layer7 (l7-filter) compatible with f8 kernel?

Tod Merley todbot88 at gmail.com
Thu Dec 6 07:39:56 UTC 2007


On Dec 5, 2007 7:02 PM, Neal Becker <ndbecker2 at gmail.com> wrote:
> Anyone know if the f8 kernel (kernel-2.6.23.8-63) is compatible with
> l7-filter-userspace?  Doesn't seem to work:
>
> sudo /sbin/modprobe -v ip_conntrack_netlink
> insmod /lib/modules/2.6.23.8-63.fc8/kernel/net/ipv4/netfilter/nf_nat.ko
> insmod /lib/modules/2.6.23.8-63.fc8/kernel/net/netfilter/nf_conntrack_netlink.ko
> [nbecker at nbecker1 l7-filter-userspace-v0.4]$ /usr/bin/l7-filter --help
>
>                       ***WARNING***
> The ip_conntrack_netlink module does not appear to be loaded.
> Unless you have it compiled into your kernel, please load it
> and run l7-filter again.
>

Hi Neal Becker!

Thanks for widening my education.  I am no expert but love looking at
this new network stuff!

From: http://l7-filter.sourceforge.net/HOWTO-userspace

I see (note the part about "Linux 2.6.20 and newer"):
------------------------------------------------------
Kernel

For Linux 2.6.19.7 and older, you simply need to have connection
tracking and the connection tracking netlink interface enabled. I
think that this is the default in most cases. (XXX what is the oldest
version of Linux that has these capabilities? 2.6.14, I think. Needs
testing.)

For Linux 2.6.20 and newer, Netfilter has new "Layer 3 Independent
Connection tracking" which l7-filter is not yet compatible with
(mostly due to lack of library support from libnetfilter_conntrack).
While the old layer 3 dependent connection tracking is still
available, it is not selected by default, so you will probably need to
recompile your kernel with it. In the Linux kernel config, go to
Networking → Networking options → Network packet filtering framework
(Netfilter) → Core Netfilter Configuration. Under "Netfilter
connection tracking support", select "Layer 3 Dependent Connection
tracking (OBSOLETE)". Then go to Networking → Networking options →
Network packet filtering framework → IP: Netfilter Configuration" and
enable "Connection tracking netlink interface" (and probably most of
the rest of the stuff on that page). This is a pain in the ass, sorry!

Either way, you need the module ip_conntrack_netlink or the same code
compiled into your kernel.
----------------------------------------------
Which seems pertinent.

Have Fun!

Tod
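Turning the HOWTO's reasoning into a check, as an added example that is not part of the thread or the l7-filter project: it takes a uname -r style release string plus a /proc/modules-format listing and reports whether the module l7-filter wants is present. The sample listing is constructed (module names follow the insmod lines above; sizes and addresses are made up).

```shell
#!/bin/sh
# Added example, not from the thread or the l7-filter project: l7-filter
# looks for ip_conntrack_netlink, while stock kernels from 2.6.20 on load
# the layer-3 independent nf_conntrack_netlink instead, which the tool
# does not recognise. This check tells the two situations apart.

# Returns 0 if the release string (uname -r style) is 2.6.20 or newer.
is_2_6_20_or_newer() {
    rel=${1%%-*}                      # drop a "-63.fc8" style suffix
    major=${rel%%.*}; rest=${rel#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%.*}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 6 ] && return 0
    [ "$minor" -lt 6 ] && return 1
    [ "$patch" -ge 20 ]
}

# Returns 0 if module $1 appears in a /proc/modules-format listing read
# from stdin (the module name is the first field of each line).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# Prints a one-line verdict for kernel release $1 and module listing $2.
diagnose() {
    if printf '%s\n' "$2" | module_loaded ip_conntrack_netlink; then
        echo "ok: ip_conntrack_netlink loaded"
    elif printf '%s\n' "$2" | module_loaded nf_conntrack_netlink; then
        if is_2_6_20_or_newer "$1"; then
            echo "mismatch: nf_conntrack_netlink loaded; l7-filter needs ip_conntrack_netlink (Layer 3 Dependent conntrack, off by default since 2.6.20)"
        else
            echo "mismatch: nf_conntrack_netlink loaded; l7-filter needs ip_conntrack_netlink"
        fi
    else
        echo "missing: no conntrack netlink module loaded"
    fi
}

# Constructed listing matching the insmod lines in the thread (sizes and
# addresses are made up).
SAMPLE_MODULES='nf_conntrack_netlink 20000 0 - Live 0xf0000000
nf_nat 16000 1 nf_conntrack_netlink, Live 0xf0010000'

diagnose "2.6.23.8-63.fc8" "$SAMPLE_MODULES"
```

On a live system, `diagnose "$(uname -r)" "$(cat /proc/modules)"` runs the same check against what is actually loaded.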