Bug 89565

Summary: iptables TTL target does not work
Product: [Retired] Red Hat Linux
Reporter: Derkjan de Haan <haanjdj>
Component: iptables
Assignee: Thomas Woerner <twoerner>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 9
CC: bugs.michael
Hardware: i386
OS: Linux
URL: http://www.netfilter.org
Doc Type: Bug Fix
Last Closed: 2004-04-22 12:27:20 UTC

Description Derkjan de Haan 2003-04-24 13:15:23 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
The following example, taken directly from the netfilter extensions HOWTO 
(http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html) 
produces an error and doesn't work:

iptables -t mangle -A OUTPUT -j TTL --ttl-set 126


Version-Release number of selected component (if applicable):
iptables-1.2.7a

How reproducible:
Always

Steps to Reproduce:
1. log in as root
2. do a 'iptables -t mangle -A OUTPUT -j TTL --ttl-set 126'
3. observe the error :-)


Actual Results:  The following error is displayed on screen:
iptables: No chain/target/match by that name


Additional info:

I meant to use this on my firewall as a way to reduce the possibilities to do 
OS-fingerprinting on it.

Comment 1 Michael Schwendt 2003-04-30 15:17:54 UTC
Looks like an upstream bug. The netfilter TTL target requires the TTL.patch from
netfilter patch-o-matic, which has not been integrated within the 2.4 Linux
kernel yet. Upon building the netfilter userspace tools, it is not checked
whether the TTL target is supported at kernel level. The TTL target is not in
the manual page either.

The fix for Red Hat's iptables package would be to remove the TTL userspace
extension modules in the spec file:
rm -f %{buildroot}/%{_lib}/iptables/libipt_TTL.so


Comment 2 Derkjan de Haan 2003-04-30 18:27:08 UTC
Well, I'd rather see this option implemented properly than being removed 
altogether. But if it's removed, then deleting libipt_TTL.so wouldn't suffice, 
because it's mentioned in other places as well, for example in the command-line
help of iptables:

# iptables -j TTL --help
<generic output removed>
TTL target v1.2.7a options
  --ttl-set value               Set TTL to <value>
  --ttl-dec value               Decrement TTL by <value>
  --ttl-inc value               Increment TTL by <value>



Comment 3 Michael Schwendt 2003-04-30 19:04:33 UTC
Remove /lib/iptables/libipt_TTL.so and try again. You won't see that help text
again.


Comment 4 Thomas Woerner 2004-04-22 12:27:20 UTC
Fixed in rawhide: kernel 2.6 is supporting ipt_ttl.
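Comment 1 notes that the userspace extension is shipped without any check that the kernel actually registers the TTL target, so the only feedback is the generic "No chain/target/match by that name" error. The following script is an added example (not code from the bug report or from the iptables project): it reads the running kernel's list of registered iptables targets from /proc/net/ip_tables_targets and only emits the mangle rule from the report when TTL is present; the optional second argument, a path to a constructed sample list, is an assumption made so the functions can run without root or a netfilter kernel.

```shell
#!/bin/sh
# Report whether a netfilter target (e.g. TTL) is registered in the running kernel.
# /proc/net/ip_tables_targets lists registered iptables extension targets, one
# name per line. A second argument substitutes a constructed sample file so the
# check can be exercised offline (assumption for this example, not a kernel feature).
nf_target_supported() {
  _target=$1
  _list=${2:-/proc/net/ip_tables_targets}
  [ -r "$_list" ] || return 2   # no list: ip_tables not loaded or not a Linux host
  grep -qx "$_target" "$_list"
}

# Build the OUTPUT mangle rule from the bug report only if the kernel has the
# TTL target. Prints the iptables command on success; on failure prints a
# diagnosis that distinguishes "kernel lacks target" from a bad TTL value.
ttl_set_rule() {
  _ttl=$1
  _list=$2
  case "$_ttl" in
    ''|*[!0-9]*) echo "TTL must be an integer 1-255" >&2; return 1 ;;
  esac
  if [ "$_ttl" -lt 1 ] || [ "$_ttl" -gt 255 ]; then
    echo "TTL must be an integer 1-255" >&2; return 1
  fi
  if nf_target_supported TTL "$_list"; then
    echo "iptables -t mangle -A OUTPUT -j TTL --ttl-set $_ttl"
  else
    echo "kernel has no TTL target (libipt_TTL.so alone is not enough); rule skipped" >&2
    return 1
  fi
}

# Constructed sample of a kernel target list (real kernels list only extension
# targets here, not the built-in ACCEPT/DROP verdicts), used for demonstration.
sample_targets=$(mktemp)
printf 'MARK\nREJECT\nTOS\nTTL\n' >"$sample_targets"
ttl_set_rule 126 "$sample_targets"
rm -f "$sample_targets"
```

Run without the second argument on a real host to consult the live kernel; a return code of 2 means the target list itself is unavailable, which is a different problem from a missing target.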