
the capability to match packets in a dynamically allocated connection
that is related to a specific conntrack helper.

If you want to match all packets belonging to ftp data sessions
(only data connections, no control connections):

iptables -A INPUT -m helper --helper ftp -j ACCEPT

Use `irc' for IRC DCC sessions.

ip6tables-export-symbols [ip6tables-export-symbols.patch] [ip6tables-export-symbols.patch.help]
Author: Brad Chapman <kakadu@earthlink.net>
Status: Submitted for kernel inclusion

This is a bugfix for the ip6_tables code in the current ( <= 2.4.8-pre3 )
kernel source.  It fixes the situation where ip6_tables.o is statically
linked into the kernel, but some modules (matches/targets/...) want to
register with ip6_tables.


ip6tables-exthdr-bug [ip6tables-exthdr-bug.patch.ipv6] [ip6tables-exthdr-bug.patch.ipv6.help]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: Included in kernel 2.4.19

The old extension-header parsing code caused kernel Oopses with special packets.
This patch removes the old parser code and replaces it with a new one. The new
parser has passed the tests.

ip_conntrack_protocol_destroy [ip_conntrack_protocol_destroy.patch] [ip_conntrack_protocol_destroy.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Pending for kernel inclusion

This adds support for ip_conntrack_protocol_unregister(), needed if 
layer four protocol helpers (GRE, ...) are implemented as modules.


ip_conntrack_protocol_unregister [ip_conntrack_protocol_unregister.patch] [ip_conntrack_protocol_unregister.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted for kernel inclusion at 2.4.19-pre3 time

This adds support for ip_conntrack_protocol_unregister(), needed if 
layer four protocol helpers (GRE, ...) are implemented as modules.


ip_nat_irc-srcaddr-fix [ip_nat_irc-srcaddr-fix.patch] [ip_nat_irc-srcaddr-fix.patch.help]
Author: Bob Hockney <bhockney@ix.netcom.com>
Status: Submitted for kernel inclusion

The IRC NAT helper module has a small bug where it NATs the source address
of a DCC connection to the address of the IRC server instead of the other
client.  While this doesn't hurt functionality, it is nonetheless a bug and
it might confuse users who run netstat on their IRC client machine.


ipt_MIRROR-ttl [ipt_MIRROR-ttl.patch] [ipt_MIRROR-ttl.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Compiles, yet untested

This adds TTL decrementing (and checking/dropping) in case the MIRROR
target is used in INPUT or PREROUTING chains/hooks.  This is to avoid 
endless packet loops.

ipt_REJECT-checkentry [ipt_REJECT-checkentry.patch] [ipt_REJECT-checkentry.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Included in kernel 2.4.11

Minor correction to the REJECT target's checkentry function, which had a
long-standing bug that went undiscovered only because of cacheline
alignment.


ipt_unclean-ecn [ipt_unclean-ecn.patch] [ipt_unclean-ecn.patch.help]
Author: Guillaume Morin <guillaume@morinfr.org>
Status: Submitted for kernel inclusion

This fixes the unclean match to consider the ECN bits in the TCP header as
clean, rather than unclean (as it did before).

ipv6-agr [ipv6-agr.patch.ipv6] [ipv6-agr.patch.ipv6.config.in] [ipv6-agr.patch.ipv6.configure.help] [ipv6-agr.patch.ipv6.help] [ipv6-agr.patch.ipv6.makefile]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: It worked w/o problems

This module performs a check on the IPv6 source address: it compares the
last 64 bits with the EUI-64 address derived from the MAC address.

Example:
 ip6tables -N ipv6ok
 ip6tables -A INPUT -m eui64 -j ipv6ok
 ip6tables -A INPUT -s ! 3FFE:2F00:A0::/64 -j ipv6ok
 ip6tables -A INPUT -j LOG
 ip6tables -A ipv6ok -j ACCEPT


irc-dcc-mask [irc-dcc-mask.patch] [irc-dcc-mask.patch.help]
Author: Harald Welte <laforge@gnumonks.org>,
 	Jozsef Kadlecsik 
Status: Included in Linux kernel >= 2.4.18-pre9

This patch fixes an important security issue present in all Linux kernel
versions from 2.4.14 to 2.4.18-pre8.

