I wanted to try the experimental TARPIT module from netfilter, and because it's experimental, neither the upstream kernel team nor Red Hat will incorporate this into the stock kernel. This is of course perfectly reasonable.
But since netfilter modules are kernel modules, it seems like it should be straightforward to package them as free-standing packages. Has anyone tried to do this? What success have you had?
Another factor is that the kernel module will need matching machinery in the iptables userspace program to select the module and parse its options. (e.g. for TARPIT, it would parse the "-j TARPIT" command.) I believe currently this requires a recompile of the utility. Has any work been done to make this more modular, with runtime selection of additional parsing routines? That would allow the userspace parsing piece to be supplied in the kernel module package to be dropped in a suitable directory for use at runtime.
On Sunday 12 September 2004 15:33, Kenneth Porter wrote:
> I wanted to try the experimental TARPIT module from netfilter, and because it's experimental, neither the upstream kernel team nor Red Hat will incorporate this into the stock kernel. This is of course perfectly reasonable.
> But since netfilter modules are kernel modules, it seems like it should be straightforward to package them as free-standing packages. Has anyone tried to do this? What success have you had?
Would this be close to what you're looking for?
http://labrea.sourceforge.net/
Regards, Mike Klinke
On Sun, 12 Sep 2004 13:33:41 -0700, Kenneth Porter wrote:
> I wanted to try the experimental TARPIT module from netfilter, and because it's experimental, neither the upstream kernel team nor Red Hat will incorporate this into the stock kernel. This is of course perfectly reasonable.
> But since netfilter modules are kernel modules, it seems like it should be straightforward to package them as free-standing packages. Has anyone tried to do this? What success have you had?
> Another factor is that the kernel module will need matching machinery in the iptables userspace program to select the module and parse its options. (e.g. for TARPIT, it would parse the "-j TARPIT" command.) I believe currently this requires a recompile of the utility. Has any work been done to make this more modular, with runtime selection of additional parsing routines? That would allow the userspace parsing piece to be supplied in the kernel module package to be dropped in a suitable directory for use at runtime.
Last time I looked at it, the iptables userspace tarball used hidden scripts to examine the kernel source code tree for what's available. That was with kernel 2.4.x and FC1, though.
On Sun, Sep 12, 2004 at 01:33:41PM -0700, Kenneth Porter wrote:
> I wanted to try the experimental TARPIT module from netfilter, and because it's experimental, neither the upstream kernel team nor Red Hat will incorporate this into the stock kernel. This is of course perfectly reasonable.
> But since netfilter modules are kernel modules, it seems like it should be straightforward to package them as free-standing packages. Has anyone tried to do this? What success have you had?
> Another factor is that the kernel module will need matching machinery in the iptables userspace program to select the module and parse its options. (e.g. for TARPIT, it would parse the "-j TARPIT" command.) I believe currently this requires a recompile of the utility. Has any work been done to make this more modular, with runtime selection of additional parsing routines? That would allow the userspace parsing piece to be supplied in the kernel module package to be dropped in a suitable directory for use at runtime.
It's also modular, using shared libraries (/lib/iptables/*.so).
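The runtime lookup that reply refers to, as an added example that is not part of the thread: iptables maps each "-m NAME" and "-j NAME" in a rule to a shared library libipt_NAME.so in its library directory, so an admin can check in advance whether a packaged extension (here the hypothetical libipt_TARPIT.so) is actually installed. The library directory below is constructed with empty files so the script runs without a real iptables install; implicit "-p" protocol matches are left out.

```shell
#!/bin/sh
# Added example, not code from the thread. Models the 2004-era iptables
# layout described above: extensions are libipt_<NAME>.so under one
# directory (/lib/iptables on that system). Built-in targets need no
# library; "-p" protocol matches are deliberately not modelled here.

# Print, one per line, the extension libraries a rule would make iptables load.
required_libs() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -m|--match) printf 'libipt_%s.so\n' "$2"; shift ;;
            -j|--jump)
                case "$2" in
                    ACCEPT|DROP|QUEUE|RETURN) ;;       # handled by iptables itself
                    *) printf 'libipt_%s.so\n' "$2" ;;
                esac
                shift ;;
        esac
        shift
    done
}

# Usage: check_rule LIBDIR RULE_ARGS...
# Returns 0 if every extension the rule needs is present in LIBDIR,
# 1 otherwise, naming each missing library on stderr.
check_rule() {
    libdir=$1; shift
    rc=0
    for lib in $(required_libs "$@"); do
        if [ ! -f "$libdir/$lib" ]; then
            echo "missing: $libdir/$lib" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed stand-in for /lib/iptables: has the stock "state" match
# but not the out-of-tree TARPIT target. Prints the directory path.
make_fake_libdir() {
    d=$(mktemp -d)
    : > "$d/libipt_state.so"
    echo "$d"
}
```

Point it at the real directory (`check_rule /lib/iptables -m state --state NEW -j TARPIT`) to see which libraries a rule still needs before the kernel module package is considered complete.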