Re: comments on CML 1.1.0

From: Harald Welte (laforge@gnumonks.org)
Date: Mon Apr 16 2001 - 20:31:59 EST


On Sat, Apr 14, 2001 at 03:51:53PM -0400, Eric S. Raymond wrote:
> jeff millar <jeff@wa1hco.mv.com>:
> > Selecting IP_NF_COMPAT_IPCHAINS turns off IP_NF_CONNTRACK and friends. But,
> > I think CML1, allowed both support to the new iptables and compatibility
> > modes to allow old ipchains scripts to work with the new kernel.
>
> Would somebody who knows what these dependencies are please send me a rule
> patch?

Ok, as I am one of the netfilter people, and I've already cleaned up this
issue after Linus' switch to the 'new-style' Makefiles somewhen in 2.4.0-textXX
I might be suitable for this job.

Unfortunately I don't know too much about CML2, so I cannot provide you with
a straightforward ruleset, only with a description:

Basically there are the following dependencies:

1. you compile connection tracking as module
        a) iptables compiled as module
                - you can compile ANY or BOTH of ipchains, ipfwadm as
                  module ONLY (not static)
        b) iptables compiled static
                - NO possibility of compiling ipchains or ipfwadm at all,
                  either as module or static
        c) iptables NOT compiled at all
                - you can compile ONE OF ipchains, ipfwadm statically
                - you can compile BOTH of them as modules

2. you compile connection tracking statically into the kernel
        - NO possibility of compiling ipchains or ipfwadm at all,
          either module or static
        - iptables can be compiled modular or static

there's another interesting dependency, I'll describe the problem first:

Netfilter has modules called connection tracking and nat helpers. For
most protocols, they will appear in pairs (as opposed to only one module
called ip_masq_XXX in 2.2.x). They are performing independent functionality,
and you will never need the NAT helper on a non-nat box.

1. connection tracking (CONFIG_IP_NF_CONNTRACK) is on (M or Y)
   Full NAT (CONFIG_IP_NF_NAT) off
        - if CONFIG_IP_NF_FTP is OFF, none of ip_conntrack_ftp.c/ip_nat_ftp.c
          are compiled
        - if CONFIG_IP_NF_FTP is ON (M or Y), ip_conntrcak_ftp.c is compiled
          (as module or statically, as apropriate)
2. connection tracking is on (M or Y), Full NAT is on (M or Y)
        - if CONFIG_IP_NF_FTP is OFF, none of ip_conntrack_ftp.c/ip_nat_ftp.c
          are compiled
        - if CONFIG_IP_NF_FTP is ON (M or Y), both ip_conntrack_ftp.c AND
          ip_nat_ftp.c are compiled (module or static, as user wishes)

I'm asking myself if we now should be proud of having the most complicated
dependencies of the whole kernel ;)

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org                http://www.gnumonks.org
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Mon Apr 23 2001 - 21:00:21 EST