- 2.4.14 [2.4.14.patch] [2.4.14.patch.help]
-
Author: Harald Welte <[email protected]> and others.
Status: Recommended (Already in 2.4.14 and above).
This contains numerous fixes and new features:
1) new IPv6 port of owner match
2) fixes for IPv6 limit, mac and multiport matches
3) new IRC (DCC) connection tracking and NAT support
4) new SNMP NAT (ALG) support
5) new TTL match
6) new length match
7) new LOG target for IPv6
8) fix logging of ECN bits in LOG target
- 2.4.18 [2.4.18.patch] [2.4.18.patch.help]
-
Author: Various Artists
Status: Included in final 2.4.18 kernel
- fixes a memory leak inside the ipchains backwards compatibility layer,
which mostly occurs in combination with the ipchains redirect support.
- increases the module usage count of the ipchains backwards compatibility
module as soon as you start adding rules.
- increases the module usage count of the ipfwadm backwards compatibility
module as soon as you start adding rules.
- increases the module usage count of an ip table as soon as you start
adding rules.
- fixes the LOG target when attempting to print the inner ip packet in
icmp error messages.
- fixes nf_sockopt unregister race condition
- fixes a bug in the debugging code for ip_fw_compat.
- fixes the printout to an error message inside ip_conntrack_standalone.c
- fixes the printout of an error message the ip6 MARK target
- fixes a bug in the REDIRECT code when the incoming interface doesn't have an
IP address assigned.
- fixes bug when NAT used in OUTPUT leads to a change in the output device,
and the new output device has a smaller hardware header length
- ip_conntrack header changes so certain information is accessible to
userspace
- 2.4.4 [2.4.4.patch] [2.4.4.patch.help]
-
Author: Rusty Russell <[email protected]> and others.
Status: Recommended (Already in 2.4.4 and above).
This contains numerous fixes:
1) FTP cleanup:
o Fixes for bugtraq-announced FTP security problems.
o Understanding of EPSV and EPRT FTP extensions.
o Servers with unusual PASV responses are supported.
o FTP connection tracking and NAT on unusual ports.
o Core "helper" code moved to ip_nat_helper.c.
2) NAT now doesn't drop untracked packets (eg. multicast, nmap, etc).
3) SMP race with connection tracking is fixed.
4) NAT now spreads more evenly, if given a range of IP addresses.
5) Masquerading now cooperates with diald better.
6) DNAT and SNAT rules can only be inserted in the "nat" table.
7) mtr through a connection tracking box will no longer drop 90% of packets.
8) Reloading the iptable_nat module won't get old, stale NAT information.
9) First packet of a connection is seen by the helper functions.
10) "hashsize" parameter to ip_conntrack module.
- ah-esp [ah-esp.patch] [ah-esp.patch.config.in] [ah-esp.patch.configure.help] [ah-esp.patch.help] [ah-esp.patch.makefile]
-
Author: Yon Uriarte <[email protected]>
Status: Included in 2.4.18-pre7
This adds CONFIG_IP_NF_MATCH_AH_ESP, which supplies two match
extensions (`ah' and `esp') allow you to match a range of SPIs inside
AH or ESP headers of IPSec packets.
- arptables [arptables.patch] [arptables.patch.help]
-
Author: David Miller <[email protected]>
Status: Included in kernel 2.4.19-pre4
This adds generic arptables as well as arptable_filter support into the kernel.
The patch needs netfilter-arp.patch to work...
- config-cleanup [config-cleanup.patch] [config-cleanup.patch.help]
-
Author: Harald Welte <[email protected]>
Status: Submitted to the kernel at 2.4.18-
This patch is a cleanup to some header files and Config.in
- conntrack+nat-helper-unregister [conntrack+nat-helper-unregister.patch] [conntrack+nat-helper-unregister.patch.help]
-
Author: Harald Welte <[email protected]>
Status: Submitted to the kernel at 2.4.18-pre3 time
This is a patch fixing some minor problems when
ip_{conntrack,nat}_{irc,ftp}.o are compiled as a module, and
registration of the helper fails.
This is a very rare occasion (somebody would have to try to
register two different helpers for the same port number).
- ip6tables-export-symbols [ip6tables-export-symbols.patch] [ip6tables-export-symbols.patch.help]
-
Author: Brad Chapman <[email protected]>
Status: Submitted for kernel inclusion
This is a bugfix for the ip6_tables code in the current ( <= 2.4.8-pre3 )
kernel source. It fixes the situation, where ip6_tables.o is statically
linked into the kernel, but some modules (matches/targets/...) want to
register with ip6_tables.
