Is p-o-m still the correct thing to use?

Is p-o-m still the correct thing to use?

[Brian Mearns]

The latest version of POM seems to be from 2004, and I saw some 
references in the mailing list archive seeming to indicate that is' 
being deprecated, but is there anything to replace it?

I'd really like to patch in TARPITs, but the latest POM does not work 
with the latest iptable src ("doesn't look like a iptables source code 
directory to me.")


Thanks,
-Brian

---
There is no disclaimer. Do what you want.

Re: Is p-o-m still the correct thing to use?

[Andrew Schulman]

> The latest version of POM seems to be from 2004, and I saw some 
> references in the mailing list archive seeming to indicate that is' 
> being deprecated, but is there anything to replace it?

For POM-ng, if you look in the snapshot directory of the FTP server, you'll find
daily versions up to yesterday.  However, I recently tried to use on of those to
install the condition patch, and it failed for reasons that I wasn't able to
figure out in 30 mins. or so of research.

POM has now been superseded by xtables-addons
(http://jengelh.medozas.de/projects/xtables/).  Unfortunately the netfilter site
hasn't been updated yet to reflect this.  Discussion threads on that in this
forum within the last week:

  POM Xtables???
  patch-0-matic problems..?

At first I was annoyed at yet another big change in netfilter patching, but
xtables-addons is better because it doesn't require you to patch either your
kernel or iptables.

> I'd really like to patch in TARPITs, but the latest POM does not work 
> with the latest iptable src ("doesn't look like a iptables source code 
> directory to me.")

You have to run ./configure in your iptables source dir first.  Not sure if that
used to be the case-- I think it wasn't.

That gets to wny I always used to hate using POM.  It was unique and volatile--
about once a year someone would change something and my script would break and
I'd have to go back and figure it all out again.  Good riddance, I say.

Good luck,
Andrew.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Is p-o-m still the correct thing to use?

[Brian Mearns]

Thanks a lot for the help, Andrew. The iptables source I have doesn't 
have a configure script...oh, but it does have an autogen script. I 
guess I was probably supposed to use that first. But it's a moot point, 
apparently, because of xtables, so I will be switching to that.

Thanks,
-Brian

Andrew Schulman wrote:
>> The latest version of POM seems to be from 2004, and I saw some 
>> references in the mailing list archive seeming to indicate that is' 
>> being deprecated, but is there anything to replace it?
> 
> For POM-ng, if you look in the snapshot directory of the FTP server, you'll find
> daily versions up to yesterday.  However, I recently tried to use on of those to
> install the condition patch, and it failed for reasons that I wasn't able to
> figure out in 30 mins. or so of research.
> 
> POM has now been superseded by xtables-addons
> (http://jengelh.medozas.de/projects/xtables/).  Unfortunately the netfilter site
> hasn't been updated yet to reflect this.  Discussion threads on that in this
> forum within the last week:
> 
>   POM Xtables???
>   patch-0-matic problems..?
> 
> At first I was annoyed at yet another big change in netfilter patching, but
> xtables-addons is better because it doesn't require you to patch either your
> kernel or iptables.
> 
>> I'd really like to patch in TARPITs, but the latest POM does not work 
>> with the latest iptable src ("doesn't look like a iptables source code 
>> directory to me.")
> 
> You have to run ./configure in your iptables source dir first.  Not sure if that
> used to be the case-- I think it wasn't.
> 
> That gets to wny I always used to hate using POM.  It was unique and volatile--
> about once a year someone would change something and my script would break and
> I'd have to go back and figure it all out again.  Good riddance, I say.
> 
> Good luck,
> Andrew.
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Is p-o-m still the correct thing to use?

[Jan Engelhardt]

On Tuesday 2008-07-29 06:25, Brian Mearns wrote:

> Thanks a lot for the help, Andrew. The iptables source I have
> doesn't have a configure script...oh, but it does have an autogen
> script. I guess I was probably supposed to use that first. But it's
> a moot point, apparently, because of xtables, so I will be
> switching to that.

Released tarballs should have configure; for autogen, you usually
need (even more) developer tools than you do without, like
autoconf, automake, and the other autowhatevers.

No moot point; iptables still is, as of today, the name of the
userspace package and control program.

Re: Is p-o-m still the correct thing to use?

[Brian Mearns]

Thanks for the help Jan and Andrew. I've got xtables (combined) and it 
built and installed fine. When I run iptables --version, it matches 
what's given in the versions file in the source distribution. My problem 
is that the TARPIT target doesn't seem to be recognized. When I try to 
add a rule with the TARPIT target, it says "iptables: No 
chain/target/match by that name". I've tried using rules that work 
otherwise, for instance, changing from DROP to TARPIT, and it still 
doesn't work, so it's not the rest of the rule that is the problem.

I found libxt_TARPIT.so in /usr/local/libexec/xtables/. Is it in the 
wrong spot or something? Also, my service runs from /sbin/iptables, but 
this is soft linked to /usr/local/sbin/iptables: could this be part of 
the problem? I did this so my package manager doesn't overwrite it any 
point, but maybe it was a bad idea?

