On 04/18/2013 01:22 PM, Dash Four wrote:
> 
>> Here's a patch.
>>   
> OK, this worked (well, sort of!), but not the way I expected it.
> 
> Although all the annoying messages are now gone (thank god!), I still 
> have some of the modules loaded, like nf_conntrack_ftp (and various 
> other nf_conntrack_* kernel modules), as well as nf_nat_ftp etc. Further 
> investigation revealed that there are hard-coded "loadmodule" statements 
> in the "helpers" file, which I think is responsible for this.

Yes.

> 
> If I remove these lines (I commented them out), then everything is 
> clear. So, is there any way to "synchronise" both things as the way I 
> see it, one doesn't make sense without the other? In other words, if I 
> have chosen not to have the tftp helper, what is the sense in loading 
> nf_conntrack_tftp for example?

The modules files are also read by the CLI and by the shorecap programs;
so they can't have ?if .... ?endif like other Shorewall configuration files.

But you can certainly copy helpers to /etc/shorewall/ and modify it in
any way that you see fit.

> 
> Also, in that "helpers" file I see quite a few ipset modules 
> (ip_set_iphash, ip_set_ipmap etc) - these are not helpers and, anyway, 
> they appear to be in "modules.ipset" so I think it is safe to delete 
> them from there.

Yes -- that's certainly a bug. I've removed them for the next Beta.

> While I am at it, one further question: am I right in 
> assuming that if an iptables match/target kernel module is needed in a 
> specific rule, then that kernel module is loaded automatically by 
> iptables anyway, so do we need any of the "modules.xtables" or 
> "modules.extensions"?

They are loaded by Shorewall only if LOAD_HELPERS_ONLY=No. If
LOAD_HELPERS_ONLY=Yes, only the helpers file is loaded.

They will be loaded if the kernel is configured for module autoloading.
That is rare in embedded systems but is the norm for desktop and server
distributions.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
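
The edit discussed in this message (a private copy of the helpers file with unwanted `loadmodule` lines commented out), as an added example that is not part of the original post and is not Shorewall code. The function name `filter_helpers` is hypothetical and the sample file content is constructed.

```shell
#!/bin/sh
# Added example (not Shorewall code): trim a copy of the "helpers" file.
# filter_helpers is a hypothetical helper name. $1 is a space-separated list
# of helper suffixes to keep, e.g. "ftp sip". The file is read on stdin.
filter_helpers() {
    awk -v keep="$1" '
        BEGIN {
            n = split(keep, k, " ")
            for (i = 1; i <= n; i++) want[k[i]] = 1
        }
        # Only active loadmodule lines for conntrack/NAT helper modules.
        $1 == "loadmodule" && $2 ~ /^(ip|nf)_(conntrack|nat)_/ {
            name = $2
            sub(/^(ip|nf)_(conntrack|nat)_/, "", name)
            if (!(name in want)) { print "#" $0; next }
        }
        { print }   # comments, blank lines and kept modules pass through
    '
}

# Constructed sample in the loadmodule format mentioned in the thread.
sample='# constructed sample, not the shipped file
loadmodule nf_conntrack_ftp
loadmodule nf_conntrack_tftp
loadmodule nf_nat_ftp
loadmodule nf_nat_tftp
loadmodule ip_set_iphash'

# Keep only the FTP helper; tftp lines come out commented.
printf '%s\n' "$sample" | filter_helpers "ftp"
```

Run it against a copy of the stock helpers file and write the result to /etc/shorewall/helpers. Lines that are not conntrack or NAT helper modules, such as the ip_set_* entries, are left as they are.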
