userspace depends on: submitted pending base extra
Patches which need to patch userspace iptables. Use with caution.
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: It Works For Me.

Adds the possibility to send icmp-unreachable messages from a fake source IP address. The original destination of the packet will be used as the source of the icmp-unreach. To make the icmp-unreach appear to come from the destination host:

  # iptables -A FORWARD -p tcp -d 202.156.58.0/24 --dport domain -j REJECT --fake-source
  # iptables --list
  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination
  REJECT     tcp  --  anywhere             202.156.58.0/24      tcp dpt:domain reject-with icmp-port-unreachable source-faked

***** WARNING *****
This patch also patches the userspace directory, which means that you have to recompile and reinstall the iptables package after applying it.
Author: Fabrice MARIE <fabrice@netfilter.org>
Status: Works For Me.

This patch adds support for matching the nfmark bitwise (and & or). For example, to test if the second bit of nfmark is set:

  # iptables -t mangle -A PREROUTING -p icmp -m mark --markand 0x2/0x2 -j ACCEPT

I'm sure you will find a use for the OR bitwise operation as well :)

  # iptables -t mangle -A PREROUTING -p icmp -m mark --markor 0x7/0x1 -j ACCEPT

***** WARNING *****
This patch also patches the userspace directory, which means that you have to recompile and reinstall the iptables package after applying it.
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Status: Testing.

This patch adds a new table called 'raw' with two new targets, 'NOTRACK' and 'TRACE', to netfilter/iptables (plus some modifications). The raw table is the very first in netfilter (it even precedes the conntrack subsystem) and uses the PREROUTING and OUTPUT built-in chains.

The TRACE target can be used to trace how the packet "flows through" your tables and rules. When a packet marked with the TRACE target matches any rule, the system logs the packet with the following prefix:

  TRACE: tablename/chainname/rulenum packet

The internal logging functionality relies on the available "backend" logging modules (ipt_LOG or ipt_ULOG). You must load at least one of the logging modules. If both modules are loaded, then by default ipt_LOG generates the internal logging, which can be overridden by the module parameter 'takeover' of the ipt_ULOG module:

  modprobe ipt_ULOG takeover=1

The NOTRACK target can be used to select which packets should *not* enter the conntrack/NAT subsystems. Please keep in mind: if you mark a packet with NOTRACK, then
 - all the conntrack functionality is lost for the packet (ICMP error tracking, protocol helpers, etc.)
 - all the NAT functionality is also lost.

Packets marked with NOTRACK can be matched by the 'UNTRACKED' state.

Example:

  # Very busy webserver
  iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j NOTRACK
  iptables -t raw -A PREROUTING -s 1.2.3.4 -p tcp --sport 80 -j NOTRACK
  ...
  # filter rules
  iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Status: Testing.

This patch adds a new table called 'raw' with a new target called 'TRACE' to netfilter/iptables (plus some modifications). The raw table is the very first in netfilter and uses the PREROUTING and OUTPUT built-in chains.

The TRACE target can be used to trace how the packet "flows through" your tables and rules. When a packet marked with the TRACE target matches any rule, the system logs the packet with the following prefix:

  TRACE: tablename/chainname/rulenum packet

The internal logging functionality relies on the available "backend" logging module (ip6t_LOG). You must load the logging module, otherwise no log will be generated.
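The two TRACE entries above describe the log prefix but not how to read a trace back out of the kernel log. The following is an added example, not code from the patches or from netfilter: it parses lines carrying the "TRACE: tablename/chainname/rulenum" prefix and reconstructs the ordered table/chain/rule path each packet took. The packet text after the prefix is assumed to be the usual ipt_LOG key=value fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=); the sample log lines are constructed, not real captures.

```python
import re
from typing import Dict, List, Optional, Tuple

# Prefix layout from the patch description: "TRACE: tablename/chainname/rulenum packet".
# Everything after the rulenum is treated as the packet text (assumed ipt_LOG key=value fields).
TRACE_RE = re.compile(
    r"TRACE:\s*(?P<table>[^/\s]+)/(?P<chain>[^/\s]+)/(?P<rule>\d+)\s*(?P<packet>.*)"
)

def parse_trace_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one kernel log line carrying a TRACE prefix; return None for other lines."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    # Split the packet text into key=value fields; tokens without '=' are ignored.
    fields = dict(kv.split("=", 1) for kv in m.group("packet").split() if "=" in kv)
    return {"table": m.group("table"), "chain": m.group("chain"),
            "rule": int(m.group("rule")), "fields": fields}

def flow_key(fields: Dict[str, str]) -> Tuple[Optional[str], ...]:
    """5-tuple used to group the several TRACE lines one packet produces."""
    return tuple(fields.get(k) for k in ("SRC", "DST", "PROTO", "SPT", "DPT"))

def trace_paths(lines: List[str]) -> Dict[Tuple[Optional[str], ...], List[str]]:
    """Return, per flow 5-tuple, the ordered list of table/chain/rule hops seen in the log."""
    paths: Dict[Tuple[Optional[str], ...], List[str]] = {}
    for line in lines:
        rec = parse_trace_line(line)
        if rec is None:
            continue
        hop = f"{rec['table']}/{rec['chain']}/{rec['rule']}"
        paths.setdefault(flow_key(rec["fields"]), []).append(hop)
    return paths

# Constructed sample log (hypothetical): one HTTP packet seen in raw, mangle and filter,
# plus an unrelated line that must be skipped.
SAMPLE_LOG = """\
kernel: TRACE: raw/PREROUTING/2 IN=eth0 OUT= SRC=10.0.0.5 DST=1.2.3.4 PROTO=TCP SPT=40000 DPT=80
kernel: TRACE: mangle/PREROUTING/1 IN=eth0 OUT= SRC=10.0.0.5 DST=1.2.3.4 PROTO=TCP SPT=40000 DPT=80
kernel: TRACE: filter/FORWARD/1 IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=1.2.3.4 PROTO=TCP SPT=40000 DPT=80
kernel: something unrelated
"""

if __name__ == "__main__":
    for key, hops in trace_paths(SAMPLE_LOG.splitlines()).items():
        print(key, " -> ".join(hops))
```

Because the rulenum is logged for every rule a traced packet matches, the reconstructed hop list shows which table and chain handled the packet first, which is the point of the raw table preceding conntrack.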
Generated Mon Jan 13 19:42:34 EST 2003 by pomlist version 0.2.2.