Where has NAT gone?

Where has NAT gone?

[netsol3]

Hi all
This is hopefully a quick question. Today I upgraded my system from Linux
Kernel 2.6.16.20 to 2.6.20.7 because I needed an updated NIC driver. Upon
running make menuconfig, I noticed that the options for NAT seem to have
vanished from the config menu. 

At first, I used my .config file from 2.6.16.20, but under such a method
there were no netfilter options available at all. So I removed the .config
file and ran make menuconfig from scratch - this time, I got netfilter
options, but no sign of NAT. I then hunted through the source tree and
found plenty of sections that still mention CONFIG_IP_NF_NAT, which ruled
out the possibility that NAT has been merged under a different section of
the kernel compilation. Then I edited the .config file by hand, and added
CONFIG_IP_NF_NAT=yes. After building the kernel (which didn't add any nat
functionality) I checked the .config file and found that the make process
had actually removed the NF data from the file.

I have enabled:
CONFIG PACKET NF CONNTRACK
CONFIG IP NF IPTABLES
CONFIG IP NF FILTER
CONFIG_IP_NF_NAT
CONFIG IP NF MATCH STATE

IPTables works fine. I have a firewall that works. It's just that as soon
as I try to refer to the 'nat' table, it tells me this is not possible as
it's not compiled into my kernel.

I'm not sure if this is the right place to ask but the kernel mailing list
was slow at responding so I thought I'd try here.

Any help would be greatly appreciated

Regards
Richard

------------------------------------------------
This message was sent using InSPire Net Webmail.
http://www.inspire.net.nz

Where has NAT gone?

[richard]

Hi all
This is hopefully a quick question. Today I upgraded my system from Linux
Kernel 2.6.16.20 to 2.6.20.7 because I needed an updated NIC driver. Upon
running make menuconfig, I noticed that the options for NAT seem to have
vanished from the config menu. 

At first, I used my .config file from 2.6.16.20, but under such a method
there were no netfilter options available at all. So I removed the .config
file and ran make menuconfig from scratch - this time, I got netfilter
options, but no sign of NAT. I then hunted through the source tree and
found plenty of sections that still mention CONFIG_IP_NF_NAT, which ruled
out the possibility that NAT has been merged under a different section of
the kernel compilation. Then I edited the .config file by hand, and added
CONFIG_IP_NF_NAT=yes. After building the kernel (which didn't add any nat
functionality) I checked the .config file and found that the make process
had actually removed the NF data from the file.

I have enabled:
CONFIG PACKET NF CONNTRACK
CONFIG IP NF IPTABLES
CONFIG IP NF FILTER
CONFIG_IP_NF_NAT
CONFIG IP NF MATCH STATE

IPTables works fine. I have a firewall that works. It's just that as soon
as I try to refer to the 'nat' table, it tells me this is not possible as
it's not compiled into my kernel.

I'm not sure if this is the right place to ask but the kernel mailing list
was slow at responding so I thought I'd try here.

Any help would be greatly appreciated

Regards
Richard

------------------------------------------------
This message was sent using InSPire Net Webmail.
http://www.inspire.net.nz

Re: Where has NAT gone?

[Jan Engelhardt]

On Apr 17 2007 08:12, richard@net-solutions.net.nz wrote:
>Hi all
>This is hopefully a quick question. Today I upgraded my system from Linux
>Kernel 2.6.16.20 to 2.6.20.7 because I needed an updated NIC driver. Upon
>running make menuconfig, I noticed that the options for NAT seem to have
>vanished from the config menu. 

Many CONFIG_IP_NF changed to CONFIG_NF; from the old
"Layer3-dependent" to "layer3-independent". Check it out using menuconfig.


Jan
-- 

Re: Where has NAT gone?

[Torsten Luettgert]

On Tue, 2007-04-17 at 08:12 +0000, richard@net-solutions.net.nz wrote:
> Today I upgraded my system from Linux
> Kernel 2.6.16.20 to 2.6.20.7 because I needed an updated NIC driver. Upon
> running make menuconfig, I noticed that the options for NAT seem to have
> vanished from the config menu. 
...
> I'm not sure if this is the right place to ask but the kernel mailing list
> was slow at responding so I thought I'd try here.

Exactly the right place to ask, don't worry.

