Re: Problems with NAT/Masq and ipip on 2.4.[34]

From: Andi Kleen (
Date: Sat Apr 28 2001 - 09:29:27 EST

On Sat, Apr 28, 2001 at 08:14:18AM +0200, Phil Karn wrote:
> If I configure policy routing on and netfilter off, I can establish my
> existing policy tables that deal with my rather complex ipip tunnel &
> NAT configuration. Everything works as it did under 2.2.19 *except*
> that policy entries calling for masquerading no longer work.

Such a policy rule is not really masquerading, just a very simple
stateless NAT. It'll probably not do what you want because it has no
protocol translation support for ftp etc.

Masquerading has always been a different subsystem, controlled by the
firewall. In 2.4 masquerading still exists as a compatibility module, but
requires netfilter connection tracking.

In 2.4 there also is a more generic new NAT subsystem that among other
things supports old masquerading.

> I tried a kernel with netfilter turned on, but I was then no longer
> able to load the ipip.o module that I use for tunneling. I get two
> unresolved symbols from insmod: nf_hooks and nf_hooks_slow. Yet both
> symbols *are* mentioned in / Weird. This persisted even
> after a 'make clean' and remake.

Looks like you didn't turn on CONFIG_NETFILTER in the main kernel.
Without it masquerading will not work though.


To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to

This archive was generated by hypermail 2b29 : Mon Apr 30 2001 - 21:00:29 EST