Individual Suite pages:
[Combined] [base] [broken] [extra] [not-accepted] [obsolete] [oldnat] [pending] [submitted]base depends on: submitted pending
Patches which are working fine together
Author: Andras Kis-Szabo <kisza@sch.bme.hu> Status: It works 4 me! These two match extensions (`ah' and `esp') allow you to match a range of SPIs inside AH or ESP headers of IPv6 packets. AH options: --ahspi [!] spi[:spi] match spi (range) --ahlen [!] length total length of this header --ahres check the reserved filed, too ESP option: --espspi [!] spi[:spi] match spi (range)
Author: Andras Kis-Szabo <kisza@sch.bme.hu> Status: It works 4 me! This match extension (`frag') allow you to select the packet based on the fileds of the fragmentation header of the IPv6 packets. FRAG options: --fragid [!] id[:id] match the id (range) --fraglen [!] length total length of this header --fragres check the reserved filed, too --fragfirst matches on the frst fragment [--fragmore|--fraglast] there are more fragments or this is the last one
Author: Gerd Knorr <kraxel@bytesex.org> Status: ItWorksForMe[tm] This adds CONFIG_IP_NF_MATCH_IPLIMIT match allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block). Examples: # allow 2 telnet connections per client host iptables -p tcp --syn --dport 23 -m iplimit --iplimit-above 2 -j REJECT # you can also match the other way around: iptables -p tcp --syn --dport 23 -m iplimit ! --iplimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized # network (24 bit netmask) iptables -p tcp --syn --dport 80 -m iplimit --iplimit-above 16 \ --iplimit-mask 24 -j REJECT
Author: Fabrice MARIE <fabrice@celestix.com> Status: experimental This option adds CONFIG_IP_NF_MATCH_IPV4OPTIONS, which supplies ip options match. Suppported options are: --ssrr To match packets with the flag strict source routing. --lsrr To match packets with the flag loose source routing. --no-srr To match packets with no flag for source routing. [!] --rr To match packets with the RR flag. [!] --ts To match packets with the TS flag. [!] --ra To match packets with the router-alert option. [!] --any-opt To match a packet with at least one IP option, or no IP option at all if ! is chosen. Example: $ iptables -A input -m ipv4options --rr -j DROP will drop packets with the record-route flag. $ iptables -A input -m ipv4options --ts -j DROP will drop packets with the timestamp flag. Bug ? I tested --ts and --rr, but not source routing issues, nor the router-alert since I don't know enough about them. So please let me know if it works or doesn't work :)
Author: Fabrice MARIE <fabrice@celestix.com> Status: Works For Me. This option adds CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP, which supplies a target module that will allow you to strip all the IP options from a packet. The target doesn't take any option, and therefore is extremly easy to use : # iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP # iptables -t mangle --list -n Chain PREROUTING (policy ACCEPT) target prot opt source destination IPV4OPTSSTRIP all -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination
Author: Brad Chapman (kakadu_croc@yahoo.com)
Andras Kis-Szabo
Status: Under development, please test it!
This match allows you to match the specialty headers of an IPv6
packet. The list can be found from the help message of the match
module.
The usage of the module is as follows (e.g.):
ip6tables -t filter -A INPUT -m ipv6header --header frag -j ACCEPT
ip6tables -t filter -A INPUT -m ipv6header --header 44 -j ACCEPT
ip6tables -t filter -A INPUT -m ipv6header --header route --soft -j ACCEPT
syntax:
--header [!] headers
--soft
Supported formats:
hop,dst,route,frag,auth,esp,none,prot
hop-by-hop,ipv6-opts,ipv6-route,ipv6-frag,ah,esp,ipv6-nonxt,protocol
0,60,43,44,51,50,59
proto means that the packet has got a protocol payload.
The soft mode means that the packet contains the header.
Warning: there is a problem with the fragmented packets!
If there is an extension-header after the fragmentation header, we can match
them only in the first fragment!
Author: Andreas Ferber <af@devcon.net> Status: It works for me. This module is an enhanced multiport match. It has support for byte ranges as well as for single ports. Examples: # iptables -A FORWARD -p tcp -m mport --ports 23:42,65 Up to 15 ports are allowed. Note that a portrange uses up 2 port values.
