From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
The following example, taken directly from the netfilter extensions HOWTO (http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html), produces an error and doesn't work:

    iptables -t mangle -A OUTPUT -j TTL --ttl-set 126

Version-Release number of selected component (if applicable):
iptables-1.2.7a

How reproducible:
Always

Steps to Reproduce:
1. Log in as root.
2. Run 'iptables -t mangle -A OUTPUT -j TTL --ttl-set 126'.
3. Observe the error :-)

Actual Results:
The following error is displayed on screen:

    iptables: No chain/target/match by that name

Additional info:
I meant to use this on my firewall as a way to reduce the possibilities for OS fingerprinting of it.
Looks like an upstream bug. The netfilter TTL target requires the TTL.patch from netfilter patch-o-matic, which has not been integrated into the 2.4 Linux kernel yet. When building the netfilter userspace tools, it is not checked whether the TTL target is supported at kernel level. The TTL target is not in the manual page either. The fix for Red Hat's iptables package would be to remove the TTL userspace extension module in the spec file:

    rm -f %{buildroot}/%{_lib}/iptables/libipt_TTL.so
Well, I'd rather see this option implemented properly than removed altogether. But if it's removed, then deleting libipt_TTL.so wouldn't suffice, because it's mentioned in other places as well, for example in the command-line help of iptables:

    # iptables -j TTL --help
    <generic output removed>
    TTL target v1.2.7a options
      --ttl-set value		Set TTL to <value>
      --ttl-dec value		Decrement TTL by <value>
      --ttl-inc value		Increment TTL by <value>
Remove /lib/iptables/libipt_TTL.so and try again. You won't see that help text again.
Fixed in rawhide: kernel 2.6 supports ipt_ttl.
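The missing check noted in the second comment (the userspace tool never asks whether the kernel actually provides the TTL target) can be done at rule-insertion time instead. The following is an added example, not code from the bug report, Red Hat or the netfilter project: it reads the list of targets the kernel exports and only then adds the mangle rule from the report. It assumes a kernel that lists registered targets one per line in /proc/net/ip_tables_targets, and that the target's module is named xt_TTL (or ipt_TTL on older kernels); the helper names, and the sample target list used in the comment, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the running kernel
# registers a netfilter target before adding a rule that depends on it.
#
# Assumptions: the kernel lists registered targets, one name per line, in
# /proc/net/ip_tables_targets, and the TTL target lives in xt_TTL
# (ipt_TTL on older kernels).

# has_target NAME [FILE]: succeed if NAME appears as a whole line in FILE
# (default: the kernel's registered-target list).
has_target() {
    name=$1
    file=${2:-/proc/net/ip_tables_targets}
    [ -r "$file" ] || return 1
    grep -qx "$name" "$file"
}

# ensure_target NAME: try to load the module providing NAME, then re-check.
ensure_target() {
    name=$1
    has_target "$name" && return 0
    for mod in "xt_$name" "ipt_$name"; do
        if modprobe "$mod" 2>/dev/null && has_target "$name"; then
            return 0
        fi
    done
    return 1
}

# set_outgoing_ttl VALUE: add the mangle rule from the report, but only if
# the kernel can honour it; then confirm the rule is present. Needs root.
set_outgoing_ttl() {
    ttl=$1
    if ! ensure_target TTL; then
        echo "kernel does not provide the TTL target; rule not added" >&2
        return 1
    fi
    iptables -t mangle -A OUTPUT -j TTL --ttl-set "$ttl" || return 1
    iptables -t mangle -S OUTPUT | grep -q -- "-j TTL --ttl-set $ttl"
}
```

On a 2.4 kernel without the patch-o-matic TTL.patch, `ensure_target TTL` fails and the rule is never attempted, which replaces the opaque "No chain/target/match by that name" with an explicit message; on a 2.6 or later kernel the module loads and the rule is added and verified.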