oldnat patch listing


Patches for the old NAT framework (outdated)

CONNMARK [CONNMARK.patch] [CONNMARK.patch.config.in] [CONNMARK.patch.configure.help] [CONNMARK.patch.help] [CONNMARK.patch.makefile]
Author: Henrik Nordstrom <hno@marasystems.com>
Status: working

This patch adds per-connection marks, together with a target (CONNMARK)
and a match (connmark) for using them.


       connmark match:

       This module matches the netfilter mark field associated with a
       connection (which can be set using the CONNMARK target below).

       --mark value[/mask]
              Matches packets in connections with the given unsigned
              mark value (if a mask is specified, this is logically
              ANDed with the mark before the compar-

       CONNMARK target:

       This is used to set the netfilter mark value associated with
       the connection.

       --set-mark mark
              Set connection mark.

              Set connection mark to the same as the one on the

              Set the netfilter packet mark value to the one
              associated with the connection. This is only valid
              in the mangle table.

conntrack-tcp-nopickup [conntrack-tcp-nopickup.patch] [conntrack-tcp-nopickup.patch.config.in] [conntrack-tcp-nopickup.patch.configure.help] [conntrack-tcp-nopickup.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Highly Experimental

This patch affects the TCP state tracking machine.

It alters it so that it will only track TCP connections which are
established _after_ loading ip_conntrack.o on the firewall.

This means that after reloading ip_conntrack.o or a firewall reboot, all
existing TCP connections are lost: connection pickup no longer works.

So what's the advantage of this patch?  It can help in certain setups
where you get ACK-flooded and the machine which is ACK-scanned is not
up, or is in some other way unable to send RSTs.

Please give me feedback if you use this patch.

ctnetlink [ctnetlink.patch] [ctnetlink.patch.config.in] [ctnetlink.patch.configure.help] [ctnetlink.patch.help] [ctnetlink.patch.makefile]
Author: Jay Schulist <jschlst@samba.org>
Status: Experimental

This adds CONFIG_IP_NF_CTNETLINK option, which enables connection
tracking via NETLINK. Netfilter has the ability to communicate connection 
tracking information to user space. This feature allows the user to
receive connection tracking event notification and provides the
ability to change connection states from user space.

Please note that this is an experimental package which will break other
patch-o-matic patches.

eggdrop-conntrack [eggdrop-conntrack.patch] [eggdrop-conntrack.patch.config.in] [eggdrop-conntrack.patch.configure.help] [eggdrop-conntrack.patch.help] [eggdrop-conntrack.patch.makefile]
Author: Magnus Sandin <magnus@sandin.cx>
Status: Development

Connection tracking for eggdrop bot networks.
It now also supports eggdrop v1.6.x

ftp-fxp [ftp-fxp.patch] [ftp-fxp.patch.help]
Author: Magnus Sandin <magnus@sandin.cx>
Status: Development

This patch adds FXP support to FTP connection tracking. FXP transfers to
NAT'ed FTP daemons do not work yet.

Load ip_conntrack_ftp.o with "modprobe ip_conntrack_ftp fxp=1" to enable
FXP support in the connection tracking of FTP sessions.

WARNING: Applying this patch and enabling the feature _WILL_ reduce security
	 offered by FTP connection tracking significantly.  Use with extreme
	 care - and only if you know what you are doing.

helper [helper.patch] [helper.patch.config.in] [helper.patch.configure.help] [helper.patch.help] [helper.patch.makefile]
Author: Martin Josefsson <gandalf@wlug.westbo.se>
Status: Works for me(tm)

This patch adds the ipt_helper module which is a new match
for iptables. This adds the capability to match packets in a
dynamically allocated connection that's related to a specific 
conntrack helper.

If you want to match all packets belonging to ftp-sessions:
(both ftp-command and ftp-data connections)

iptables -A INPUT -m helper --helper ftp -j ACCEPT

use irc for irc-sessions.

It will currently only work with the ftp and irc conntrack-helpers
but it's easy to add support for other helpers (a one-line patch
to the conntrack-helper).

You'll also need the bidirectional irc patch for irc matching to work.

This patch modifies the way helpers are looked up when iptable_nat is
loaded; the behaviour changes slightly, see the comment in the patch.
Please report any breakage caused by this.

nat-sack [nat-sack.patch] [nat-sack.patch.help]
Author: Harald Welte 

pptp-conntrack-nat [pptp-conntrack-nat.patch] [pptp-conntrack-nat.patch.config.in] [pptp-conntrack-nat.patch.configure.help] [pptp-conntrack-nat.patch.help]
Author: ...
Status: Development

Connection tracking and NAT support for PPTP.

pptp-gre-ct-nat-0.83 [pptp-gre-ct-nat-0.83.patch] [pptp-gre-ct-nat-0.83.patch.help]
Author: Harald Welte <laforge@gnumonks.org>
Status: Beta

This patch adds support for real connection tracking
and NAT of GRE and PPTP connections.

However, there are some limitations on what this patch
can do in the current netfilter framework:

- can't track multiple calls within one control session
- can't DNAT incoming PAC connections
- only covers the common case, where PNS->PAC connection
  is SNAT'ed
- GRE version 0 checksum mangling not tested yet
- incoming call conntrack+NAT testing not supported yet
- assumes all connections are made from PNS->PAC

record-rpc [record-rpc.patch] [record-rpc.patch.config.in] [record-rpc.patch.configure.help] [record-rpc.patch.help] [record-rpc.patch.makefile]
Author: "Marcelo Barbosa Lima" <marcelo.lima@dcc.unicamp.br>
Status: This works now :-)
Status: Ported to 2.4.0-test9-pre2 by Rusty.  May be broken.
Status: Fixed by Marc for 2.4.0.

This adds CONFIG_IP_NF_MATCH_RPC, which supplies two modules,
ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track portmapper
requests using UDP and TCP respectively.  It also adds the record_rpc
match for iptables, which matches if the source of the packet has
requested that port through the portmapper before, or it is a new GET
request to the portmapper, allowing effective RPC filtering.

talk-conntrack-nat [talk-conntrack-nat.patch] [talk-conntrack-nat.patch.config.in] [talk-conntrack-nat.patch.configure.help] [talk-conntrack-nat.patch.help] [talk-conntrack-nat.patch.makefile]
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Status: Alpha

This adds CONFIG_IP_NF_TALK: talk support module for netfilter
connection tracking and NAT.  This allows both the callee client -
caller server and callee client - caller client connections to work
through connection tracking and NAT.

Default talk (UDP port 517) and ntalk/ntalk2 (UDP port 518) are
supported. Support for talk/ntalk/ntalk2 can be selectively enabled or
disabled via the module parameters of ip_conntrack_talk and ip_nat_talk:

talk=0|1	disable|enable talk support
ntalk=0|1	disable|enable ntalk support
ntalk2=0|1	disable|enable ntalk2 support

The default is talk=1 ntalk=1 ntalk2=1 i.e. support all talk protocols.

tcp-window-tracking [tcp-window-tracking.patch] [tcp-window-tracking.patch.help] [tcp-window-tracking.patch.makefile]
Author: Jozsef Kadlecsik
Status: proven to be quite stable, but still experimental

This patch is an implementation of TCP connection tracking according
to the article 'Real Stateful TCP Packet Filtering in IP Filter' by
Guido van Rooij [1].  It contains the new TCP connection tracking with
support to handle already established connections.  It supports TCP 
window scaling.

[1] http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz

- the default timeout value for the CLOSE_WAIT state is raised to 12 hours
- sysctl support added (/proc/sys/net/ipv4/netfilter/), which means:
        - all conntrack timeout values can be adjusted via sysctl
        - logging of out-of-window packets and packets with an invalid
          window scale value can be disabled/enabled via sysctl
        - a new flag ip_ct_tcp_be_liberal is added: when ip_ct_tcp_be_liberal
          is set to 0, all out-of-window packets are marked as INVALID,
          while if it is set to 1, only out-of-window *RST* segments are
          marked as INVALID.
- Beware!!! /proc/sys/net/ipv4/ip_conntrack_max is renamed to
  /proc/sys/net/ipv4/netfilter/ip_conntrack_max. Update your scripts
  which use this parameter!!!
- logging of out-of-window packets is made more verbose
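A small compatibility shim for the ip_conntrack_max rename above, added here as an example and not part of this patch or of patch-o-matic. It assumes only the two sysctl paths named in the text, and takes an optional root prefix so it can be exercised against a constructed directory tree instead of a live /proc.

```shell
# Return the ip_conntrack_max sysctl path this kernel exposes: the
# post-patch location first, then the pre-patch one. $1 is an optional
# root prefix (empty for a live system; a temporary tree for testing).
conntrack_max_path() {
  root="${1:-}"
  for rel in /proc/sys/net/ipv4/netfilter/ip_conntrack_max \
             /proc/sys/net/ipv4/ip_conntrack_max; do
    if [ -r "$root$rel" ]; then
      printf '%s\n' "$root$rel"
      return 0
    fi
  done
  # Neither path exists: ip_conntrack is not loaded or not built in.
  return 1
}

# Print the current connection limit through whichever path exists.
conntrack_max_get() {
  p=$(conntrack_max_path "$1") || return 1
  cat "$p"
}

# Set the connection limit ($1) through whichever path exists.
# Refuses anything that is not a plain positive integer.
conntrack_max_set() {
  case "$1" in
    ''|*[!0-9]*) return 2 ;;
  esac
  p=$(conntrack_max_path "$2") || return 1
  printf '%s\n' "$1" > "$p"
}
```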

tftp [tftp.patch] [tftp.patch.config.in] [tftp.patch.configure.help] [tftp.patch.help]
Author: Magnus Boden <mb@ozaba.mine.nu>

TFTP connections do not work through NAT on their own; this module
makes them work.

"modprobe ip_conntrack_tftp ports=69,70" has the effect of helping
TFTP connections on ports 69 and 70.
If the ports argument is not supplied to modprobe, it defaults
to 69.

If you have trouble please drop me a mail and I will help you.

Generated Fri Apr 26 15:00:51 EDT 2002 by pomlist version 0.2.1.