Author: Gianni Tedesco <gianni@ecsc.co.uk> Status: Working, will not go into main kernel This patch adds CONFIG_IP_NF_TARGET_NETLINK, which adds a NETLINK target that sends dropped packets to userspace via a netlink socket. It replaces the old ipchains -o option.
Author: Svenning Soerensen <svenning@post5.tele.dk> Status: Experimental This adds CONFIG_IP_NF_TARGET_NETMAP option, which provides a target for the nat table. It creates a static 1:1 mapping of the network address, while keeping host addresses intact. It can be applied to the PREROUTING chain to alter the destination of incoming connections, to the POSTROUTING chain to alter the source of outgoing connections, or both (with separate rules). Examples: iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24 iptables -t nat -A POSTROUTING -s 5.6.7.0/24 -j NETMAP --to 1.2.3.0/24
Author: Fabrice MARIE <fabrice@celestix.com> Status: Works For Me. This option adds CONFIG_IP_NF_MATCH_NTH, which supplies a match module that will allow you to match every Nth packet encountered. By default there are 16 different counters that can be used. This match functions in one of two ways 1) Match ever Nth packet, and only the Nth packet. example: iptables -t mangle -A PREROUTING -m nth --every 10 -j DROP This rule will drop every 10th packet. 2) Unique rule for every packet. This is an easy and quick method to produce load-balancing for both inbound and outbound. example: iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \ --every 3 --packet 0 -j SNAT --to-source 10.0.0.5 iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \ --every 3 --packet 1 -j SNAT --to-source 10.0.0.6 iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \ --every 3 --packet 2 -j SNAT --to-source 10.0.0.7 This example evenly splits connections between the three SNAT addresses. By using the mangle table and iproute2, you can setup complex load-balanced routing. There's lot of other uses. Be creative! Suppported options are: --every Nth Match every Nth packet [--counter] num Use counter 0-15 (default:0) [--start] num Initialize the counter at the number 'num' instead of 0. Must be between 0 and Nth-1 [--packet] num Match on 'num' packet. Must be between 0 and Nth-1. If --packet is used for a counter than there must be Nth number of --packet rules, covering all values between 0 and Nth-1 inclusively.
Author: Patrick <bof@bof.de> Status: Development: please tell me if and where I fucked up on the locks. This adds CONFIG_IP_NF_POOL, which provides a match which lets you use bitmaps with one bit per address from some range of IP addresses; the match depends on whether a checked source or destination address has its bit set in the pool. It also provides a POOL target, which can be used to add or remove the addresses of a packet to/from a pool. The userspace program ippool(8) is also compiled (in the ippool/ directory), and is used to define the pools and their bounds.
Author: Dennis Koslowski <dkoslowski@astaro.de> Status: Experimental This option adds CONFIG_IP_NF_MATCH_PSD, which supplies portscan detection match (psd). This match will attempt to detect TCP and UDP port scans. This match was derived from Solar Designer's scanlogd. Suppported options are: --psd-weight-thresholdTotal weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence. --psd-delay-threshold Delay (in hundredths of second) for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence. --psd-lo-ports-weight Weight of the packet with privileged (<=1024) destination port. --psd-hi-ports-weight Weight of the packet with non-priviliged destination port.
Author: Sam Johnston <samj@samj.net> Status: worksforme This option adds CONFIG_IP_NF_MATCH_QUOTA, which implements network quotas by decrementing a byte counter with each packet. Supported options are: --quotaThe quota in bytes.
