Patches already submitted to latest kernel

Author: Harald Welte <laforge@gnumonks.org> and others.
Status: Recommended (Already in 2.4.14 and above).
This contains numerous fixes and new features:
1) new IPv6 port of owner match
2) fixes for IPv6 limit, mac and multiport matches
3) new IRC (DCC) connection tracking and NAT support
4) new SNMP NAT (ALG) support
5) new TTL match
6) new length match
7) new LOG target for IPv6
8) fix logging of ECN bits in LOG target

Author: Various Artists
Status: Included in final 2.4.18 kernel
- fixes a memory leak inside the ipchains backwards compatibility layer, which mostly occurs in combination with the ipchains redirect support.
- increases the module usage count of the ipchains backwards compatibility module as soon as you start adding rules.
- increases the module usage count of the ipfwadm backwards compatibility module as soon as you start adding rules.
- increases the module usage count of an ip table as soon as you start adding rules.
- fixes the LOG target when attempting to print the inner ip packet in icmp error messages.
- fixes nf_sockopt unregister race condition
- fixes a bug in the debugging code for ip_fw_compat.
- fixes the printout of an error message inside ip_conntrack_standalone.c
- fixes the printout of an error message in the ip6 MARK target
- fixes a bug in the REDIRECT code when the incoming interface doesn't have an IP address assigned.
- fixes a bug when NAT used in OUTPUT leads to a change in the output device, and the new output device has a smaller hardware header length
- ip_conntrack header changes so certain information is accessible to userspace

Author: Rusty Russell <rusty@rustcorp.com.au> and others.
Status: Recommended (Already in 2.4.4 and above).
This contains numerous fixes:
1) FTP cleanup:
   o Fixes for bugtraq-announced FTP security problems.
   o Understanding of EPSV and EPRT FTP extensions.
   o Servers with unusual PASV responses are supported.
   o FTP connection tracking and NAT on unusual ports.
   o Core "helper" code moved to ip_nat_helper.c.
2) NAT now doesn't drop untracked packets (e.g. multicast, nmap, etc).
3) SMP race with connection tracking is fixed.
4) NAT now spreads more evenly, if given a range of IP addresses.
5) Masquerading now cooperates with diald better.
6) DNAT and SNAT rules can only be inserted in the "nat" table.
7) mtr through a connection tracking box will no longer drop 90% of packets.
8) Reloading the iptable_nat module won't get old, stale NAT information.
9) First packet of a connection is seen by the helper functions.
10) "hashsize" parameter to ip_conntrack module.

Author: Yon Uriarte <yon@astaro.de>
Status: Included in 2.4.18-pre7
This adds CONFIG_IP_NF_MATCH_AH_ESP, which supplies two match extensions (`ah' and `esp') that allow you to match a range of SPIs inside the AH or ESP headers of IPsec packets.

Author: David Miller <davem@redhat.com>
Status: Included in kernel 2.4.19-pre4
This adds generic arptables as well as arptable_filter support into the kernel. The patch needs netfilter-arp.patch to work...

Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted to the kernel at 2.4.18-
This patch is a cleanup to some header files and Config.in.

Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted to the kernel at 2.4.18-pre3 time
This patch fixes some minor problems when ip_{conntrack,nat}_{irc,ftp}.o are compiled as a module and registration of the helper fails. This is very rare (somebody would have to try to register two different helpers for the same port number).

Author: Brad Chapman <kakadu@earthlink.net>
Status: Submitted for kernel inclusion
This is a bugfix for the ip6_tables code in the current ( <= 2.4.8-pre3 ) kernel source. It fixes the situation where ip6_tables.o is statically linked into the kernel, but some modules (matches/targets/...) want to register with ip6_tables.

Author: Harald Welte <laforge@gnumonks.org>
Status: Included in kernel 2.4.13
Fix a potentially exploitable bug with MAC address matching in IPv6 and very small packets.

Author: Harald Welte <laforge@gnumonks.org>
Status: Pending for kernel inclusion
This adds support for ip_conntrack_protocol_unregister(), needed if layer four protocol helpers (GRE, ...) are implemented as modules.

Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted for kernel inclusion at 2.4.19-pre3 time
This adds support for ip_conntrack_protocol_unregister(), needed if layer four protocol helpers (GRE, ...) are implemented as modules.

Author: Bob Hockney <bhockney@ix.netcom.com>
Status: Submitted for kernel inclusion
The IRC NAT helper module has a small bug where it NATs the source address of a DCC connection to the address of the IRC server instead of the other client. While this doesn't hurt functionality, it is nonetheless a bug and it might confuse users who do a netstat on their IRC client machine.

This is a patch needed to queue IPv6 packets via NETLINK to user space with the QUEUE target.
(C) Fernando Anton 2001, IPv64 Project - work based on the IPv64 draft by Arturo Azcorra.
Universidad Carlos III de Madrid
Universidad Politecnica de Alcala de Henares
email: fanton@it.uc3m.es
Status: experimental, pending

Author: Harald Welte <laforge@gnumonks.org>
Status: Included in kernel 2.4.11
Fix a potentially exploitable bug with MAC address matching and very small packets.

