extra depends on: submitted pending base

Patches which are working fine together + patches which might break each other

CONNMARK [CONNMARK.patch] [CONNMARK.patch.makefile]
Author: Henrik Nordstrom
Status: working

This patch adds per-connection marks, plus a target (CONNMARK) and a
match (connmark) for working with them.

connmark match

    This module matches the netfilter mark field associated with a
    connection (which can be set using the CONNMARK target below).

    --mark value[/mask]
        Matches packets in connections with the given unsigned mark value
        (if a mask is specified, this is logically ANDed with the mark
        before the comparison).

CONNMARK target

    This is used to set the netfilter mark value associated with the
    connection.

    --set-mark mark
        Set connection mark.

        Set connection mark to the same as the one on the

        Set the netfilter packet mark value to the one associated with
        the connection. This is only valid in the mangle table.

ROUTE [ROUTE.patch] [ROUTE.patch.makefile]
Author: Cédric de Launois
Status: In Development/Works for me
  This option adds a `ROUTE' target, which allows you to directly route
  a received packet through a specified interface or towards a host, even
  if the regular destination of the packet is the router itself.
  This target never modifies packets but allows a different routing scheme
  than the one provided by the standard kernel routing table.
  This target is to be used inside the mangle table, in the PREROUTING,

  ROUTE target options:
    --iface name      Send the packet directly through this interface.
    --to    ip        Route the packet as if its destination address was ip.

  Examples:

  To redirect all outgoing ICMP packets to the eth1 interface:
  # iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --iface eth1

  To tunnel all incoming HTTP packets:
  # iptables -A PREROUTING -t mangle -p tcp --dport 80 -j ROUTE --iface tunl1

  To force the next hop used for SSH packets:
  # iptables -A PREROUTING -t mangle -p tcp --dport 22 -j ROUTE --to w.x.y.z


amanda-conntrack-nat [amanda-conntrack-nat.patch] [amanda-conntrack-nat.patch.makefile]
Author: Brian J. Murrell
Status: Works for me

Connection tracking and NATting for the Amanda backup protocol.

condition [condition.patch] [condition.patch.makefile]
Author: Stephane Ouellette
Status: ItWorksForMe(tm)

This patch adds CONFIG_IP_NF_MATCH_CONDITION which allows you to
match firewall rules against condition variables stored in /proc files.

eggdrop-conntrack [eggdrop-conntrack.patch] [eggdrop-conntrack.patch.makefile]
Author: Magnus Sandin
Status: Development

Connection tracking for eggdrop bot networks.
It now also supports eggdrop v1.6.x

h323-conntrack-nat [h323-conntrack-nat.patch] [h323-conntrack-nat.patch.makefile]
Author: Jozsef Kadlecsik
Status: Alpha

This adds CONFIG_IP_NF_H323: H.323/netmeeting support module for netfilter
connection tracking and NAT. H.323 uses/relies on the following data streams:

	Port		Description
	389 		Internet Locator Server (TCP)
	522		User Location Server (TCP)
	1503 		T.120 Protocol (TCP)
	1720		H.323 (H.225 call setup, TCP)
	1731		Audio call control (TCP)
	Dynamic		H.245 call control (TCP)
	Dynamic		RTCP/RTP streaming (UDP)

The H.323 conntrack/NAT modules support the connection tracking/NATting of
the data streams requested on the dynamic ports. The helpers use the
search/replace hack from the ip_masq_h323.c module for the 2.2 kernel.

At the very minimum, H.323/netmeeting (video/audio) is functional by letting
through port 1720 and loading these H.323 module(s).

The H.323 conntrack/NAT modules do not support

- H.245 tunnelling
- H.225 RAS (gatekeepers)

ip_conntrack-timeouts [ip_conntrack-timeouts.patch]
Author: Jay Schulist
Status: New

Here is a patch which allows the user to set the connection tracking
timeout values on a per state basis via sysctl.

The sysctl files and their format are described below.

The timeout values are based on connection tracking states and are in

  cat /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts
  300 600 120 60 120 120 10 60 30 120

  NONE        = 300 (5 minutes)
  ESTABLISHED = 600 (10 minutes)
  SYN_SENT    = 120 (2 minutes)
  SYN_RECV    =  60 (60 seconds)
  FIN_WAIT    = 120 (2 minutes)
  TIME_WAIT   = 120 (2 minutes)
  CLOSE       =  10 (10 seconds)
  CLOSE_WAIT  =  60 (60 seconds)
  LAST_ACK    =  30 (30 seconds)
  LISTEN      = 120 (2 minutes)

To change the settings for this file, the root-level syntax would be, for example:

  sysctl -w net.ipv4.ip_conntrack_tcp_timeouts="300 600 120 60 120 120 10 60 30 120"

  cat /proc/sys/net/ipv4/ip_conntrack_udp_timeouts
  60 180

  UNREPLIED = 60 (60 seconds)
  ASSURED   = 180 (3 minutes)

  sysctl -w net.ipv4.ip_conntrack_udp_timeouts="60 180"

When any values are changed in these files they only have immediate effect
on new flows; old flows will use the old value until the flow has been

This patch does not work in combination with tcp-window-tracking.patch
(that patch already has this functionality and a lot of other things)

ip_tables-proc [ip_tables-proc.patch]
Author: Patrick McHardy
Status: Working

This patch creates two new files in /proc/net, "ip_tables_matches" and 
"iptables_targets" which contain the names of all loaded matches/targets
like the file ip_tables_names already does with loaded tables.

ipt_TARPIT [ipt_TARPIT.patch] [ipt_TARPIT.patch.makefile]
Author: Aaron Hopkins
Status: Works for me

Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources.  Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds.  Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes.

This offers similar functionality to LaBrea but doesn't require dedicated
hardware or IPs.  Any TCP port that you would normally DROP or REJECT can
instead become a tarpit.

To tarpit connections to TCP port 80 destined for the current machine:

  iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

To significantly slow down Code Red/Nimda-style scans of unused address
space, forward unused ip addresses to a Linux box not acting as a router
(e.g. "ip route" on a Cisco), enable IP
forwarding on the Linux box, and add:

  iptables -A FORWARD -p tcp -j TARPIT
  iptables -A FORWARD -j DROP

You probably don't want the conntrack module loaded while you are using
TARPIT, or you will be using resources per connection.

mms-conntrack-nat [mms-conntrack-nat.patch] [mms-conntrack-nat.patch.makefile]
Author: Filip Sneppe
Status: WorksForMe(tm)

This adds CONFIG_IP_NF_MMS: support for Microsoft Streaming Media 
Services. This allows client (Windows Media Player) and server
to negotiate protocol (UDP, TCP) and port for the media stream.

A partially reverse engineered protocol analysis is available 
from, together with a link to a Linux client.

By default, the helper module tracks TCP traffic on port 1755
and adds the necessary UDP or TCP expectation. It is recommended
to also open UDP port 1755 to the server, as this port is used
for retransmission requests.

This helper has been tested in SNAT and DNAT setups.

Note that this helper has *nothing* to do with ip_masq_mms for 
2.2 kernels!

nfnetlink-ctnetlink-0.11 [nfnetlink-ctnetlink-0.11.patch] [nfnetlink-ctnetlink-0.11.patch.makefile]
Author: Harald Welte, Jay Schulist
Status: Under development, but stabilizing now.

I've finally managed to get the redesign of nfnetlink/ctnetlink done.
There is now the testing version 0.11 in patch-o-matic, it can be found
at patch-o-matic/extra/nfnetlink-ctnetlink.patch.
The next step will be the new iptables kernel<->userspace interface based on
nfnetlink, I'll be concentrating on this during the next week(s).

pptp-conntrack-nat [pptp-conntrack-nat.patch] [pptp-conntrack-nat.patch.makefile]
Author: Harald Welte
Status: Beta

Connection tracking and NAT support for PPTP.

Note that this code currently has limitations:
- can only NAT connections from PNS to PAC
- doesn't support multiple calls within one session

quake3-conntrack [quake3-conntrack.patch] [quake3-conntrack.patch.makefile]
Author: Filip Sneppe
Status: WorksForMe (tm)

This adds CONFIG_IP_NF_QUAKE3: a Quake III Arena support module for
netfilter connection tracking/NAT. 

Quake III Arena Internet multiplayer works by querying an Internet
master server on UDP port 27950 for specific Quake III servers. The
master server responds with the IP addresses and UDP ports of
registered game servers. Those UDP ports can be randomly chosen
(although 27960 is often used).

This connection tracking module will listen for UDP replies
from a master server, and will add the necessary expectations
for connections from client to game servers.

Note: Requires newnat !

recent [recent.patch] [recent.patch.makefile]
Author: Stephen Frost
Status: Tested locally, no problems so far.

This module is used for creating one or many list(s) of recently seen IP 
addresses and then matching against that/those list(s).

 --name     Specify the list to use for the commands.  If no name is given
            then 'DEFAULT' will be used.

 --set      followed by an optional `!'
            This will add the source address of the packet to the list.
            If the source address is already in the list, this will update
            the existing entry.  This will always return success.

 --rcheck   followed by an optional `!'
            This will check if the source address of the packet is currently
            in the list and return true if it is, and false otherwise.

 --update   followed by an optional `!'
            This will check if the source address of the packet is currently
            in the list.  If it is then that entry will be updated and the
            rule will return true.  If the source address is not in the list
            then the rule will return false.

 --remove   followed by an optional `!'
            This will check if the source address of the packet is currently
            in the list and if so that address will be removed from the list.

 --seconds  followed by an optional `!', then the value
            This option must be used in conjunction with one of 'rcheck' or
            'update'.  When used, this will narrow the match to only happen
            when the address is in the list and was seen within the last
            given number of seconds.

 --hitcount followed by an optional `!', then the value
            This option must be used in conjunction with one of 'rcheck' or
            'update'.  When used, this will narrow the match to only happen
            when the address is in the list and the number of packets
            received from it is greater than or equal to the given value.
            This option may be used along with 'seconds' to create an even
            narrower match requiring a certain number of hits within a
            specific time frame.

 --rttl     This option must be used in conjunction with one of 'rcheck' or
            'update'.  When used, this will narrow the match to only happen
            when the address is in the list and the TTL of the current packet
            matches that of the packet which hit the --set rule.  This may be
            useful against people who spoof their source address in order to
            DoS you via this module: by sending you bogus packets they can get
            other people's addresses listed and denied access to your site.

 --rsource  Save the source address of each packet in the recent list
            table (default).

 --rdest    Save the destination address of each packet in the recent list

/proc/net/ipt_recent is a directory which contains the currently active lists.

/proc/net/ipt_recent/* are the current lists of addresses and information 
about each entry of each list.

Each file in /proc/net/ipt_recent/ can be read from to see the current list
or written to using the following commands to modify the list:
'echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT' to add to the DEFAULT list,
or 'echo +xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT' for the same result;
'echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT' to remove from the DEFAULT list;
'echo clear > /proc/net/ipt_recent/DEFAULT' to empty the DEFAULT list.

The module itself accepts two parameters:

Shown are the defaults.
ip_list_tot is the total number of addresses which will be remembered.  Note
that the list is searched in order for every attempted match, so you do not
want to increase this value too much or a lot of time will be spent
traversing the list.

ip_pkt_list_tot is the total number of packets which will be remembered for
each address.  This list is only used by '--hitcount' and so the default
will probably suffice unless you make extensive use of that option.

ip_list_hash_size is the size of the hash table (positions in the table,
not bytes).  If it's '0' then it will be calculated as ip_list_tot*3 and
then rounded up to the next power of 2.  So, by default, it's rounded up
to 512 entries or 1k of memory on your normal 4-byte-int machine.

debug is a setting to display debugging messages.  No levels yet, just 0
for nothing and 1 for everything.  Don't use 1 on production machines,
you'll end up with very full logs before long.  Aside from that it
doesn't actually change any way the code works, just adds printk's.

Example #1:

# iptables -A FORWARD -m recent --rcheck --seconds 60 -j DROP
# iptables -A FORWARD -i eth0 -d -m recent --set -j DROP

Here we are making a 'bad guy' out of anyone who tries to send data to on our eth0 interface (which should never legitimately
happen).  The first packet will make it past the first rule and then
be caught by the second rule and that address will be put into the
recent list and the packet dropped.

Any subsequent packets for the next 60 seconds that show up from that
address will be dropped, regardless of destination address, destination
port, etc.

Example #2:

# iptables -A FORWARD -m recent --update --seconds 60 -j DROP
# iptables -A FORWARD -i eth0 -d -m recent --set -j DROP

(The author's favorite method)

This is identical to example #1 except that for every subsequent packet
received from this source address the 'last seen' status will be updated
in the table.  Therefore there must be a 'quiet time' of 60 seconds
before another packet from this address will even be considered.

It is the author's intent that all 'DROP' rules be replaced by:

'-m recent --set -j DROP'

and that a:

'-m recent --update --seconds 60 -j DROP'

rule be added very early on in the rule set, though following any:

'--match state --state ! NEW,INVALID -j ACCEPT'

rules.  If the '--update' rule is before this check for ! NEW,INVALID
packets then ESTABLISHED connection or those in the process of becoming
ESTABLISHED could be disrupted by a malicious person who can modify
his/her source address.
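To make the difference between Example #1 (--rcheck) and Example #2 (--update) concrete, here is an added Python model of the recent-list semantics described above. It is not the module's own code; the trap address, the offender address, the packet timestamps and the ACCEPT chain policy are constructed for the illustration.

```python
from collections import deque

TRAP_DST = "192.0.2.1"  # constructed stand-in for the never-legitimately-used address in the examples


class RecentList:
    def __init__(self, ip_pkt_list_tot=20):
        self.entries = {}  # addr -> [last_seen, deque of hit times, bounded like ip_pkt_list_tot]
        self.ip_pkt_list_tot = ip_pkt_list_tot

    def _touch(self, addr, now):
        entry = self.entries.setdefault(addr, [now, deque(maxlen=self.ip_pkt_list_tot)])
        entry[0] = now
        entry[1].append(now)

    def set(self, addr, now):
        """--set: add the address, or refresh it if already listed; always succeeds."""
        self._touch(addr, now)
        return True

    def rcheck(self, addr, now, seconds=None, hitcount=None):
        """--rcheck: true if listed, seen within --seconds and with >= --hitcount hits."""
        entry = self.entries.get(addr)
        if entry is None:
            return False
        last_seen, hits = entry
        if seconds is not None and now - last_seen > seconds:
            return False
        in_window = [t for t in hits if seconds is None or now - t <= seconds]
        return hitcount is None or len(in_window) >= hitcount

    def update(self, addr, now, seconds=None, hitcount=None):
        """--update: like --rcheck, but a match also refreshes the 'last seen' time."""
        if not self.rcheck(addr, now, seconds, hitcount):
            return False
        self._touch(addr, now)
        return True


def forward_chain(recent, pkt, now, use_update):
    """Verdict of the two-rule FORWARD chain of Example #1 (rcheck) or #2 (update)."""
    check = recent.update if use_update else recent.rcheck
    if check(pkt["src"], now, seconds=60):  # -m recent --rcheck|--update --seconds 60 -j DROP
        return "DROP"
    if pkt["in"] == "eth0" and pkt["dst"] == TRAP_DST:  # -i eth0 -d <trap> -m recent --set -j DROP
        recent.set(pkt["src"], now)
        return "DROP"
    return "ACCEPT"  # assumed chain policy for everything else


def run_example(use_update):
    """Replay a constructed packet sequence from one source and return the verdicts."""
    recent, src = RecentList(), "198.51.100.7"  # constructed offender
    packets = [
        (0, TRAP_DST),           # first probes the trap address -> listed and dropped
        (30, "203.0.113.10"),    # then sends ordinary traffic at 30, 80 and 150 seconds
        (80, "203.0.113.10"),
        (150, "203.0.113.10"),
    ]
    return [forward_chain(recent, {"src": src, "in": "eth0", "dst": dst}, now, use_update)
            for now, dst in packets]
```

With --rcheck the 'last seen' time stays at 0, so the address is let through again at 80 seconds; with --update each dropped packet refreshes it, so the source must stay quiet for a full 60 seconds before anything from it is considered again.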

rsh [rsh.patch] [rsh.patch.makefile]
Author: Ian (Larry) Latter
Status: request for inclusion

This adds the CONFIG_IP_NF_RSH option, which is the RSH connection

An RSH connection tracker is required if the dynamic stderr "Server
to Client" connection is to occur during a normal RSH session.  This
typically operates as follows:

    Client 0:1023 --> Server 514    (stream 1 - stdin/stdout)
    Client 0:1023 <-- Server 0:1023 (stream 2 - stderr)

This connection tracker will identify new RSH sessions, extract the
outbound session details, and notify netfilter of pending "related"


The intended usage of this module would be with a ruleset such as:

    # New session from client to server (stream 1)
    -A PREROUTING -t nat -m state -i eth0 -p tcp -s ${client}
           --sport 0:1023 -d ${server} --dport 514 --state 

    # Continued session from server to client (stream 1)
    -A PREROUTING -t nat -m state -i eth1 -p tcp -s ${server}
           --sport 514 -d ${client} --dport 0:1023 ! --syn
           --state ESTABLISHED -j ACCEPT

    # New session from server to client (stream 2)
    -A PREROUTING -t nat -m state -i eth1 -p tcp -s ${server}
           --sport 0:1023 -d ${client} --dport 0:1023 --state

    # Continued session from client to server (stream 2)
    -A PREROUTING -t nat -m state -i eth0 -p tcp -s ${client}
           --sport 0:1023 -d ${server} --dport 0:1023 ! --syn
           --state ESTABLISHED -j ACCEPT


  This module could be dangerous. It is not "best practice" to use
RSH; use SSH in all instances (RFC 1244, RFC 1948, RFC 2179, etc.).

string [string.patch] [string.patch.makefile]
Author: Emmanuel Roger
Status: Working, not with kernel 2.4.9

This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to
match a string in a whole packet.


talk-conntrack-nat [talk-conntrack-nat.patch] [talk-conntrack-nat.patch.makefile]
Author: Jozsef Kadlecsik
Status: Alpha

This adds CONFIG_IP_NF_TALK: talk support module for netfilter
connection tracking and NAT.  This allows both the callee client -
caller server and callee client - caller client connections to work
through connection tracking and NAT.

By default both talk (UDP port 517) and ntalk/ntalk2 (UDP port 518) are
supported. Support for talk/ntalk/ntalk2 can be selectively enabled or
disabled through the module parameters of ip_conntrack_talk and ip_nat_talk


where '0' means 'don't support' and '1' means 'do support'
the given protocol flavour.

tcp-window-tracking [tcp-window-tracking.patch] [tcp-window-tracking.patch.makefile]
Author: Jozsef Kadlecsik
Status: proven to be quite stable, but still experimental
Status: ported to newnat, needs testing.

This patch is an implementation of TCP connection tracking according
to the article 'Real Stateful TCP Packet Filtering in IP Filter' by
Guido van Rooij [1]. It contains the new TCP connection tracking code 
with support to handle already established connections.  It supports 
TCP window scaling too.

Other differences compared to the vanilla TCP connection tracking in

- the default timeout value for the CLOSE_WAIT state is raised to 3 days
- the engine can be fine-tuned by a lot of parameters in

    - conntrack timeout parameters in seconds
    - the maximal number of conntrack entries
    - when enabled, only out of window reset (RST) segments are marked as
      INVALID; when disabled (default), all out of window packets are
      marked as INVALID.
    - log packets with invalid window scaling value (default
    - log out of window packets (default enabled)
    - when a connection is picked up from the middle, how many packets are
      required to pass in each direction before the system may assume to be
      in sync and window tracking can be started (default 3).  If it is set
      to zero, picking up already established connections is disabled.
    - the number of retransmitted packets without receiving an ACK from the
      destination.  If this number is reached (default 3), the
      ip_conntrack_timeout_max_retrans.
    - the timeout value when we have been seeing only retransmissions.
      Default value is 5 minutes.

- Beware!!! /proc/sys/net/ipv4/ip_conntrack_max is moved to
  /proc/sys/net/ipv4/netfilter/ip_conntrack_max. Update your scripts
  which uses this parameter!!!


tftp-conntrack-nat [tftp-conntrack-nat.patch]
Author: Magnus Boden

TFTP connections will not work with NAT and this module makes
that work.

modprobe ip_conntrack_tftp ports=69,70 has the effect of
helping tftp connections on port 69 and 70.
If the ports argument is not supplied to modprobe it defaults
to 69.

If you have trouble please drop me a mail and I will help you.

Generated Mon Jan 13 19:42:33 EST 2003 by pomlist version 0.2.2.