Author: Fabrice MARIE <fabrice@celestix.com> Status: Works For Me. This option adds CONFIG_IP_NF_MATCH_RANDOM, which allow you to match packets randomly following a given probability. Suppported options are: [--average] percent will match randomly packets with a probability of 'percent' default is 50%
Author: Sampsa Ranta <sampsa@netsonic.fi> Status: Experimental realm match: uses realm key from routing as match criteria similiar to one in packet classifier /** snip from packet classifier documentation */ Routing tables based classifier CONFIG_NET_CLS_ROUTE4 If you say Y here, you will be able to classify outgoing packets according to the route table entry they matched. If unsure, say Y. /** end snip **/ # Example # add route /sbin/ip route add 194.29.194.0/24 via 194.29.192.1 realm 10 # source realm is in realm with mask 0xFFFF0000, # destination is in realm with mask 0x0000FFFF # match destination realm /usr/local/sbin/iptables -A OUTPUT -m realm --realm 10 -j LOG # match realm of source, this is also determinated by routing, /usr/local/sbin/iptables -A INPUT -m realm --realm 655360 -j LOG THIS PATCH REQUIRES CONFIG_NET_CLS_ROUTE TO BE SET
Author: Harald Welte <laforge@gnumonks.org> Status: In Development, REQUIRES ipv6-fixes.patch This adds CONFIG_IP6_NF_TARGET_REJECT option, which adds a REJECT target to ip6tables. Please keep in mind that the icmp-types are different from the icmpv6 types (see ip6tables -j REJECT -h for more info)
Author: Martin Josefsson <gandalf@wlug.westbo.se> Status: In Development/Works For Me This adds CONFIG_IP_NF_TARGET_SAME option, which is similar to SNAT: it takes a range of addresses (`--to 1.2.3.4-1.2.3.7') and gives a client the same address for each connection. It has a --nodst option to make it not use the destination-ip in the calculations when selecting the new source-ip Now it has support for multiple ranges, including 1-address ranges. THIS PATCH IS INCOMPATIBLE WITH dropped-table.patch
Author: Fabrice MARIE <fabrice@celestix.com> Status: It Works For Me. This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module. This match allows you to filter based on the packet arrival time (arrival time at the machine which the netfilter is running on) or departure time (for locally generated packets). Supported options are: --timestart HH:MM The starting point of the time match frame. --timestop HH:MM The stopping point of the time match frame --days Tue,Mon... Days of the week to match separated by a coma, no space (one of Sun,Mon,Tue,Wed,Thu,Fri,Sat) Example: -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday to Friday. -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon will match the packets (locally generated) that have a departure timestamp in the range 8:00->18:00 on Monday only.
Author: Harald Welte <laforge@gnumonks.org> Status: Stable, needs new checksum handling This adds CONFIG_IP_NF_TARGET_TTL option, which enables the user to set the TTL value of an IP packet or to increment / decrement it by a given value.
Author: Rusty Russell <rusty@rustcorp.com.au> Status: Beta, redesign underway, applies now to 2.4.4-final This patch adds a `drop' table to iptables, adding a CONFIG_IP_NF_DROPTABLE option. Packets which are going to be dropped by the NAT or routing code (among others) will traverse this table, allowing them to be logged. THIS PATCH WILL BREAK OTHER PATCHES (irc-conntrack-nat,talk,NETMAP,SAME,...)
Author: Fabrice MARIE <fabrice@celestix.com> Status: Works For Me. This patch adds support for setting the nfmark bitwise (and & or). # iptables -t mangle -A PREROUTING -p icmp -j MARK --or-mark 0x15 # iptables -t mangle -A PREROUTING -p icmp -j MARK --and-mark 0x15 ***** WARNING ***** This patch also patch the userspace directory which means that you you have to recompile and reinstall the iptables package after that.
extra depends on: submitted pending base
Patches which are working fine together + patches which might break each other
Author: Magnus Sandin <magnus@sandin.cx> Status: Development This adds CONFIG_IP_NF_EGG: Connection tracking for eggdrop bot networks. It now also supports eggdrop v1.6.x
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Status: Alpha This adds CONFIG_IP_NF_H323: H.323/netmeeting support module for netfilter connection tracking and NAT. H.323 uses/relies on the following data streams: Port Description 389 Internet Locator Server (TCP) 522 User Location Server (TCP) 1503 T.120 Protocol (TCP) 1720 H.323 (H.225 call setup, TCP) 1731 Audio call control (TCP) Dynamic H.245 call control (TCP) Dynamic RTCP/RTP streaming (UDP) The H.323 conntrack/NAT modules support the connection tracking/NATing of the data streams requested on the dynamic ports. The helpers use the search/replace hack from the ip_masq_h323.c module for the 2.2 kernel series. At the very minimum, H.323/netmeeting (video/audio) is functional by letting trough the 1720 port and loading these H.323 module(s). The H.323 conntrack/NAT modules do not support - H.245 tunnelling - H.225 RAS (gatekeepers)
Author: Martin Josefsson <gandalf@wlug.westbo.se> Status: Works for me(tm) This patch adds the ipt_helper module which is a new match for iptables. This adds the capability to match packets in a dynamically allocated connection that's related to a specific conntrack helper. If you want to match all packets belonging to ftp-sessions: (both ftp-command and ftp-data connections) iptables -A INPUT -m helper --helper ftp -j ACCEPT use irc for irc-sessions. It will currently only work with the ftp and irc conntrack-helpers but it's easy to add support for other helpers (a one-line patch to the conntrack-helper). You'll also need the bidirectional irc patch for irc matching to work properly. This patch modifies the way helpers are looked up when iptable_nat is loaded, the behaviour changes slightly, see comment in patch. Please report any breakage caused by this.