Author: Harald Welte <laforge@gnumonks.org>
Status: Compiles, yet untested
This adds TTL decrementing (and checking/dropping) in case the MIRROR target is used in INPUT or PREROUTING chains/hooks. This is to avoid endless packet loops.

Author: Harald Welte <laforge@gnumonks.org>
Status: Included in kernel 2.4.11
Minor correction to the REJECT target's checkentry function, which had a long-standing bug that had gone unnoticed only because of cacheline alignment.

Author: Guillaume Morin <guillaume@morinfr.org>
Status: Submitted for kernel inclusion
This fixes the unclean match to consider ECN bits in the TCP header as clean, rather than unclean (as it was before).

Author: Harald Welte <laforge@gnumonks.org>, Jozsef Kadlecsik
Status: Included in Linux kernel >= 2.4.18-pre9
This patch fixes an important security issue present in all Linux kernel versions from 2.4.14 to 2.4.18-pre8. Details of this security issue can be found at http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html

Author: Henrik Nordstrom <hno@marasystems.com>, Harald Welte
Status: Submitted for kernel inclusion at 2.4.19-pre3 time
This adds CONFIG_IP_NF_NAT_LOCAL, which enables the user to do destination NAT on locally-originated connections. Locally-originated means originating on the NAT box itself.

Author: David Miller <davem@redhat.com>
Status: Included in 2.4.19-pre3
Some macros erroneously contained a trailing semicolon. This patch removes the trailing semicolons.

Author: Brad Chapman (kakadu_croc@yahoo.com)
Status: pending for kernel inclusion
This patch expands the number of registered hooks for both the IPv4 and IPv6 versions of the iptables mangle table. Also, like the filter table, the table will accept a module parameter to change the verdict of the FORWARD chain upon module load.

Author: The core linux hackers
Status: Included in kernel 2.4.10
This patch adds a new macro called MODULE_LICENSE to the kernel. You will need this patch if you have a kernel < 2.4.10 and want to use any of the patches of patch-o-matic. Please say yes, it won't hurt anything :)

Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted to the kernel at 2.4.18-
This patch fixes some symbols in ip_nat_standalone.c that had been missed and were not exported.

Author: Rusty Russell <rusty@rustcorp.com.au>
Status: Submitted for kernel inclusion at 2.4.19-pre3 time
This adds netfilter hooks to the ARP sender and receiver code. An ARP tables kernel module will be published soon.

Author: unknown
Status: In kernel since 2.4.17
This patch is not really a netfilter patch, but updates your netlink.h file in order to comply with the ulog patch. It's safe to apply this patch all the time - and it's needed by ulog.patch.
NOTE: this patch is not needed (and will not apply) on kernels >= 2.4.18

Author: David Miller <davem@redhat.com>
Status: Submitted to the kernel at 2.4.19-pre time
This patch fixes a bug in ipt_REJECT where we set the IP header's don't fragment bit for the REJECT-generated ICMP message. However, there is no PMTU discovery with ICMP - we should just send the ICMP error message with DF cleared, so intermediate routers are allowed to fragment.

Author: Guillaume Morin <guillaume@morinfr.org>
Status: Included in kernel 2.4.10
This patch fixes a bug in the SACKPERM delete function of netfilter. The previous code replaced SACKPERM with 00 (== end of options) instead of 01 (== NOOP). Yes, as discussed on netdev, the right thing is to make netfilter deal with SACK correctly. But until the code for this is in place and tested, we still need to delete the SACKPERM option... and we should do it correctly.

Author: Rusty Russell <rusty@rustcorp.com.au>
Status: Included in 2.4.18-pre7
There are some problems when a raw socket has a cloned skb of a packet where some netfilter code is doing packet payload modification. In this case, we have to use skb_copy to unshare the skb. This patch fixes the problem.

Author: Marc Boucher
Status: Included in kernel 2.4.4
This patch adds the CONFIG_IP_NF_TARGET_TCPMSS and CONFIG_IP_NF_MATCH_TCPMSS options, which allow you to examine and alter the MSS value of TCP SYN packets, to control the maximum size for that connection. THIS IS A HACK, used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets.
Typical usage:
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Author: Edward Killips <etkillips@hotmail.com>
Status: Submitted for kernel inclusion
This patch fixes an Oops related to the TOS manipulation target.

Author: Harald Welte <laforge@gnumonks.org>
Status: Submitted for kernel inclusion at 2.4.19-pre6 time
This fixes a bug which can potentially cause a kernel Oops when you unload the ipt_ULOG module.

Author: Harald Welte <laforge@gnumonks.org>
Status: Quite stable, as I didn't receive a single bug report for months
This adds the CONFIG_IP_NF_TARGET_ULOG option, which supplies a more advanced packet logging mechanism than the standard LOG target. The libiptulog/ directory contains a library for receiving the ULOG messages. See http://www.gnumonks.org/projects/ulogd for more information.

Generated Thu May 9 13:18:22 EDT 2002 by pomlist version 0.2.2.