userspace depends on: submitted pending base extra
Patches which need to patch userspace iptables. Use with caution.
Author: Fabrice MARIE <[email protected]>
Status: It Works For Me.
Adds the possibility to send icmp-unreachable messages
from a fake source IP address. The original destination of the packet will be
used as the source address of the icmp-unreach.
To make the icmp-unreach appear to come from the destination host:
# iptables -A FORWARD -p tcp -d 202.156.58.0/24 --dport domain -j REJECT --fake-source
# iptables --list
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere 202.156.58.0/24 tcp dpt:domain reject-with icmp-port-unreachable source-faked
***** WARNING ***** This patch also patches the userspace directory, which means that
you have to recompile and reinstall the iptables package after that.
Author: Fabrice MARIE <[email protected]>
Status: Works For Me.
This patch adds support for matching the nfmark bitwise (AND and OR).
For example, to test whether the second bit of nfmark is set:
# iptables -t mangle -A PREROUTING -p icmp -m mark --markand 0x2/0x2 -j ACCEPT
I'm sure you will find a use for the OR bitwise operation as well :)
# iptables -t mangle -A PREROUTING -p icmp -m mark --markor 0x7/0x1 -j ACCEPT
***** WARNING ***** This patch also patches the userspace directory, which means that
you have to recompile and reinstall the iptables package after that.
Author: Jozsef Kadlecsik <[email protected]>
Status: Testing.
This patch adds a new table called 'raw' with two new targets
'NOTRACK' and 'TRACE' to netfilter/iptables (plus some modifications).
The raw table is the very first in netfilter (it even precedes
the conntrack subsystem) and uses the PREROUTING and OUTPUT
built-in chains.
The TRACE target can be used to trace how a packet "flows through"
your tables and rules. When a packet marked with the TRACE target
matches any rule, the system logs the packet with the following
prefix:
TRACE: tablename/chainname/rulenum packet
The internal logging functionality relies on the available
"backend" logging modules (ipt_LOG or ipt_ULOG). You must load
at least one of the logging modules. If both modules are
loaded, then by default ipt_LOG generates the internal log messages;
this can be overridden by the module parameter 'takeover' of
the ipt_ULOG module:
modprobe ipt_ULOG takeover=1
The NOTRACK target can be used to select which packets should *not*
enter the conntrack/NAT subsystems. Please keep in mind:
if you mark a packet with NOTRACK, then
- all the conntrack functionality is lost for the packet
(ICMP error tracking, protocol helpers, etc.)
- all the NAT functionality is also lost.
Packets marked with NOTRACK can be matched by the 'UNTRACKED'
state. Example:
# Very busy webserver
iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j NOTRACK
iptables -t raw -A PREROUTING -s 1.2.3.4 -p tcp --sport 80 -j NOTRACK
...
# filter rules
iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT
Author: Jozsef Kadlecsik <[email protected]>
Status: Testing.
This patch adds a new table called 'raw' with a new target
called 'TRACE' to netfilter/iptables (plus some modifications).
The raw table is the very first in netfilter and uses the
PREROUTING and OUTPUT built-in chains.
The TRACE target can be used to trace how a packet "flows through"
your tables and rules. When a packet marked with the TRACE target
matches any rule, the system logs the packet with the following
prefix:
TRACE: tablename/chainname/rulenum packet
The internal logging functionality relies on the available
"backend" logging module (ip6t_LOG). You must load the logging
module, otherwise no log will be generated.
Generated Mon Jan 13 19:42:34 EST 2003 by pomlist version 0.2.2.