Author: Fabrice MARIE <fabrice@celestix.com> Status: It Works For Me. Adds the possibility to send icmp-unreachable messages from a fake source IP address. Example : # iptables -A INPUT -p tcp -d 202.156.58.79 --dport http -j REJECT --fake-source 10.1.1.1 # iptables --list -n Chain INPUT (policy ACCEPT) target prot opt source destination REJECT tcp -- 0.0.0.0/0 202.156.58.79 tcp dpt:80 reject-with icmp-port-unreachable faked from 10.1.1.1 ***** WARNING ***** This patch also patch the userspace directory which means that you you have to recompile and reinstall the iptables package after that.
Author: Fabrice MARIE <fabrice@celestix.com> Status: Works For Me. This patch adds support for matching the nfmark bitwise (and & or). For example, to test if the second bit of nfmark is set : # iptables -t mangle -A PREROUTING -p icmp -m mark --markand 0x2/0x2 -j ACCEPT I'm sure you will find a use for the OR bitwise operation as well :) # iptables -t mangle -A PREROUTING -p icmp -m mark --markor 0x7/0x1 -j ACCEPT ***** WARNING ***** This patch also patch the userspace directory which means that you have to recompile and reinstall the iptables package after that.
Author: ... Status: Development This adds CONFIG_IP_NF_PPTP: Connection tracking and NAT support for PPTP.
Author: Stephen Frost <sfrost@snowman.net> Status: Tested locally, no problems so far. This module is used for creating one or many list(s) of recently seen IP addresses and then matching against that/those list(s). --name Specify the list to use for the commands. If no name is given then 'DEFAULT' will be used. --set followed by an optional `!' This will add the source address of the packet to the list. If the source address is already in the list, this will update the existing entry. This will always return success. --rcheck followed by an optional `!' This will check if the source address of the packet is currently in the list and return true if it is, and false otherwise. --update followed by an optional `!' This will check if the source address of the packet is currently in the list. If it is then that entry will be updated and the rule will return true. If the source address is not in the list then the rule will return false. --remove followed by an optional `!' This will check if the source address of the packet is currently in the list and if so that address will be removed from the list. --seconds followed by an optional `!', then the value This option must be used in conjunction with one of 'rcheck' or 'update'. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. --hitcount followed by an optional `!', then the value This option must be used in conjunction with one of 'rcheck' or 'update'. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with 'seconds' to create an even narrower match requiring a certain number of hits within a specific time frame. --rttl This option must be used in conjunction with one of 'rcheck' or 'update'. When used, this will narrow the match to only happen when the address is in the list and the TTL of the current packet matches that of the packet which hit the --set rule. This may be useful if you have problems with people faking their source address in order to DoS you via this module by disallowing others access to your site by sending bogus packets to you. /proc/net/ipt_recent is a directory which contains the currently active lists. /proc/net/ipt_recent/* are the current lists of addresses and information about each entry of each list. Each file in /proc/net/ipt_recent/ can be read from to see the current list or written two using the following commands to modify the list: 'echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT' to Add to the DEFAULT list or 'echo +xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT' for the same result. 'echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT' to Remove from the DEFAULT list 'echo -0.0.0.0 > /proc/net/ipt_recent/DEFAULT' to empty the DEFAULT list. The module itself accepts two parameters: ip_list_tot=40 ip_pkt_list_tot=10 Shown are the defaults. ip_list_tot is the total number of addresses which will be remembered, note that the list is searched in-order for every attempted match and so you do not want to increase this value too much or alot of time will be spent traversing the list. ip_pkt_list_tot is the total number of packets which will be remembered for each address. This list is only used by '--hitcount' and so the default will probably suffice unless you make extensive use of that option. Example #1: # iptables -A FORWARD -m