What you're probably missing is conntrack, which moved to

Networking ->
Networking options ->
Network packet filtering framework (Netfilter) ->
Core Netfilter Configuration

There, enable "Netfilter connection tracking support"
(CONFIG_NF_CONNTRACK_ENABLED) and "Netfilter Xtables support"
(CONFIG_NETFILTER_XTABLES).

Then, one menu up and into "IP: Netfilter Configuration",
enable

IPv4 connection tracking support (CONFIG_NF_CONNTRACK_IPV4)
IP tables support (CONFIG_IP_NF_IPTABLES)
Full NAT (CONFIG_NF_NAT)

and optionally MASQUERADE / REDIRECT.

I understand those config options were moved because they are
actually not IPv4 specific ("iptables") but more general,
IPv4 / IPv6 / ARP ("xtables").
The binary for setting the rules is still called "iptables", though.

Hth,
Torsten

Re: Where has NAT gone?

[Pascal Hambourg]

Hello,

Torsten Luettgert a écrit :
> 
> What you're probably missing is conntrack, which moved to
> 
> Networking ->
> Networking options ->
> Network packet filtering framework (Netfilter) ->
> Core Netfilter Configuration
> 
> There, enable "Netfilter connection tracking support"
> (CONFIG_NF_CONNTRACK_ENABLED) and "Netfilter Xtables support"
> (CONFIG_NETFILTER_XTABLES).
> 
> Then, one menu up and into "IP: Netfilter Configuration",
> enable
> 
> IPv4 connection tracking support (CONFIG_NF_CONNTRACK_IPV4)
> IP tables support (CONFIG_IP_NF_IPTABLES)
> Full NAT (CONFIG_NF_NAT)

Note that although it is now the default since 2.6.20, you can still 
disable the new layer 3-independent connection tracking in the "Core 
Netfilter Configuration" menu and enable the old IPv4-only connection 
tracking (CONFIG_IP_NF_CONNTRACK) and NAT (CONFIG_IP_NF_NAT) in the "IP: 
Netfilter Configuration" menu. But you lose the IPv6 connection tracking.

> I understand those config options were moved because they are
> actually not IPv4 specific ("iptables") but more general,
> IPv4 / IPv6 / ARP ("xtables").

Yes, but AFAIK xtables has little to do (if anything) with the layer 
3-independant connection tracking.

> The binary for setting the rules is still called "iptables", though.

Because that's the dedicated userspace tool to manage the IPv4 rules. 
There are similar dedicated tools to manage IPv6 and ARP rules, 
respectively ip6tables and arptables.

Re: Where has NAT gone?

[richard]

> On Tue, 2007-04-17 at 08:12 +0000, richard@net-solutions.net.nz wrote:
> > Today I upgraded my system from Linux
> > Kernel 2.6.16.20 to 2.6.20.7 because I needed an updated NIC driver. Upon
> > running make menuconfig, I noticed that the options for NAT seem to have
> > vanished from the config menu. 
> ....
> > I'm not sure if this is the right place to ask but the kernel mailing list
> > was slow at responding so I thought I'd try here.
> 
> Exactly the right place to ask, don't worry.
> 
> What you're probably missing is conntrack, which moved to
> 
> Networking ->
> Networking options ->
> Network packet filtering framework (Netfilter) ->
> Core Netfilter Configuration
> 
> There, enable "Netfilter connection tracking support"
> (CONFIG_NF_CONNTRACK_ENABLED) and "Netfilter Xtables support"
> (CONFIG_NETFILTER_XTABLES).
> 
> Then, one menu up and into "IP: Netfilter Configuration",
> enable
> 
> IPv4 connection tracking support (CONFIG_NF_CONNTRACK_IPV4)
> IP tables support (CONFIG_IP_NF_IPTABLES)
> Full NAT (CONFIG_NF_NAT)
> 
> and optionally MASQUERADE / REDIRECT.
> 
> I understand those config options were moved because they are
> actually not IPv4 specific ("iptables") but more general,
> IPv4 / IPv6 / ARP ("xtables").
> The binary for setting the rules is still called "iptables", though.
> 
> Hth,
> Torsten
> 

Thanks Torsten, that was very helpful. Glad I found the right place first
time round!

Regards
Richard

------------------------------------------------
This message was sent using InSPire Net Webmail.
http://www.inspire.net.nz