On Tue, Apr 09, 2002 at 03:34:15PM +0200, Hervé Eychenne wrote:
> Hi !
>
> There's already a lot of modules, and it seems like there will be
> more and more in future.
>
> - some netfilter modules belong to the upstream kernel or iptables
> distribution
true. However, most of the common modules are scheduled to become part
of the kernel at the time we've declared them stable and they don't
interact with other plans.
> - some netfilter modules can be installed through patch-o-matic
all of the modules not part of the kernel can be installed through
patch-o-matic
> - netfilter modules can be kernel modules or compiled in the kernel
true. It's just like (almost) everything else in the kernel.
> - everyone is not using the same iptables or kernel versions, which
> provide different modules
true.
> - netfilter module options can change with time
generally not true. There have been very few (two?) cases where this
happened - and we made sure that it is forward- and backwards-compatible
(i.e. you can use old kernel with new iptables and vice-versa).
> All those reasons make it difficult to know what matches or targets
> are available on the current system, which confuses users and obliges
> "generic" scripts to use only a minimal subset of existing netfilter
> functionalities.
Go to your kernel source directory and parse .config - it should tell you
which matches/targets have been compiled in or compiled as modules
cat /usr/src/linux/.config | egrep '^CONFIG_IP_NF_MATCH|^CONFIG_IP_NF_TARGET'
> That's why I suggest a mechanism which would provide the list of
> currently available matches and targets, with their API (regarding options)
> versions. /proc seems to be a good candidate.
Well, we could only list the currently loaded matches/targets, which can
be read out by parsing 'lsmod' anyway. (assuming that all matches/targets
are modules).
But having something like /proc/net/ipv4/netfilter/{match,target}_names
would be a nice contribution, and definitely be welcome :)
The kernel modules don't know anything about commandline-options of
iptables - and this is by design, since this doesn't belong into the kernel.
> RV
--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED] http://www.gnumonks.org/
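Harald's two suggestions above (parse .config for CONFIG_IP_NF_MATCH/TARGET entries, and parse lsmod to see which modules are actually loaded), carried through as an added shell example that is not from this thread. It assumes the ipt_<name> module naming convention of that era (matches lower-case, targets upper-case) and works on constructed sample files; on a real host point it at /usr/src/linux/.config and /proc/modules.

```shell
#!/bin/sh
# Added example (not from the thread): list netfilter matches/targets from a
# kernel .config and cross-check module builds against a /proc/modules listing.
# Constructed sample .config fragment (not taken from any real build).
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=m
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=y
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
EOF
}
# Constructed /proc/modules-style listing (what lsmod reads): only ipt_REJECT loaded.
write_sample_modules() {
    printf 'ipt_REJECT 3456 1\nip_tables 12345 2 [ipt_REJECT]\n' > "$1"
}
# nf_features CONFIG: prints "<kind> <NAME> <state> <module>" per entry.
# state is builtin, module or disabled; module follows the assumed ipt_*
# naming convention (matches lower-case, targets upper-case).
nf_features() {
    awk '/^(# )?CONFIG_IP_NF_(MATCH|TARGET)_/ {
        line = $0; state = "disabled"
        if (sub(/^# /, "", line)) { sub(/ is not set$/, "", line) }
        else if (sub(/=y$/, "", line)) { state = "builtin" }
        else if (sub(/=m$/, "", line)) { state = "module" }
        else { next }
        sub(/^CONFIG_IP_NF_/, "", line)
        kind = (line ~ /^MATCH_/) ? "match" : "target"
        name = substr(line, (kind == "match") ? 7 : 8)
        mod = (kind == "match") ? "ipt_" tolower(name) : "ipt_" name
        print kind, name, state, mod
    }' "$1"
}
# nf_usable CONFIG MODULES: entries usable right now, i.e. built in, or built
# as a module whose name appears in MODULES (lsmod / /proc/modules format).
nf_usable() {
    nf_features "$1" | while read -r kind name state mod; do
        case $state in
            builtin) echo "$kind $name" ;;
            module)  if grep -q "^$mod " "$2"; then echo "$kind $name"; fi ;;
        esac
    done
}
# On a real host: nf_usable /usr/src/linux/.config /proc/modules
```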