recent --rcheck --seconds 60 -j DROP # iptables -A FORWARD -i eth0 -d 127.0.0.0/8 -m recent --set -j DROP Here we are making a 'bad guy' out of anyone who tries to send data to 127.0.0.0/8 on our eth0 interface (which should never legitimately happen). The first packet will make it past the first rule and then be caught by the second rule and that address will be put into the recent list and the packet dropped. Any subsequent packets for the next 60 seconds that show up from that address will be dropped, regardless of destination address, destiation port, etc. Example #2: # iptables -A FORWARD -m recent --update --seconds 60 -j DROP # iptables -A FORWARD -i eth0 -d 127.0.0.0/8 -m recent --set -j DROP (The author's favorite method) This is identical to example #1 except that for every subsequent packet received from this source address the 'last seen' status will be updated in the table. Therefore there must be a 'quiet time' of 60 seconds before another packet from this address will even be considered. It is the author's intent that all 'DROP' rules be replaced by: '-m recent --set -j DROP' and that a: '-m recent --update --seconds 60 -j DROP' rule be added very early on in the rule set, though following any: '--match state --state ! NEW,INVALID -j ACCEPT' rules. If the '--update' rule is before this check for ! NEW,INVALID packets then ESTABLISHED connection or those in the process of becoming ESTABLISHED could be disrupted by a malicious person who can modify his/her source address.
Author: "Marcelo Barbosa Lima" <marcelo.lima@dcc.unicamp.br> Status: This works now :-) Status: Ported to 2.4.0-test9-pre2 by Rusty. May be broken. Status: Fixed by Marc for 2.4.0. Status: Ported to newnat by Harald. May still be broken. This adds CONFIG_IP_NF_MATCH_RPC, which supplies two modules, ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track portmapper requests using UDP and TCP respectively. It also adds the record_rpc match for iptables, which matches if the source of the packet has requested that port through the portmapper before, or it is a new GET request to the portmapper, allowing effective RPC filtering.
Author: Emmanuel Roger <winfield@freegates.be> Status: Working, not with kernel 2.4.9 This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to match a string in a whole packet. THIS PATCH DOES NOT WORK WITH KERNEL 2.4.9 !!!
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Status: Alpha This adds CONFIG_IP_NF_TALK: talk support module for netfilter connection tracking and NAT. This allows both the callee client - caller server and callee client - caller client connections to work through connection tracking and NAT. Default both talk (UDP port 517) and ntalk/ntalk2 (UDP port 518) are supported. talk/ntalk/ntalk2 supports can selectively be enabled/disabled by the module parameters of the ip_conntrack_talk and ip_nat_talk modules: talk=0|1 ntalk=0|1 ntalk2=0|1 where '0' means 'don't support' while '1' means 'do support' the given protocol flavour.
Author: Jozsef Kadlecsik Status: proven to be quite stable, but still experimental Status: ported to newnat, needs testing. This patch is an implementation of TCP connection tracking according to the article 'Real Stateful TCP Packet Filtering in IP Filter' by Guido van Rooij [1]. It contains the new TCP connection tracking with support to handle already established connections. It supports TCP window scaling. [1] http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz - the default timeout value for the CLOSE_WAIT state is raised to 12 hours - sysctl support added (/proc/sys/net/ipv4/netfilter/), which means: - all conntrack timeout values can be adjusted via sysctl - logging of out of window packets and packets with invalid window scale value can be disabled/enabled via sysctl - a new flag ip_ct_tcp_be_liberal added: when ip_ct_tcp_be_liberal is set to 0, all out of window packets are marked as INVALID, while if it's set to 1, only out of window *RST* segments are marked as INVALID. - Beware!!! /proc/sys/net/ipv4/ip_conntrack_max is renamed as /proc/sys/net/ipv4/netfilter/ip_conntrack_max. Update your scripts which uses this parameter!!! - logging of out of window packets are made more verbose
Author: Magnus Boden <mb@ozaba.mine.nu> TFTP connections will not work with NAT and this module makes that work. modprobe ip_conntrack_tftp ports=69,70 has the effect of helping tftp connections on port 69 and 70. If the ports argument is not supplied to modprobe it defaults to 69. If you have trouble please drop me a mail and I will help you.
