Linux Netfilter discussions
* condition patch with kernel 2.6.16
@ 2006-04-24 15:40 Andrew Schulman
  2006-04-24 16:23 ` Massimiliano Hofer
  0 siblings, 1 reply; 3+ messages in thread
From: Andrew Schulman @ 2006-04-24 15:40 UTC (permalink / raw)
  To: netfilter-wool9L35kiczKOhml7GhPkB+6BGkLq7r

I've been successfully using the condition patch with 2.6-series kernels, up
through kernel 2.6.15.  It was simple to make it work:  I just removed the
line 'Requires: linux < 2.6.0' from the condition/info file, and then the
patch applied and worked just fine.

Now I'm trying to do the same with kernel 2.6.16, and the patch fails:

# ./runme --kernel-path=/usr/src/linux
--iptables-path=/usr/src/netfilter/iptables-1.3.1 --batch condition

<snip>

unable to find ladd slot in src /tmp/pom-6145/net/ipv6/netfilter/Makefile
(./patchlets/condition/linux/./net/ipv6/netfilter/Makefile.ladd)

Obviously something has changed, but I don't know what.  Can someone suggest
a fix?

The condition patch seems like a very important and useful one, and simple
in principle.  2.6 kernels have been in production use for well over a year.
Is "condition" ever going to be definitively ported to 2.6?

Thanks,
Andrew.




* Re: condition patch with kernel 2.6.16
  2006-04-24 15:40 condition patch with kernel 2.6.16 Andrew Schulman
@ 2006-04-24 16:23 ` Massimiliano Hofer
  2006-04-24 16:38   ` Andrew Schulman
  0 siblings, 1 reply; 3+ messages in thread
From: Massimiliano Hofer @ 2006-04-24 16:23 UTC (permalink / raw)
  To: netfilter; +Cc: Andrew Schulman

On Monday 24 April 2006 5:40 pm, Andrew Schulman wrote:

> I've been successfully using the condition patch with 2.6-series kernels,
> up through kernel 2.6.15.  It was simple to make it work:  I just removed
> the line 'Requires: linux < 2.6.0' from the condition/info file, and then
> the patch applied and worked just fine.

I did too and it worked, but on closer inspection of the code I saw that it 
worked by chance.

> Now I'm trying to do the same with kernel 2.6.16, and the patch fails:
>
> # ./runme --kernel-path=/usr/src/linux
> --iptables-path=/usr/src/netfilter/iptables-1.3.1 --batch condition

2.6.16 needs some minor changes on a few function declarations, anyway I just 
finished a more extensive rework of the code so that it's really supposed to 
work for 2.6. Stephane (the original author) told me he never had the time to 
update it and was glad to hand it down to someone else.

> The condition patch seems like a very important and useful one, and simple
> in principle.  2.6 kernels have been in production use for well over a
> year. Is "condition" ever going to be definitively ported to 2.6?

There are different views on its usefulness. I agree with you, but other
people think that influencing packet filtering from /proc is a hack.
I can see their argument, but think the alternatives are worse.
Anyway this is mostly subjective, so I don't want to start a flame war or 
blame anyone. I'll set up a repository in a few days and it will be linked as 
an external project.
Meanwhile I'll send a copy of my latest patch to you privately. You are 
encouraged to test it.

-- 
Saluti,
   Massimiliano Hofer
        Nucleus



* Re: condition patch with kernel 2.6.16
  2006-04-24 16:23 ` Massimiliano Hofer
@ 2006-04-24 16:38   ` Andrew Schulman
  0 siblings, 0 replies; 3+ messages in thread
From: Andrew Schulman @ 2006-04-24 16:38 UTC (permalink / raw)
  To: netfilter-wool9L35kiczKOhml7GhPkB+6BGkLq7r

> On Monday 24 April 2006 5:40 pm, Andrew Schulman wrote:
> 
> > I've been successfully using the condition patch with 2.6-series kernels,
> > up through kernel 2.6.15.  It was simple to make it work:  I just removed
> > the line 'Requires: linux < 2.6.0' from the condition/info file, and then
> > the patch applied and worked just fine.
> 
> I did too and it worked, but on closer inspection of the code I saw that it 
> worked by chance.

OK, that's good to know.

> > Now I'm trying to do the same with kernel 2.6.16, and the patch fails:
> >
> > # ./runme --kernel-path=/usr/src/linux
> > --iptables-path=/usr/src/netfilter/iptables-1.3.1 --batch condition
> 
> 2.6.16 needs some minor changes on a few function declarations, anyway I just 
> finished a more extensive rework of the code so that it's really supposed to 
> work for 2.6. Stephane (the original author) told me he never had the time to 
> update it and was glad to hand it down to someone else.

OK, that's very good.  I'll be glad to test it.  I need to upgrade to kernel
2.6.16 to try to solve some other problems, and right now the condition
patch is holding me back.  I could rewrite my firewall without it, but I'd
rather just have a working condition patch.

> > The condition patch seems like a very important and useful one, and simple
> > in principle.  2.6 kernels have been in production use for well over a
> > year. Is "condition" ever going to be definitively ported to 2.6?
> 
> There are different views on its usefulness. I agree with you, but other
> people think that influencing packet filtering from /proc is a hack.
> I can see their argument, but think the alternatives are worse.

Well I wasn't aware of that argument.  I think the condition functionality
is sensible and useful.  When a condition value changes, I have a choice of
either (1) cleaning out and rebuilding my whole firewall; (2) finding and
changing the specific affected iptables rules; or (3) changing a value in
/proc/net/ipt_condition.  Of these I find (3) to be the most convenient and
natural.

Thanks, Andrew.



