Individual Suite pages:[summary] [combined] [base] [broken] [extra] [not-accepted] [obsolete] [oldnat] [pending] [submitted]
Patches for the old NAT framework (outdated)
Author: Henrik Nordstrom <firstname.lastname@example.org> Status: working This patch adds per connection marks, and a target (CONNMARK) respective a match (connmark) for using these. Usage: connmark This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). --mark value[/mask] Matches packets in connections with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mark before the compar ison). CONNMARK This is used to set the netfilter mark value associated with the connection --set-mark mark Set connection mark --save-mark Set connection mark to the same as the one on the packet --restore-mark Set the netfilter packet mark value to the one associated with the connection. This is only valid in the mangle table.
Author: Harald Welte <email@example.com> Status: Highly Experimental This patch affects the TCP state tracking machine. It alters it in a way, that it will only track TCP connections which are established _after_ loading ip_conntrack.o on the firewall. This means, after reloading ip_conntrack.o or a firewall reboot, all TCP connections are gone. No connection pickup is working anymore. So what's the advantage of this patch? It can help in certain setups, where you get ACK-flooded and the machine which is ACK-scanned is not up or in some other way unable to send RST's. Please give me feedback if you use this patch.
Author: Jay Schulist <firstname.lastname@example.org> Status: Experimental This adds CONFIG_IP_NF_CTNETLINK option, which enables connection tracking via NETLINK. Netfilter has the ability to communicate connection tracking information to user space. This feature allows the user to receive connection tracking event notification and provides the ability to change connection states from user space. Please not that this is an experimental package which will break other patch-o-matic patches
Author: Magnus Sandin <email@example.com> Status: Development This adds CONFIG_IP_NF_EGG: Connection tracking for eggdrop bot networks. It now also supports eggdrop v1.6.x
Author: Magnus Sandin <firstname.lastname@example.org> Status: Development Attached patch adds FXP support to ftp connectiontracking. FXP'ing to NAT'ed ftp daemons does not work yet. Load ip_conntrack_ftp.o with modprobe ip_conntrack_ftp fxp=1 to enable FXP functionality to connectiontracking of ftpsessions. WARNING: Applying this patch and enabling the feature _WILL_ reduce security offered by FTP connection tracking significantly. Use with extreme care - and only if you know what you are doing.
Author: Martin Josefsson <email@example.com> Status: Works for me(tm) This patch adds the ipt_helper module which is a new match for iptables. This adds the capability to match packets in a dynamically allocated connection that's related to a specific conntrack helper. If you want to match all packets belonging to ftp-sessions: (both ftp-command and ftp-data connections) iptables -A INPUT -m helper --helper ftp -j ACCEPT use irc for irc-sessions. It will currently only work with the ftp and irc conntrack-helpers but it's easy to add support for other helpers (a one-line patch to the conntrack-helper). You'll also need the bidirectional irc patch for irc matching to work properly. This patch modifies the way helpers are looked up when iptable_nat is loaded, the behaviour changes slightly, see comment in patch. Please report any breakage caused by this.
Author: Harald Welte
- pptp-conntrack-nat [pptp-conntrack-nat.patch] [pptp-conntrack-nat.patch.config.in] [pptp-conntrack-nat.patch.configure.help] [pptp-conntrack-nat.patch.help]
- Author: ... Status: Development This adds CONFIG_IP_NF_PPTP: Connection tracking and NAT support for PPTP.
- pptp-gre-ct-nat-0.83 [pptp-gre-ct-nat-0.83.patch] [pptp-gre-ct-nat-0.83.patch.help]
- Author: Harald Welte <firstname.lastname@example.org> Status: Beta This patch adds support for real connection tracking and NAT of GRE and PPTP connecitons. However, there are some limitations on what this patch can do in the current netfilter framework: - can't track multiple calls within one control session - can't DNAT incoming PAC connections - only covers the common case, where PNS->PAC connection is SNAT'ed - GRE version 0 checksum mangling not tested yet - incoming call conntrack+NAT testing not supported yet - assumes all connections are made from PNS->PAC
- record-rpc [record-rpc.patch] [record-rpc.patch.config.in] [record-rpc.patch.configure.help] [record-rpc.patch.help] [record-rpc.patch.makefile]
- Author: "Marcelo Barbosa Lima" <email@example.com> Status: This works now :-) Status: Ported to 2.4.0-test9-pre2 by Rusty. May be broken. Status: Fixed by Marc for 2.4.0. This adds CONFIG_IP_NF_MATCH_RPC, which supplies two modules, ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track portmapper requests using UDP and TCP respectively. It also adds the record_rpc match for iptables, which matches if the source of the packet has requested that port through the portmapper before, or it is a new GET request to the portmapper, allowing effective RPC filtering.
- talk-conntrack-nat [talk-conntrack-nat.patch] [talk-conntrack-nat.patch.config.in] [talk-conntrack-nat.patch.configure.help] [talk-conntrack-nat.patch.help] [talk-conntrack-nat.patch.makefile]
- Author: Jozsef Kadlecsik <firstname.lastname@example.org> Status: Alpha This adds CONFIG_IP_NF_TALK: talk support module for netfilter connection tracking and NAT. This allows both the callee client - caller server and callee client - caller client connections to work through connection tracking and NAT. Default talk (UDP port 517) and ntalk/ntalk2 (UDP port 518) are supported. talk/ntalk/ntalk2 supports can selectively be enabled/disabled by the module parameters of the ip_conntrack_talk and ip_nat_talk modules: talk=0|1 disable|enable talk support ntalk=0|1 disable|enable ntalk support ntalk2=0|1 disable|enable ntalk2 support The default is talk=1 ntalk=1 ntalk2=1 i.e. support all talk protocols.
- tcp-window-tracking [tcp-window-tracking.patch] [tcp-window-tracking.patch.help] [tcp-window-tracking.patch.makefile]
- Author: Jozsef Kadlecsik Status: proven to be quite stable, but still experimental This patch is an implementation of TCP connection tracking according to the article 'Real Stateful TCP Packet Filtering in IP Filter' by Guido van Rooij . It contains the new TCP connection tracking with support to handle already established connections. It supports TCP window scaling.  http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz - the default timeout value for the CLOSE_WAIT state is raised to 12 hours - sysctl support added (/proc/sys/net/ipv4/netfilter/), which means: - all conntrack timeout values can be adjusted via sysctl - logging of out of window packets and packets with invalid window scale value can be disabled/enabled via sysctl - a new flag ip_ct_tcp_be_liberal added: when ip_ct_tcp_be_liberal is set to 0, all out of window packets are marked as INVALID, while if it's set to 1, only out of window *RST* segments are marked as INVALID. - Beware!!! /proc/sys/net/ipv4/ip_conntrack_max is renamed as /proc/sys/net/ipv4/netfilter/ip_conntrack_max. Update your scripts which uses this parameter!!! - logging of out of window packets are made more verbose
- tftp [tftp.patch] [tftp.patch.config.in] [tftp.patch.configure.help] [tftp.patch.help]
- Author: Magnus Boden <email@example.com> TFTP connections will not work with NAT and this module makes that work. modprobe ip_conntrack_tftp ports=69,70 has the effect of helping tftp connections on port 69 and 70. If the ports argument is not supplied to modprobe it defaults to 69. If you have trouble please drop me a mail and I will help you.
Generated Fri Apr 26 15:00:51 EDT 2002 by pomlist version 0.2.1.