Dash Four wrote:
>> Here's a patch.
>>   
> OK, this worked (well, sort of!), but not in the way I expected.
>
> Although all the annoying messages are now gone (thank god!), I still 
> have some of the modules loaded, like nf_conntrack_ftp (and various 
> other nf_conntrack_* kernel modules), as well as nf_nat_ftp etc. 
> Further investigation revealed that there are hard-coded "loadmodule" 
> statements in the "helpers" file, which I think is responsible for this.
>
> If I remove these lines (I commented them out), then everything is 
> clear. So, is there any way to "synchronise" both things as the way I 
> see it, one doesn't make sense without the other? In other words, if I 
> have chosen not to have the tftp helper, what is the sense in loading 
> nf_conntrack_tftp for example?
>
> Also, in that "helpers" file I see quite a few ipset modules 
> (ip_set_iphash, ip_set_ipmap etc.) - these are not helpers and, anyway, 
> they appear to be in "modules.ipset", so I think it is safe to delete 
> them from there. While I am at it, one further question: am I right in 
> assuming that if an iptables match/target kernel module is needed in a 
> specific rule, then that kernel module is loaded automatically by 
> iptables anyway, so do we need any of the "modules.xtables" or 
> "modules.extensions"?
On a completely unrelated note to this discussion, I've just found a 
bug which, I think, is quite major:

accounting
~~~~~~~~~~
SECTION INPUT
NFACCT(test) - +test-set

produces

-A accountin -m nfacct --nfacct-name test -m set --match-set test src

The above rule will *not* work as expected, simply because the nfacct 
match always returns true (i.e. always "matches") and, since we all know 
that iptables matches are evaluated from left to right, packets/bytes 
will *always* be counted, regardless, because the set match follows 
that nfacct match.

The right thing to do is to have the nfacct match *last* regardless of 
what else is specified.
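An added example, not Shorewall's own code, that models the problem described above: a small parser splits a generated iptables rule into its `-m` match clauses, a helper moves the nfacct clause last, and a toy evaluator applies netfilter's left-to-right, stop-at-first-miss semantics to constructed packet sources to show how many packets each rule ordering would count. The rule string, the set contents and the packet sources are constructed for the example.

```python
import shlex

# Constructed sample rule (the shape Shorewall emits for "NFACCT(test) - +test-set").
RULE_FIRST = "-A accounting -m nfacct --nfacct-name test -m set --match-set test src"
# Constructed ipset contents and packet sources for the simulation.
SETS = {"test": {"10.0.0.1"}}
SOURCES = ["10.0.0.1", "10.0.0.2", "192.168.1.5"]


def split_rule(rule):
    """Split an iptables rule into (head, [match clauses], target tail).
    Each match clause is the token list starting at its '-m'."""
    head, matches, tail = [], [], []
    cur = head
    for tok in shlex.split(rule):
        if tok == "-m":
            cur = []
            matches.append(cur)
        elif tok == "-j" and cur is not tail:
            cur = tail
        cur.append(tok)
    return head, matches, tail


def nfacct_last(rule):
    """Re-emit the rule with every '-m nfacct' clause after all other matches."""
    head, matches, tail = split_rule(rule)
    nfacct = [m for m in matches if m[1] == "nfacct"]
    others = [m for m in matches if m[1] != "nfacct"]
    return " ".join(head + [t for m in others + nfacct for t in m] + tail)


def evaluate(rule, src, sets, counters):
    """Toy netfilter semantics: matches run left to right and the rule stops at
    the first miss. nfacct counts every packet it sees and always matches."""
    _, matches, _ = split_rule(rule)
    for m in matches:
        if m[1] == "nfacct":
            name = m[m.index("--nfacct-name") + 1]
            counters[name] = counters.get(name, 0) + 1
        elif m[1] == "set":
            name = m[m.index("--match-set") + 1]
            if src not in sets.get(name, set()):
                return False
    return True


def count_packets(rule, sources, sets):
    """Return the nfacct counters after feeding every source through the rule."""
    counters = {}
    for src in sources:
        evaluate(rule, src, sets, counters)
    return counters
```

With the nfacct clause first, all three constructed packets are counted; with it last, only the one whose source is in the set.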

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel