Packaging optional netfilter modules

Kenneth Porter shiva at sewingwitch.com
Sun Sep 12 20:33:41 UTC 2004


I wanted to try the experimental TARPIT module from netfilter, and because 
it's experimental, neither the upstream kernel team nor Red Hat will 
incorporate this into the stock kernel. This is of course perfectly 
reasonable.

But since netfilter modules are kernel modules, it seems like it should be 
straightforward to package them as free-standing packages. Has anyone tried 
to do this? What success have you had?

Another factor is that the kernel module will need matching machinery in 
the iptables userspace program to select the module and parse its options. 
(e.g., for TARPIT, it would parse the "-j TARPIT" command.) I believe 
currently this requires a recompile of the utility. Has any work been done 
to make this more modular, with runtime selection of additional parsing 
routines? That would allow the userspace parsing piece to be supplied in 
the kernel module package to be dropped in a suitable directory for use at 
runtime.