- ip6t_mac-fix [ip6t_mac-fix.patch.ipv6] [ip6t_mac-fix.patch.ipv6.help]
-
Author: Harald Welte <[email protected]>
Status: Included in kernel 2.4.13
Fix a potentially exploitable bug with mac address matching
in IPv6 and very small packets
- ip_conntrack_protocol_destroy [ip_conntrack_protocol_destroy.patch] [ip_conntrack_protocol_destroy.patch.help]
-
Author: Harald Welte <[email protected]>
Status: Pending for kernel inclusion
This adds support for ip_conntrack_protocol_unregister(), needed if
layer four protocol helpers (GRE, ...) are implemented as modules.
- ip_conntrack_protocol_unregister [ip_conntrack_protocol_unregister.patch] [ip_conntrack_protocol_unregister.patch.help]
-
Author: Harald Welte <[email protected]>
Status: Submitted for kernel inclusion at 2.4.19-pre3 time
This adds support for ip_conntrack_protocol_unregister(), needed if
layer four protocol helpers (GRE, ...) are implemented as modules.
- ip_nat_irc-srcaddr-fix [ip_nat_irc-srcaddr-fix.patch] [ip_nat_irc-srcaddr-fix.patch.help]
-
Author: Bob Hockney <[email protected]>
Status: Submitted for kernel inclusion
The IRC nat helper module has a small bug where it NAT's the source address
of a DCC connection to the address of the IRC server instead of the other
client. While this doesn't hurt functionality, it is nonetheless a bug and
it might confuse users who do a netstat on their IRC client machine.
- ipqueue [ipqueue.patch.ipv6] [ipqueue.patch.ipv6.configure.help] [ipqueue.patch.ipv6.help] [ipqueue.patch.ipv6.makefile]
-
This is a patch needed to queue IPv6 packets via
NETLINK to user space with the QUEUE target.
(C) Fernando Anton 2001
IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
Universidad Carlos III de Madrid
Universidad Politecnica de Alcala de Henares
email: [email protected]
Status: experimental, pending
- ipt_mac-fix [ipt_mac-fix.patch] [ipt_mac-fix.patch.help]
-
Author: Harald Welte <[email protected]>
Status: Included in kernel 2.4.11
Fix a potentially exploitable bug with mac address matching
and very small packets
- ipt_MIRROR-ttl [ipt_MIRROR-ttl.patch] [ipt_MIRROR-ttl.patch.help]
-
Author: Harald Welte <[email protected]>
Status: Compiles, yet untested
This adds TTL decrementing (and checking/dropping) in case the MIRROR
target is used in INPUT or PREROUTING chains/hooks. This is to avoid
endless packet loops.
- ipt_REJECT-checkentry [ipt_REJECT-checkentry.patch] [ipt_REJECT-checkentry.patch.help]
-
Author: Harald Welte <[email protected]>
Status: Included in kernel 2.4.11
Minor correction to the REJECT target's checkentry function, which had a
long-term undiscovered bug which was undiscovered because of cacheline
alignment only.
- ipt_unclean-ecn [ipt_unclean-ecn.patch] [ipt_unclean-ecn.patch.help]
-
Author: Guillaume Morin <[email protected]>
Status: Submitted for kernel inclusion
This fixes the unclean match to consider ECN bits in tcp header as clean,
rather than unclean (as it was before).
- irc-dcc-mask [irc-dcc-mask.patch] [irc-dcc-mask.patch.help]
-
Author: Harald Welte <[email protected]>,
Jozsef Kadlecsik
Status: Included in linux kernel >= 2.4.18-pre9
This patch fixes an important security issue present in all linux kernel
versions from 2.4.14 to 2.4.18-pre8.
Details of this security issue can be found at
http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html
- local-nat [local-nat.patch] [local-nat.patch.config.in] [local-nat.patch.configure.help] [local-nat.patch.help]
-
Author: Henrrik Nordstrom <[email protected]>,
Harald Welte
Status: Submitted for kernel inclusion at 2.4.19-pre3 time
This adds CONFIG_IP_NF_NAT_LOCAL, which enables the user to do destination
NAT on locally-originated connections.
Locally-originating means originating on the nat box itself.
- macro-trailing-semicolon-fix [macro-trailing-semicolon-fix.patch] [macro-trailing-semicolon-fix.patch.help]
-
Author: David Miller <[email protected]>
Status: Included in 2.4.19-pre3
Some macros erroneously contained a trailing semicolon. This patch removes
the trailing semicolons.
- mangle5hooks [mangle5hooks.patch] [mangle5hooks.patch.help]
-
Author: Brad Chapman ([email protected])
Status: pending for kernel inclusion
This patch expands the number of registered hooks for
both the IPv4 and IPv6 versions of the iptables mangle
table.
