Bug 89565 - iptables TTL target does not work
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 9
Hardware/OS: i386 Linux
Priority: medium, Severity: medium
Assigned To: Thomas Woerner
QA Contact: Ben Levenson
URL: http://www.netfilter.org
Reported: 2003-04-24 09:15 EDT by Derkjan de Haan
Modified: 2007-04-18 12:53 EDT
Doc Type: Bug Fix
Last Closed: 2004-04-22 08:27:20 EDT
Attachments: None
Description Derkjan de Haan 2003-04-24 09:15:23 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
The following example, taken directly from the netfilter extensions HOWTO
(http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html)
produces an error and doesn't work:

iptables -t mangle -A OUTPUT -j TTL --ttl-set 126


Version-Release number of selected component (if applicable):
iptables-1.2.7a

How reproducible:
Always

Steps to Reproduce:
1. log in as root
2. do a 'iptables -t mangle -A OUTPUT -j TTL --ttl-set 126'
3. observe the error :-)


Actual Results: The following error is displayed on screen:
iptables: No chain/target/match by that name


Additional info:

I meant to use this on my firewall as a way to reduce the possibilities to do
OS-fingerprinting on it.
Comment 1 Michael Schwendt 2003-04-30 11:17:54 EDT
Looks like an upstream bug. The netfilter TTL target requires the TTL.patch from
netfilter patch-o-matic, which has not been integrated within the 2.4 Linux
kernel yet. Upon building the netfilter userspace tools, it is not checked
whether the TTL target is supported at kernel level. The TTL target is not in
the manual page either.

The fix for Red Hat's iptables package would be to remove the TTL userspace
extension modules in the spec file:
rm -f %{buildroot}/%{_lib}/iptables/libipt_TTL.so
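An added example, not from this bug report or from the iptables project: a POSIX shell helper that checks whether the kernel has actually registered a netfilter target before a rule using it is added, so a missing kernel-side module surfaces as a clear message instead of the "No chain/target/match by that name" error reported above. It assumes /proc/net/ip_tables_targets (one registered target name per line) as the source of truth and accepts an alternative file path so it can be exercised offline; the function names target_supported and ttl_rule_command are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that a netfilter target is
# registered in the kernel before trying to use it in a rule.
#
# Assumptions: /proc/net/ip_tables_targets exists and lists one registered
# target per line. Only loaded modules appear there, so a target whose module
# has not been loaded (modprobe) will be reported as unsupported. TARGETS_FILE
# can be overridden to point at a constructed file for offline testing.

TARGETS_FILE="${TARGETS_FILE:-/proc/net/ip_tables_targets}"

# target_supported NAME [FILE]: return 0 if NAME is listed in FILE, 1 otherwise.
target_supported() {
    name="$1"
    file="${2:-$TARGETS_FILE}"
    [ -r "$file" ] || return 1
    # Whole-line, exact match: "TTL" must not match "ttl" (the match module)
    # or any longer name that merely starts with TTL.
    grep -qx "$name" "$file"
}

# ttl_rule_command VALUE [FILE]: print the iptables command from the report
# when the TTL target is available; otherwise print nothing and return 1.
# The command is only printed, not executed, so the caller decides whether
# to run it (as root).
ttl_rule_command() {
    value="$1"
    file="${2:-$TARGETS_FILE}"
    if target_supported TTL "$file"; then
        printf 'iptables -t mangle -A OUTPUT -j TTL --ttl-set %s\n' "$value"
        return 0
    fi
    echo "TTL target is not registered in the kernel; skipping rule" >&2
    return 1
}

# Usage on a live system (reads /proc/net/ip_tables_targets):
#   ttl_rule_command 126 && ttl_rule_command 126 | sh
```

The check is deliberately separate from the rule itself: on a kernel without the TTL patch the userspace extension loads and even prints its --help text, so the only reliable signal is what the kernel has registered.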
Comment 2 Derkjan de Haan 2003-04-30 14:27:08 EDT
Well, I'd rather see this option implemented properly than being removed
altogether. But if it's removed, then deleting libipt_TTL.so wouldn't suffice,
because it's mentioned in other places as well, for example in the command-line
help of iptables:

#iptables -j TTL --help
<generic output removed>
TTL target v1.2.7a options
  --ttl-set value               Set TTL to <value>
  --ttl-dec value               Decrement TTL by <value>
  --ttl-inc value               Increment TTL by <value>

Comment 3 Michael Schwendt 2003-04-30 15:04:33 EDT
Remove /lib/iptables/libipt_TTL.so and try again. You won't see that help text
again.
Comment 4 Thomas Woerner 2004-04-22 08:27:20 EDT
Fixed in rawhide: kernel 2.6 is supporting ipt_ttl.