where did ipt_unclean go in kernel 2.6.5 ?

where did ipt_unclean go in kernel 2.6.5 ?

[Madhav Diwan]

Hi Everyone,

I recently compiled and applied kernel 2.6.5 from kernel.org , building 
it as an rpm using `make rpm` on a RedHat 9 system. The build process 
went so smoothly i was astonished.

Of course there are always the little nagging things left to clean up.

Just curious but where did the unclean match target disappear to? I 
thought that was part of the base iptables target set.

I use firestarter to apply iptables rule sets to this upgraded machine 
and I see the following:


Apr  6 17:31:31 shreya1 firestarter: Zeroing all current rules: succeeded
Apr  6 17:31:31 shreya1 modprobe: FATAL: Module ipt_unclean not found.
Apr  6 17:31:32 shreya1 last message repeated 2 times
Apr  6 17:31:32 shreya1 firestarter: Applying Firestarter configuration 
succeeded

Was UNCLEAN dropped as a standard target? I don t see it anywhere in the 
standard kernel config in the 2.6 series.

patchomatic-ng was no help either.


By the way , as a side note, just which iptables patches DO apply to the 
kernel 2.6 series? its at version 2.6.5 now and severely needs some 
firewalling support. , for instance h323 and the failover connection 
tracking?

Sincerely

Madhav Diwan

Re: where did ipt_unclean go in kernel 2.6.5 ?

[Philip Craig]

Madhav Diwan wrote:
> Just curious but where did the unclean match target disappear to? I 
> thought that was part of the base iptables target set.

It was removed in 2.6.  See the following for the reasons:
http://lists.netfilter.org/pipermail/netfilter-devel/2003-August/012199.html

> patchomatic-ng was no help either.

It should eventually turn up in pom-ng, but nobody has cared enough about
it yet to get it working for 2.6.

> By the way , as a side note, just which iptables patches DO apply to the 
> kernel 2.6 series? its at version 2.6.5 now and severely needs some 
> firewalling support. , for instance h323 and the failover connection 
> tracking?

The patch-o-matic-ng/*/info files give the version requirements for each
patch.  Again, it's just a matter of someone needing them enough to fix
them for 2.6.

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com

Re: where did ipt_unclean go in kernel 2.6.5 ?

[Dick St.Peters]

Philip Craig writes:
> Madhav Diwan wrote:
> > Just curious but where did the unclean match target disappear to? I 
> > thought that was part of the base iptables target set.
> 
> It was removed in 2.6.  See the following for the reasons:
> http://lists.netfilter.org/pipermail/netfilter-devel/2003-August/012199.html
> 
> > patchomatic-ng was no help either.
> 
> It should eventually turn up in pom-ng, but nobody has cared enough about
> it yet to get it working for 2.6.

The posted removal patch is easily reversed, with only one or two
hunks needing minor fiddling.  I've posted a restore patch for 2.6.3:
   ftp://ftp.netheaven.com/pub/outgoing/unclean-restore-2.6.3.patch

It applies to 2.6.4 with a little fuzz; I haven't tried 2.6.5 yet.

Anyone restoring the unclean match should understand the reasons for
its removal in the first place.  It can break things.  (Of course,
that can be said about all the rest of netfilter.)

--
Dick St.Peters, stpeters@NetHeaven.com 
Gatekeeper, NetHeaven, Saratoga Springs, NY