Bug 89565 - iptables TTL target does not work
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 9
Hardware: i386
OS: Linux
Assignee: Thomas Woerner
QA Contact: Ben Levenson
URL: http://www.netfilter.org
Reported: 2003-04-24 13:15 UTC by Derkjan de Haan
Modified: 2007-04-18 16:53 UTC (History)

Doc Type: Bug Fix
Last Closed: 2004-04-22 12:27:20 UTC

Description Derkjan de Haan 2003-04-24 13:15:23 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
The following example, taken directly from the netfilter extensions HOWTO 
produces an error and doesn't work:

iptables -t mangle -A OUTPUT -j TTL --ttl-set 126

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. log in as root
2. do a 'iptables -t mangle -A OUTPUT -j TTL --ttl-set 126'
3. observe the error :-)

Actual Results:  The following error is displayed on screen:
iptables: No chain/target/match by that name

Additional info:

I meant to use this on my firewall as a way to reduce the possibilities to do 
OS-fingerprinting on it.

Comment 1 Michael Schwendt 2003-04-30 15:17:54 UTC
Looks like an upstream bug. The netfilter TTL target requires the TTL.patch from
netfilter patch-o-matic, which has not been integrated within the 2.4 Linux
kernel yet. Upon building the netfilter userspace tools, it is not checked
whether the TTL target is supported at kernel level. The TTL target is not in
the manual page either.

The fix for Red Hat's iptables package would be to remove the TTL userspace
extension modules in the spec file:  rm -f

Comment 2 Derkjan de Haan 2003-04-30 18:27:08 UTC
Well, I'd rather see this option implemented properly than being removed 
altogether. But if it's removed, then deleting libipt_TTL.so wouldn't suffice, 
because it's mentioned in other places as well, for example in the command-
line help of iptables:

#iptables -j TTL --help
<generic output removed>
TTL target v1.2.7a options
  --ttl-set value               Set TTL to <value>
  --ttl-dec value               Decrement TTL by <value>
  --ttl-inc value               Increment TTL by <value>

Comment 3 Michael Schwendt 2003-04-30 19:04:33 UTC
Remove /lib/iptables/libipt_TTL.so and try again. You won't see that help text

Comment 4 Thomas Woerner 2004-04-22 12:27:20 UTC
Fixed in rawhide: kernel 2.6 is supporting ipt_ttl.
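
The mismatch described in Comment 1, a userspace target extension shipped without the kernel target behind it, can be checked for on a host. This is an added example, not part of the bug report or the iptables package. It assumes that uppercase libipt_<NAME>.so files are target extensions and that the kernel side is a module file named ipt_<NAME>.o or ipt_<NAME>.ko; missing_kernel_targets and demo are hypothetical names, and the fixture is constructed.

```shell
#!/bin/sh
# Added example: list iptables target extensions present in userspace
# that have no matching kernel module file.
# Assumptions: an uppercase libipt_<NAME>.so is a target extension, and
# its kernel side is a module named ipt_<NAME>.o (2.4) or ipt_<NAME>.ko (2.6).
# A target compiled into the kernel has no module file and is reported too.

missing_kernel_targets() {
    ext_dir=$1    # userspace extensions, e.g. /lib/iptables
    mod_dir=$2    # assumed: /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
    for so in "$ext_dir"/libipt_*.so; do
        [ -e "$so" ] || continue      # glob matched nothing
        name=${so##*/libipt_}
        name=${name%.so}
        # Match extensions use lowercase names (e.g. "limit"); skip them.
        case $name in
            *[abcdefghijklmnopqrstuvwxyz]*) continue ;;
        esac
        if [ ! -e "$mod_dir/ipt_$name.o" ] && [ ! -e "$mod_dir/ipt_$name.ko" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed fixture mirroring this report: libipt_TTL.so is installed,
# but the kernel module directory has no ipt_TTL module.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/ext" "$tmp/mod"
    touch "$tmp/ext/libipt_TTL.so" "$tmp/ext/libipt_LOG.so" \
          "$tmp/ext/libipt_limit.so"
    touch "$tmp/mod/ipt_LOG.o" "$tmp/mod/ipt_limit.o"
    missing_kernel_targets "$tmp/ext" "$tmp/mod"
    rm -rf "$tmp"
}

demo
```

A target listed by this check is one where a rule using it would be accepted by the command-line parser but rejected when the kernel is asked to load it.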