not-accepted depends on: submitted pending
Patches which have not been accepted by the kernel maintainers
Author: Jamal Hadi Selim <drj@cyberus.ca> Status: Submitted at 2.4.18-pre9 time, REJECTED Have nf_register_hook() return an error in case somebody registers the same function at the same hook twice. Reason for reject: Nobody is allowed to register twice.
obsolete depends on: submitted pending
Patches which have been obsoleted by other (new) patches
Author: Matthew G. Marsh <mgm@paktronix.com> Status: Obsoleted by new DSCP and ECN targets This adds CONFIG_IP_NF_TARGET_FTOS option, which allows setting the TOS field within the packet to any value between 0x0 and 0xff. This includes all legal TOS values. It does not take account of the DiffServ split of the field nor does it account for the ECN bit states. Basically you can set the TOS field to whatever value you want.
Patches for the old NAT framework (outdated)
Author: Henrik Nordstrom <hno@marasystems.com> Status: working This patch adds per connection marks, and a target (CONNMARK) respective a match (connmark) for using these. Usage: connmark This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). --mark value[/mask] Matches packets in connections with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mark before the compar� ison). CONNMARK This is used to set the netfilter mark value associated with the connection --set-mark mark Set connection mark --save-mark Set connection mark to the same as the one on the packet --restore-mark Set the netfilter packet mark value to the one associated with the connection. This is only valid in the mangle table.
Author: Harald Welte <laforge@gnumonks.org> Status: Highly Experimental This patch affects the TCP state tracking machine. It alters it in a way, that it will only track TCP connections which are established _after_ loading ip_conntrack.o on the firewall. This means, after reloading ip_conntrack.o or a firewall reboot, all TCP connections are gone. No connection pickup is working anymore. So what's the advantage of this patch? It can help in certain setups, where you get ACK-flooded and the machine which is ACK-scanned is not up or in some other way unable to send RST's. Please give me feedback if you use this patch.
Author: Jay Schulist <jschlst@samba.org> Status: Experimental This adds CONFIG_IP_NF_CTNETLINK option, which enables connection tracking via NETLINK. Netfilter has the ability to communicate connection tracking information to user space. This feature allows the user to receive connection tracking event notification and provides the ability to change connection states from user space. Please not that this is an experimental package which will break other patch-o-matic patches
Author: Magnus Sandin <magnus@sandin.cx> Status: Development This adds CONFIG_IP_NF_EGG: Connection tracking for eggdrop bot networks. It now also supports eggdrop v1.6.x
Author: Magnus Sandin <magnus@sandin.cx> Status: Development Attached patch adds FXP support to ftp connectiontracking. FXP'ing to NAT'ed ftp daemons does not work yet. Load ip_conntrack_ftp.o with modprobe ip_conntrack_ftp fxp=1 to enable FXP functionality to connectiontracking of ftpsessions. WARNING: Applying this patch and enabling the feature _WILL_ reduce security offered by FTP connection tracking significantly. Use with extreme care - and only if you know what you are doing.
Author: Martin Josefsson <gandalf@wlug.westbo.se> Status: Works for me(tm) This patch adds the ipt_helper module which is a new match for iptables. This adds the capability to match packets in a dynamically allocated connection that's related to a specific conntrack helper. If you want to match all packets belonging to ftp-sessions: (both ftp-command and ftp-data connections) iptables -A INPUT -m helper --helper ftp -j ACCEPT use irc for irc-sessions. It will currently only work with the ftp and irc conntrack-helpers but it's easy to add support for other helpers (a one-line patch to the conntrack-helper). You'll also need the bidirectional irc patch for irc matching to work properly. This patch modifies the way helpers are looked up when iptable_nat is loaded, the behaviour changes slightly, see comment in patch. Please report any breakage caused by this.