Patches for the old NAT framework (outdated)
Author: Henrik Nordstrom <hno@marasystems.com>
Status: working

This patch adds per connection marks, and a target (CONNMARK) and a match (connmark) for using these.

Usage:

connmark
  This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below).
  --mark value[/mask]
    Matches packets in connections with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mark before the comparison).

CONNMARK
  This is used to set the netfilter mark value associated with the connection.
  --set-mark mark
    Set connection mark.
  --save-mark
    Set connection mark to the same as the one on the packet.
  --restore-mark
    Set the netfilter packet mark value to the one associated with the connection. This is only valid in the mangle table.
Author: Harald Welte <laforge@gnumonks.org>
Status: Highly Experimental

This patch affects the TCP state tracking machine. It alters it in a way that it will only track TCP connections which are established _after_ loading ip_conntrack.o on the firewall. This means that after reloading ip_conntrack.o or a firewall reboot, all TCP connections are gone. No connection pickup works anymore.

So what's the advantage of this patch? It can help in certain setups where you get ACK-flooded and the machine which is ACK-scanned is not up or in some other way unable to send RSTs.

Please give me feedback if you use this patch.
Author: Jay Schulist <jschlst@samba.org>
Status: Experimental

This adds the CONFIG_IP_NF_CTNETLINK option, which enables connection tracking via NETLINK. Netfilter has the ability to communicate connection tracking information to user space. This feature allows the user to receive connection tracking event notifications and provides the ability to change connection states from user space.

Please note that this is an experimental package which will break other patch-o-matic patches.
Author: Magnus Sandin <magnus@sandin.cx>
Status: Development

This adds CONFIG_IP_NF_EGG: Connection tracking for eggdrop bot networks. It now also supports eggdrop v1.6.x.
Author: Magnus Sandin <magnus@sandin.cx>
Status: Development

The attached patch adds FXP support to ftp connection tracking. FXP'ing to NAT'ed ftp daemons does not work yet.

Load ip_conntrack_ftp.o with
  modprobe ip_conntrack_ftp fxp=1
to enable FXP functionality in the connection tracking of ftp sessions.

WARNING: Applying this patch and enabling the feature _WILL_ reduce the security offered by FTP connection tracking significantly. Use with extreme care - and only if you know what you are doing.
Author: Martin Josefsson <gandalf@wlug.westbo.se>
Status: Works for me(tm)

This patch adds the ipt_helper module, which is a new match for iptables. It adds the capability to match packets in a dynamically allocated connection that's related to a specific conntrack helper.

If you want to match all packets belonging to ftp sessions (both ftp-command and ftp-data connections):
  iptables -A INPUT -m helper --helper ftp -j ACCEPT
Use irc for irc sessions.

It will currently only work with the ftp and irc conntrack helpers, but it's easy to add support for other helpers (a one-line patch to the conntrack helper). You'll also need the bidirectional irc patch for irc matching to work properly.

This patch modifies the way helpers are looked up when iptable_nat is loaded; the behaviour changes slightly, see the comment in the patch. Please report any breakage caused by this.
Author: Harald Welte
- pptp-conntrack-nat [pptp-conntrack-nat.patch] [pptp-conntrack-nat.patch.config.in] [pptp-conntrack-nat.patch.configure.help] [pptp-conntrack-nat.patch.help]
Author: ...
Status: Development

This adds CONFIG_IP_NF_PPTP: Connection tracking and NAT support for PPTP.
- pptp-gre-ct-nat-0.83 [pptp-gre-ct-nat-0.83.patch] [pptp-gre-ct-nat-0.83.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Beta

This patch adds support for real connection tracking and NAT of GRE and PPTP connections. However, there are some limitations on what this patch can do in the current netfilter framework:
- can't track multiple calls within one control session
- can't DNAT incoming PAC connections
- only covers the common case, where the PNS->PAC connection is SNAT'ed
- GRE version 0 checksum mangling not tested yet
- incoming call conntrack+NAT testing not supported yet
- assumes all connections are made from PNS->PAC
- record-rpc [record-rpc.patch] [record-rpc.patch.config.in] [record-rpc.patch.configure.help] [record-rpc.patch.help] [record-rpc.patch.makefile]
Author: "Marcelo Barbosa Lima" <marcelo.lima@dcc.unicamp.br>
Status: This works now :-)
Status: Ported to 2.4.0-test9-pre2 by Rusty. May be broken.
Status: Fixed by Marc for 2.4.0.

This adds CONFIG_IP_NF_MATCH_RPC, which supplies two modules, ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track portmapper requests using UDP and TCP respectively. It also adds the record_rpc match for iptables, which matches if the source of the packet has requested that port through the portmapper before, or if it is a new GET request to the portmapper, allowing effective RPC filtering.
- talk-conntrack-nat [talk-conntrack-nat.patch] [talk-conntrack-nat.patch.config.in] [talk-conntrack-nat.patch.configure.help] [talk-conntrack-nat.patch.help] [talk-conntrack-nat.patch.makefile]
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Status: Alpha

This adds CONFIG_IP_NF_TALK: talk support module for netfilter connection tracking and NAT. This allows both the callee client - caller server and callee client - caller client connections to work through connection tracking and NAT. Default talk (UDP port 517) and ntalk/ntalk2 (UDP port 518) are supported.

talk/ntalk/ntalk2 support can selectively be enabled/disabled by the module parameters of the ip_conntrack_talk and ip_nat_talk modules:
  talk=0|1    disable|enable talk support
  ntalk=0|1   disable|enable ntalk support
  ntalk2=0|1  disable|enable ntalk2 support
The default is talk=1 ntalk=1 ntalk2=1, i.e. support all talk protocols.
- tcp-window-tracking [tcp-window-tracking.patch] [tcp-window-tracking.patch.help] [tcp-window-tracking.patch.makefile]
Author: Jozsef Kadlecsik
Status: proven to be quite stable, but still experimental

This patch is an implementation of TCP connection tracking according to the article 'Real Stateful TCP Packet Filtering in IP Filter' by Guido van Rooij [1]. It contains the new TCP connection tracking with support to handle already established connections. It supports TCP window scaling.

[1] http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz

- the default timeout value for the CLOSE_WAIT state is raised to 12 hours
- sysctl support added (/proc/sys/net/ipv4/netfilter/), which means:
  - all conntrack timeout values can be adjusted via sysctl
  - logging of out of window packets and packets with invalid window scale value can be disabled/enabled via sysctl
  - a new flag ip_ct_tcp_be_liberal added: when ip_ct_tcp_be_liberal is set to 0, all out of window packets are marked as INVALID, while if it's set to 1, only out of window *RST* segments are marked as INVALID.
- Beware!!! /proc/sys/net/ipv4/ip_conntrack_max is renamed as /proc/sys/net/ipv4/netfilter/ip_conntrack_max. Update your scripts which use this parameter!!!
- logging of out of window packets is made more verbose
- tftp [tftp.patch] [tftp.patch.config.in] [tftp.patch.configure.help] [tftp.patch.help]
Author: Magnus Boden <mb@ozaba.mine.nu>

TFTP connections will not work with NAT, and this module makes that work.
  modprobe ip_conntrack_tftp ports=69,70
has the effect of helping tftp connections on ports 69 and 70. If the ports argument is not supplied to modprobe, it defaults to 69.

If you have trouble please drop me a mail and I will help you.
Generated Fri Apr 26 15:04:54 EDT 2002 by pomlist version 0.2.1.