Date: Tue, 11 Apr 2006 03:40:27 +0100
On Thu, 6 Apr 2006, Angel Tsankov wrote:
>> > > > > > I downloaded the kernel sources and I'm going to patch and
>> > > > > > recompile them to fix the bug with "iptables -t mangle -j TTL"
>> > > > > > producing
>> > > > > > "No chain/target/match by that name".
>
>> Try modprobe ipt_ttl
>
> This seems OK:
> [root@VM2 sysconfig]# modprobe ipt_ttl
Note that there are 2 ttl netfilter extensions providing unrelated
pieces of functionality (well sort of).
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.20
This patch by Harald Welte <[log in to unmask]> adds a new match that
allows you to match a packet based on its TTL.
For example if you want to log any packet that has a TTL less than 5,
you can do as follows:
# iptables -A INPUT -m ttl --ttl-lt 5 -j LOG
...
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-4.html#ss4.8
This patch by Harald Welte <[log in to unmask]> adds a new target that
enables the user to set the TTL value of an IP packet or to
increment/decrement it by a given value.
For example, if you want to set the TTL of all outgoing connections to
126, you can do as follows:
# iptables -t mangle -A OUTPUT -j TTL --ttl-set 126
...
The ttl match code is pretty standard (ipt_ttl is there in SL kernels
etc), but the ttl target one is (apparently) still not in the standard
kernels (or was not a year ago).
Therefore if you need ipt_TTL you *will* need to apply a kernel patch,
then turn on the CONFIG_IP_NF_TARGET_TTL option (as compared to
CONFIG_IP_NF_MATCH_TTL), and re-compile, install, reboot, and modprobe
ipt_TTL etc etc.
Confusingly the iptables *command* does know about '-j TTL' already which
is why it can give help messages etc, but it won't work without the
ipt_TTL module being built (the maintainers of that can just add new stuff,
while getting things into the kernel takes much longer...)
I do wonder under what circumstances changing the TTL is a *good* thing to
do. Perhaps there is another way to avoid needing to do this. IMHO using
the iptables mangle table is best avoided in most cases :-)
-- Jon
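Added example, not part of Jon's message: a pre-flight check that reads a kernel .config and reports whether the pieces a given iptables rule needs (the ipt_ttl match behind "-m ttl", the ipt_TTL target behind "-j TTL") are enabled, so the "No chain/target/match by that name" failure is explained before the rule is tried. The two .config files and the function names (ttl_requirements, config_has, check_rule) are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): check a kernel .config for the
# option each TTL extension needs. The module names differ only in case:
# ipt_ttl is the "-m ttl" match, ipt_TTL the "-j TTL" target, and each has its
# own kernel option (CONFIG_IP_NF_MATCH_TTL vs CONFIG_IP_NF_TARGET_TTL).

# Constructed sample configs: a stock kernel with only the match built, and a
# patched kernel with the target enabled as well.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/stock.config" <<'EOF'
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_TTL=m
# CONFIG_IP_NF_TARGET_TTL is not set
EOF
cat > "$WORK/patched.config" <<'EOF'
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_TARGET_TTL=m
EOF

# ttl_requirements RULE: print "module:option" for each TTL extension RULE uses.
ttl_requirements() {
    case " $1 " in *" -m ttl "*|*" --match ttl "*)
        echo "ipt_ttl:CONFIG_IP_NF_MATCH_TTL" ;; esac
    case " $1 " in *" -j TTL "*|*" --jump TTL "*)
        echo "ipt_TTL:CONFIG_IP_NF_TARGET_TTL" ;; esac
}

# config_has CONFIG OPTION: succeed if OPTION is built in (=y) or a module (=m).
config_has() {
    grep -q "^$2=[ym]\$" "$1"
}

# check_rule CONFIG RULE: print "ok" when every needed option is enabled, else
# one "missing <module> (<option>)" line per absent piece; non-zero on any miss.
check_rule() {
    rc=0
    for req in $(ttl_requirements "$2"); do
        module=${req%%:*}; option=${req#*:}
        if ! config_has "$1" "$option"; then
            echo "missing $module ($option)"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

check_rule "$WORK/stock.config" "iptables -A INPUT -m ttl --ttl-lt 5 -j LOG"
check_rule "$WORK/stock.config" "iptables -t mangle -A OUTPUT -j TTL --ttl-set 126" || true
check_rule "$WORK/patched.config" "iptables -t mangle -A OUTPUT -j TTL --ttl-set 126"
```

On a real system point check_rule at /boot/config-$(uname -r) or /proc/config.gz (decompressed first); a rule that passes here can still fail if the module file is missing from /lib/modules, so "ok" means the kernel option is present, not that modprobe has been run.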