Netfilter/iptables feature history

2.6.21

• a0ca215a730b2c4d5024143e64b0d80d50858667 - add MH (mobility header) match for IPv6
• SNAT --random - optionally randomizes source ports to avoid prediction attacks - breaks some NAT traversal algorithms, including that of Skype
• xt_TCPMSS - move from ipt_TCPMSS to add IPv6 support

2.6.20

• nf_nat - IPv4 NAT and IPv6 conntrack
• remove physdev-out for non-bridged packets - part of the feature removal schedule
• xt_NFLOG - add a clean way to use nfnetlink_log rather than needing wierd hacks with LOG and ULOG
• xt_hashlimit - move from ipt_hashlimit for IPv6 support

2.6.19

• remove matchsize argument - breaks pom. The removed field has been verified by checking the .matchsize field in struct xt_match since 2.6.17
• remove userinfo argument - breaks pom. The removed field was not used
• xt_DSCP (and xt_dscp) - add IPv6 support
• xt_quota - new packet counter match for bandwidth quotas

2.6.18

• xt_statistic - replaces the nth and random matches in POM, adding more precision to random and IPv6 support

2.6.17

• xt_multiport - unify IPv4/IPv6 multiport match
• xt_esp - unify IPv4/IPv6 esp match
• xt_{match,target} - add a const struct xt_match* or const struct xt_target* to the match, checkentry, and target functions - breaks pom
• Add .matchsize field to struct xt_match - breaks pom

2.6.16

• x_tables - unify several IPv4 and IPv6 matches, change module names from ipt_* to xt_*. Full list: CLASSIFY CONNMARK MARK NFQUEUE NOTRACK comment connbytes connmark conntrack dccp length limit mac mark physdev pkttype realm sctp state string tcpmss tcpudp
• Add protoff argument to match and target functions, breaks pom

2.6.15

• nf_conntrack - IPv6 conntrack

2.6.14

• --goto (instead of --jump) for targets
• ipt_string - string matching
• delete pid/sid/cmd parts of the owner match - they were always broken in SMP, and were in the way of other functionality
• ipt_connbytes - connection byte counter match
• ipt_dccp - dccp header match
• nfnetlink - netlink subsystem for libnfnetlink which allows userspace control of netfilter internals

• Home

  Daniel De Graaf

  ---

  My website, which I've developed in XHTML and CSS
• Links

  Links of programs/websites

  ---

  I visit these websites once in a while, so I decided to put them all on a page so I could find them easily. It's not updated that often.
• Linux

  Linux develoment

  ---

  The programs or patches I have made that relate to linux
• Networking
  • iptables

    Firewalling for Linux

    ---

    All firewalls for linux are based on iptables. Instead of using a frontend, I have example scripts and some useful programs to work with them.
  • IPv6

    Next-generation internet protocol

    ---

    IPv6, is an improved version of IPv4 with far more address space
• About Me

  About Me

  ---

  I'm a junior at Iowa State university. I'm interested in mathematics, physics, computer networking and security.
• Email Me

  Contact Me

  ---

  Email, Instant Message, Skype, file upload form...

Last modified Mon May 7 18:49:22 2007. ©2005-2007 Daniel De Graaf