Also, like the filter table, the table will accept a module
parameter to change the verdict of the FORWARD chain upon
module load.
- module-license [module-license.patch] [module-license.patch.help]
-
Author: The core linux hackers
Status: Included in kernel 2.4.10
This patch adds a new macro called MODULE_LICENSE to the kernel.
You will need this patch if you have a kernel < 2.4.10 and want to use
any of the patches of patch-o-matic.
Please say yes, it won't hurt anything :)
- nat-export_symbols [nat-export_symbols.patch] [nat-export_symbols.patch.help]
-
Author: Harald Welte <[email protected]>
Status: Submitted to the kernel at 2.4.18-
This patch fixes some missed, unexported symbols in ip_nat_standalone.c
- netfilter-arp [netfilter-arp.patch] [netfilter-arp.patch.help]
-
Author: Rusty Russel <[email protected]>
Status: Submitted for kernel inclusion at 2.4.19-pre3 time
This adds netfilter hooks to the ARP sender and receiver code.
An ARP tables kernel module will be published soon
- netlink-tcpdiag [netlink-tcpdiag.patch] [netlink-tcpdiag.patch.help]
-
Author: unknown
Status: In kernel since 2.4.17
This patch is not really a netfilter patch, but updates your netlink.h file
in order to comply with the ulog patch. It's safe to apply this patch all
the time - and it's needed by ulog.patch
NOTE: this patch is not needed (and will not apply) on kernels >= 2.4.18
- REJECT-dont_fragment [REJECT-dont_fragment.patch] [REJECT-dont_fragment.patch.help]
-
Author: David Miller <[email protected]>
Status: Submitted to the kernel at 2.4.19-pre time
This patch fixes a bug in ipt_REJECT where we set the IP header's
don't fragment bit for the REJECT-generated ICMP message.
However, there is no PMTU discovery with ICMP - and we should just send
the ICMP error message wit DF cleared, so intermediate routers are allowed
to fragment.
- sackperm [sackperm.patch] [sackperm.patch.help]
-
Author: Guillaume Morin <[email protected]>
Status: Included in kernel 2.4.10
Attached patch fixes a bug in the SACKPERM delete function of netfilter.
The previous code replaced SACKPERM with 00 (== end of options) instead of
01 (== NOOP).
Yes, as discussed on netdev, the right thing is to make netfilter deal with
SACK correctly. But until the code for this is in place and tested, we still
need to delete the SACKPERM option... and we should do it correctly.
- skb_clone_copy [skb_clone_copy.patch] [skb_clone_copy.patch.help]
-
Author: Rusty Russell <[email protected]>
Status: Included in 2.4.18-pre7
There are some problems when a raw socket has a cloned skb of a packet
where some netfilter code is doing packet payload modification.
In this case, we have to use skb_copy to unshare the skb. This patch
fixes the problem.
- tcp-MSS [tcp-MSS.patch] [tcp-MSS.patch.config.in] [tcp-MSS.patch.configure.help] [tcp-MSS.patch.help] [tcp-MSS.patch.makefile]
-
Author: Marc Boucher
Status: Included in kernel 2.4.4
This patch adds the CONFIG_IP_NF_TARGET_TCPMSS and
CONFIG_IP_NF_MATCH_TCPMSS options, which allow you to examine and
alter the MSS value of TCP SYN packets, to control the maximum size
for that connection. THIS IS A HACK, used to overcome criminally
braindead ISPs or servers which block ICMP Fragmentation Needed
packets.
Typical usage:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- TOS-oops-fix [TOS-oops-fix.patch] [TOS-oops-fix.patch.help]
-
Author: Edward Killips <[email protected]>
Status: Submitted for kernel inclusion
This patch fixes an Oops regarded to the TOS manipulation target.
- ulog-module-unload [ulog-module-unload.patch] [ulog-module-unload.patch.help]
-
Author: Harald Welte <[email protected]>
Status: Submitted for kernel inclusion at 2.4.19-pre6 time
This fixes a bug which can potentially cause a kernel Oops to happen when
you unload the ipt_ULOG module.
- ulog [ulog.patch] [ulog.patch.config.in] [ulog.patch.configure.help] [ulog.patch.help] [ulog.patch.makefile]
-
Author: Harald Welte <[email protected]>
Status: Quite stable, as I didn't receive a single bug report for months
This adds CONFIG_IP_NF_TARGET_ULOG option, which supplies a more
advanced packet logging mechanism than the standard LOG target. The
libiptulog/ directory contains a library for receiving the ULOG
messages.
See http://www.gnumonks.org/projects/ulogd for more information