Any help would be great.

Thanks,
-Brian

Jan Engelhardt wrote:
> On Tuesday 2008-07-29 06:25, Brian Mearns wrote:
> 
>> Thanks a lot for the help, Andrew. The iptables source I have
>> doesn't have a configure script...oh, but it does have an autogen
>> script. I guess I was probably supposed to use that first. But it's
>> a moot point, apparently, because of xtables, so I will be
>> switching to that.
> 
> Released tarballs should have configure; for autogen, you usually
> need (even more) developer tools than you do without, like
> autoconf, automake, and the other autowhatevers.
> 
> No moot point; iptables still is, as of today, the name of the
> userspace package and control program.

Re: Is p-o-m still the correct thing to use?

[Jan Engelhardt]

On Thursday 2008-08-28 20:37, Brian Mearns wrote:

> Thanks for the help Jan and Andrew. I've got xtables (combined) and
> it built and installed fine. When I run iptables --version, it
> matches what's given in the versions file in the source
> distribution. My problem is that the TARPIT target doesn't seem to
> be recognized. When I try to add a rule with the TARPIT target, it
> says "iptables: No chain/target/match by that name". I've tried
> using rules that work otherwise, for instance, changing from DROP
> to TARPIT, and it still doesn't work, so it's not the rest of the
> rule that is the problem.
>
> I found libxt_TARPIT.so in /usr/local/libexec/xtables/. Is it in
> the wrong spot or something?

If you used -combined, there is no problem, as the same prefix (see
below) is passed to both the bundle's components ./configure. You may
need to run `depmod -a` after make install.

I added a patch that will always do this now.

> Also, my service runs from
> /sbin/iptables, but this is soft linked to
> /usr/local/sbin/iptables: could this be part of the problem?

If the .so files got installed into /usr/local/libexec/xtables, the
program files got into /usr/local/sbin (since the default is
./configure --prefix=/usr/local when no prefix is given), hence
/usr/local/sbin/iptables includes the new binary, and if
/sbin/iptables is a softlink, well congrats, you have it all
installed.

Re: Is p-o-m still the correct thing to use?

[Brian Mearns]

Thanks Jan, responses below:

On Fri, Aug 29, 2008 at 7:53 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
<snip>
>> I found libxt_TARPIT.so in /usr/local/libexec/xtables/. Is it in
>> the wrong spot or something?
>
> If you used -combined, there is no problem, as the same prefix (see
> below) is passed to both the bundle's components ./configure. You may
> need to run `depmod -a` after make install.
>
> I added a patch that will always do this now.
>

Sorry, I tried looking through the man page for depmod, but it's not
very clear to me: what will that do for me, and does it matter where I
run it from?

Thanks,
-Brian

Re: Is p-o-m still the correct thing to use?

[Brian Mearns]

No, I don't have any TARPIT modules in either folder. Does that means
I have to patch the kernel? because I thought xtables didn't require
that. Or is there a way to just copy it in?

Thanks,
-Brian

ArcosCom Linux User wrote:
>
> Has you the kernel module for TARPIT (look for it into kernel modules,
> usually into /lib/modules/$(uname -r)/kernel/net/netfilter or
> .../net/ipv4/netfilter).
>
> Or perhaps the problem was that you have the "ipt" version and the "xt"
> version and there is a problem with them at the same time.
>
> Regards
>
> El Vie, 29 de Agosto de 2008, 2:37, Brian Mearns escribió:
>>
>> Thanks for the help Jan and Andrew. I've got xtables (combined) and it
>> built and installed fine. When I run iptables --version, it matches
>> what's given in the versions file in the source distribution. My problem
>> is that the TARPIT target doesn't seem to be recognized. When I try to
>> add a rule with the TARPIT target, it says "iptables: No
>> chain/target/match by that name". I've tried using rules that work
>> otherwise, for instance, changing from DROP to TARPIT, and it still
>> doesn't work, so it's not the rest of the rule that is the problem.
>>
>> I found libxt_TARPIT.so in /usr/local/libexec/xtables/. Is it in the
>> wrong spot or something? Also, my service runs from /sbin/iptables, but
>> this is soft linked to /usr/local/sbin/iptables: could this be part of
>> the problem? I did this so my package manager doesn't overwrite it any
>> point, but maybe it was a bad idea?
>>
>> Any help would be great.
>>
>> Thanks,
>> -Brian
>>
>> Jan Engelhardt wrote:
>>>
>>> On Tuesday 2008-07-29 06:25, Brian Mearns wrote:
>>>
>>>> Thanks a lot for the help, Andrew. The iptables source I have
>>>> doesn't have a configure script...oh, but it does have an autogen
>>>> script. I guess I was probably supposed to use that first. But it's
>>>> a moot point, apparently, because of xtables, so I will be
>>>> switching to that.
>>>
>>> Released tarballs should have configure; for autogen, you usually
>>> need (even more) developer tools than you do without, like
>>> autoconf, automake, and the other autowhatevers.
>>>
>>> No moot point; iptables still is, as of today, the name of the
>>> userspace package and control program.
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>
>