Xtables-addons is a set of additional extensions for the Xtables packet filter that is present in the Linux kernel (which is loosely known by its administrative commands iptables/ip6tables/etc.).
Xtables-addons succeeds the older patch-o-matic and patch-o-matic-ng packages. Likewise, it contains extensions that were not, or are not yet, accepted in the main kernel/iptables packages.
Xtables-addons is different from patch-o-matic in that the kernel need not be patched or recompiled, and usually, recompiling iptables is not necessary either. See the INSTALL file within the source package for the minimum requirements.
patch-o-matic had a number of properties I had found to be a bother:
- patch-o-matic (POM) was designed to patch and recompile kernel (using up valuable time)
- multiarch and endianess issues were often ignored, making the modules not work on x86_64, much less so on sparc64.
- some security issues — error handling was missing sometimes, and could lead to a kernel Oops/BUG.
- and from a purely maintenance point of view: POM modules replicated the glue to work with multiple kernels in their files.
Resources
- Latest release: 3.26 (2024-03-22)
- Source code release archive
- Git source code repository – https://codeberg.org/jengelh/xtables-addons
(Codeberg was chosen for reasons of EU data privacy laws.) - Git source code repository – https://git.inai.de/xtables-addons (clone only; no webview)
- Many distributions already have packages ready for installation. (Use them.)
- xt_geoip database: installation instructions
Support
Options include:
- The netfilter-devel mailing list that is handled through vger.kernel.org. Subscribing to the list is not necessary, just post to the address, which is netfilter-devel@vger.kernel.org.
- If you have an account on Codeberg, you can also open issues/pull requests there.
Additional material
- Slides for the presentation “Introduction to Xtables-addons” from NFWS2008
- Writing Netfilter modules e-book