[Tfug] ip_tables kernel code no longer possible to build into the kernel?

Robert Hunter hunter at tfug.org
Tue May 23 22:50:39 MST 2006


> make oldconfig is not letting me build iptables support (code that
> runs as part of the kernel, sometimes called a module) into the
> kernel.

It's possible that in your kernel configuration a dependency for
IP_NF_IPTABLES is configured as a module, which would explain why you
only have the option of building this feature as a module.  Let's do
some grepping in the Linux source tree to see what it depends on.

<shell interaction>
$grep -r IP_NF_IPTABLES net
net/ipv4/netfilter/Kconfig:config IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:       depends on IP_NF_IPTABLES && XFRM
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Kconfig:     depends on IP_NF_IPTABLES
net/ipv4/netfilter/Makefile:obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
net/sched/Kconfig:        depends on NET_CLS_ACT && NETFILTER && IP_NF_IPTABLES
</shell interaction>

The first line is the only one that is not a dependency on
IP_NF_IPTABLES.  Let's look at it closer.

<shell interaction>
$grep -C 10 'config IP_NF_IPTABLES'  net/ipv4/netfilter/Kconfig
       help
         Netfilter has the ability to queue packets to user space: the
         netlink device can be used to access them using this driver.

         This option enables the old IPv4-only "ip_queue" implementation
         which has been obsoleted by the new "nfnetlink_queue" code (see
         CONFIG_NETFILTER_NETLINK_QUEUE).

         To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_IPTABLES
       tristate "IP tables support (required for filtering/masq/NAT)"
       depends on NETFILTER_XTABLES
       help
         iptables is a general, extensible packet identification framework.
         The packet filtering and full NAT (masquerading, port forwarding,
         etc) subsystems now use this: say `Y' or `M' here if you want to use
         either of those.

         To compile it as a module, choose M here.  If unsure, say N.
</shell interaction>

From this we can see that it depends on NETFILTER_XTABLES.  Now we can
go check the config to see if NETFILTER_XTABLES is configured
statically or as a module.  If we have the same problem (i.e. only
has a module option) then we could repeat the process.  You could
probably write a script to help with this if you really wanted to.
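The script Rob alludes to, as an added example that is not part of the original post: it walks the `depends on` chain of a Kconfig symbol and reports every dependency the .config currently sets to `m`, which is exactly the condition that caps the symbol itself at "module only". The Kconfig and .config fragments embedded below are constructed for illustration (they mirror the IP_NF_IPTABLES -> NETFILTER_XTABLES structure seen in the grep output); only `config` and `depends on` lines are parsed, so `select` statements and `if` blocks, which can also force a symbol's value, are not covered.

```python
"""Find which dependencies of a Kconfig symbol are configured as modules.

Added example, not code from the original mailing-list post.  Assumes
Kconfig syntax of the form 'config SYM' followed by indented
'depends on EXPR' lines, and .config lines 'CONFIG_SYM=y|m' or
'# CONFIG_SYM is not set'.  'select' and 'if' blocks are ignored.
"""
import re
import sys

# Constructed Kconfig fragment (hypothetical, mirrors the real layout).
SAMPLE_KCONFIG = """\
config NETFILTER_XTABLES
\ttristate "Netfilter Xtables support (required for ip_tables)"
\tdepends on NETFILTER

config IP_NF_IPTABLES
\ttristate "IP tables support (required for filtering/masq/NAT)"
\tdepends on NETFILTER_XTABLES
\thelp
\t  iptables is a general, extensible packet identification framework.

config IP_NF_FILTER
\ttristate "Packet filtering"
\tdepends on IP_NF_IPTABLES
"""

# Constructed .config: NETFILTER_XTABLES is a module, which caps every
# symbol that depends on it at 'm'.
SAMPLE_DOTCONFIG = """\
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
"""


def parse_kconfig(text):
    """Return {symbol: [dependency symbols]} from 'config'/'depends on' lines."""
    deps = {}
    current = None
    for line in text.splitlines():
        m = re.match(r'^(?:menu)?config\s+(\w+)\s*$', line)
        if m:
            current = m.group(1)
            deps.setdefault(current, [])
            continue
        m = re.match(r'^\s+depends on\s+(.+)$', line)
        if m and current is not None:
            # Extract bare symbol names; 'X!=n && Y' yields X and Y
            # (the lowercase y/m/n literals do not match [A-Z]).
            for sym in re.findall(r'\b([A-Z][A-Z0-9_]*)\b', m.group(1)):
                if sym not in deps[current]:
                    deps[current].append(sym)
    return deps


def parse_dotconfig(text):
    """Return {symbol: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'^CONFIG_(\w+)=(.*)$', line)
        if m:
            values[m.group(1)] = m.group(2)
            continue
        m = re.match(r'^# CONFIG_(\w+) is not set$', line)
        if m:
            values[m.group(1)] = 'n'
    return values


def find_module_deps(symbol, kconfig_text, dotconfig_text):
    """Depth-first walk of symbol's dependency chain.

    Returns one 'A -> B -> C' string per dependency set to 'm'; the last
    entry is the deepest (root) cause, the first thing to switch to 'y'.
    """
    deps = parse_kconfig(kconfig_text)
    values = parse_dotconfig(dotconfig_text)
    culprits, seen = [], set()

    def walk(sym, path):
        if sym in seen:
            return
        seen.add(sym)
        for dep in deps.get(sym, []):
            chain = path + [dep]
            if values.get(dep) == 'm':
                culprits.append(' -> '.join(chain))
            walk(dep, chain)

    walk(symbol, [symbol])
    return culprits


if __name__ == '__main__':
    # Usage against a real tree (paths are assumptions, adjust as needed):
    #   python3 kdeps.py IP_NF_IPTABLES .config net/ipv4/netfilter/Kconfig net/netfilter/Kconfig
    if len(sys.argv) >= 4:
        sym, cfg, kconfigs = sys.argv[1], sys.argv[2], sys.argv[3:]
        kc = ''.join(open(p).read() + '\n' for p in kconfigs)
        hits = find_module_deps(sym, kc, open(cfg).read())
    else:
        hits = find_module_deps('IP_NF_IPTABLES', SAMPLE_KCONFIG, SAMPLE_DOTCONFIG)
    for h in hits:
        print(h)
```

Run with no arguments it uses the constructed fragments and reports that IP_NF_IPTABLES is held at `m` by NETFILTER_XTABLES; with a symbol, a .config and one or more Kconfig files it does the same walk over the real tree. Because it concatenates every Kconfig file you pass, include the netfilter Kconfig from each directory the chain crosses, otherwise a dependency defined elsewhere is simply treated as having no dependencies of its own.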

As to why you need this kernel feature compiled statically, I can only
guess.  If you were trying to dispense with initrd (i.e. you are
dealing with something that is required during the boot process),
then it makes sense to compile it directly into the kernel.  In this
case, I would guess that a kernel module would work equally well.



-- 
Rob