Details of this security issue can be found at
http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html


length [length.patch.ipv6] [length.patch.ipv6.config.in] [length.patch.ipv6.configure.help] [length.patch.ipv6.help] [length.patch.ipv6.makefile]
Author: Imran Patel <ipatel@crosswinds.net>, shameless adaptation of the
	IPv4 match written by James Morris
Status: Should Work.

This module is used for matching the total length of an IPv6
datagram (including the IPv6 header plus extension headers, if any)
against a specific value or an inclusive range of values.  To specify
a single value, use the following form:

 --length   followed by an optional `!', then the
            value, ranging from 0 to 65535 (may also be specified in hex
            format).

When specifying a range of values, the first value is taken as the
minimum length and the second value is taken as the maximum length:

 --length  followed by an optional `!', then the
           values in the form min:max.  Values may range from 0 to 65535,
           but the minimum value cannot be greater than the maximum value.

Examples:

# ip6tables -A FORWARD -p udp -m length --length 85:0xffff -j DROP
# ip6tables -A FORWARD -p udp -m length --length ! :84 -j DROP
(both do exactly the same thing)

If one end of a range is missing, its value is implied: zero for the
minimum and 0xffff for the maximum.

local-nat [local-nat.patch] [local-nat.patch.config.in] [local-nat.patch.configure.help] [local-nat.patch.help]
Author: Henrik Nordstrom <hno@marasystems.com>,
 	Harald Welte 
Status: Submitted for kernel inclusion at 2.4.19-pre3 time

This adds CONFIG_IP_NF_NAT_LOCAL, which enables the user to do destination
NAT on locally-originated connections.

Locally-originated means originating on the NAT box itself.

log-tunnel-fix [log-tunnel-fix.patch.ipv6] [log-tunnel-fix.patch.ipv6.help]
Author: Andras Kis-Szabo <kisza@sch.bme.hu>
Status: Pending for kernel inclusion

When the LOG target is used with a tunnel device, it prints out the
encapsulator header instead of the MAC addresses.
This patch is a quick workaround for SIT-class devices: it prints out the
MAC addresses and the tunnel information. The offsets are hardcoded in this
patch!


macro-trailing-semicolon-fix [macro-trailing-semicolon-fix.patch] [macro-trailing-semicolon-fix.patch.help]
Author: David Miller <davem@redhat.com>
Status: Included in 2.4.19-pre3

Some macros erroneously contained a trailing semicolon. This patch removes
the trailing semicolons.


mangle5hooks [mangle5hooks.patch] [mangle5hooks.patch.help]
Author: Brad Chapman (kakadu_croc@yahoo.com)
Status: pending for kernel inclusion

This patch expands the number of registered hooks for both the IPv4 and
IPv6 versions of the iptables mangle table.
Also, like the filter table, the mangle table will accept a module
parameter to change the default verdict of the FORWARD chain at
module load time.

nat-export_symbols [nat-export_symbols.patch] [nat-export_symbols.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted to the kernel at 2.4.18-

This patch fixes some missing, unexported symbols in ip_nat_standalone.c.


nat-memoryleak-fix [nat-memoryleak-fix.patch] [nat-memoryleak-fix.patch.help]
Author: zhongyu <zhongyu@ecfounder.com>
Status: Submitted for kernel inclusion at 2.4.19-pre10 time

This fixes a memory leak in the iptable_nat load/unload code,
which caused a certain memory chunk not to be freed at module
unload time.


netfilter-arp [netfilter-arp.patch] [netfilter-arp.patch.help]
Author: Rusty Russell <rusty@rustcorp.com.au>
Status: Submitted for kernel inclusion at 2.4.19-pre3 time

This adds netfilter hooks to the ARP sender and receiver code.
An ARP tables kernel module will be published soon.


ownercmd [ownercmd.patch] [ownercmd.patch.help]
Author: Marc Boucher <marc+nf@mbsi.ca>
Status: Works For Me.

This patch adds support for local process name matching
to the owner match (--cmd-owner option).

You can use this feature to filter connections forwarded by
your ssh daemon with rules like:

iptables -N CheckSSHSyns
# allow forwarded connections to rsync port on 192.168.1.1
iptables -A CheckSSHSyns -p tcp -d 192.168.1.1 --dport 873 -j RETURN
# refuse everything else
iptables -A CheckSSHSyns -j REJECT --reject-with tcp-reset

iptables -I OUTPUT -p tcp --syn -m owner --cmd-owner sshd -j CheckSSHSyns


pkttype [pkttype.patch] [pkttype.patch.config.in] [pkttype.patch.configure.help] [pkttype.patch.help] [pkttype.patch.makefile]
Author: Michal Ludvig <michal@logix.cz>
Status: It works

This patch allows you to match packets according to their "class",
e.g. BROADCAST, MULTICAST, ...

iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

remove_no_version [remove_no_version.patch] [remove_no_version.patch.help]
Author: Rusty Russell and Keith Owens
Status: Trivial

This removes __NO_VERSION__ from 2.5; it has been obsolete since 2.3 days.


skb_clone_copy [skb_clone_copy.patch] [skb_clone_copy.patch.help]
Author: Rusty Russell <rusty@rustcorp.com.au>
Status: Included in 2.4.18-pre7

There are some problems when a raw socket holds a cloned skb of a packet
whose payload some netfilter code is modifying.

In this case, we have to use skb_copy to unshare the skb. This patch
fixes the problem.


ulog-module-unload [ulog-module-unload.patch] [ulog-module-unload.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted for kernel inclusion at 2.4.19-pre6 time

This fixes a bug which can potentially cause a kernel Oops to happen when
you unload the ipt_ULOG module.


ulog-nlgroup-shift-fix [ulog-nlgroup-shift-fix.patch] [ulog-nlgroup-shift-fix.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted for kernel inclusion at 2.4.20-pre4 time

This is another bugfix for the ipt_ULOG.c module.  Without this fix, the
module causes an Oops if an iptables rule uses the --ulog-nlgroup option
with a value > 4.

It also removes a memory leak that occurs when somebody starts throwing
packets at the ulog netlink socket (which is not a normal operation), since
the bogus netlink_rcv() function in ipt_ULOG.c didn't free the received skb.


unclean-udpchecksum [unclean-udpchecksum.patch] [unclean-udpchecksum.patch.help]
Author: Guillaume Morin
Status: Pending for kernel inclusion

This patch fixes the 'unclean' match.  Prior to this fix, the unclean
match dropped UDP packets with no checksum, but UDP checksums are not
mandatory according to the RFCs!

It also fixes the assumption that the UDP source port cannot be 0
(according to RFC 768, udp sport==0 is correct!)


z-newnat16 [z-newnat16.patch] [z-newnat16.patch.help]
Author: Harald Welte <laforge@gnumonks.org>, 
	Jozsef Kadlecsik 
Status: Submitted for 2.4.20-pre1

Implementation of the new NAT API for kernel 2.4.19-pre4 and above.

- enables us to have multiple related expectations
  (necessary for H.323, real IRC and PPTP tracking, ...)
- allows expectations to have timeouts
- adds full SACK support to the NAT code (we no longer strip the
  SACKPERM option out of all SYN packets for ftp/irc connections)


z-newnat_assertfix [z-newnat_assertfix.patch] [z-newnat_assertfix.patch.help]
Author: Martin Josefsson
Status: Submitted to the kernel at 2.4.20-pre10 time

This patch fixes some erroneously-printed ASSERT statements that appeared
when netfilter debugging was switched on.  Please note that the running
code was never wrong, just the debug macros ;)


z-newnat_changeexpect-lockfix [z-newnat_changeexpect-lockfix.patch] [z-newnat_changeexpect-lockfix.patch.help]
Author: Martin Josefsson
Status: Submitted to the kernel at 2.4.20-pre10 time

This patch fixes a locking bug in ip_conntrack_change_expect() of newnat.



Generated Mon Jan 13 19:42:34 EST 2003 by pomlist version 0.2.2.