iptables

Rocco Stanzione grasshopper at linuxkungfu.org
Sat Sep 23 01:40:27 BST 2006


On Friday 22 September 2006 1:08 pm, Matt Zimmerman wrote:
> On Tue, Sep 19, 2006 at 09:56:58AM -0500, Rocco Stanzione wrote:
[snip]
> > If we simply grabbed a current iptables tarball from netfilter.org and
> > said "KERNEL_DIR=/path/to/linux/headers make;make install", we would get
> > every single feature we're currently getting from our patch-o-matic build
> > process, plus several more (string, policy and dccp for ipv4 and state,
> > policy and connmark for ipv6), and we'd have a significantly smaller
> > source package, since we don't have to include the (ancient) chunk of
> > kernel source that's currently included, or the patch-o-matic patches.
>
> This sounds fairly compelling.  Perhaps it would be a good idea to prepare
> a patch against the current package demonstrating this, and publish test
> packages for others to try.

It would be an awful lot easier (at least for me) to create a new package from 
scratch.  I don't know if you've looked at the current source package, but 
it's so different from anything else I've seen that I wouldn't know where to 
start modifying it.  Upstream, it's really to the point where pretty much the 
most straightforward imaginable build process is probably the right one.  Set 
KERNEL_DIR, make, make install.

> > I would like to part ways with Debian on the iptables package in the
> > interest of simplifying the build process and moving forward with some of
> > the new, very nice features available in modern kernels and userland
> > tools.  This would also allow us to close at least half the bugs filed
> > against the package.  Is there someone specific I should talk to about
> > this?  Should it be expressed as a spec or a bug report, or am I on the
> > right track?
>
> A good step would be to start a dialog with the Debian maintainer (CC'd),
> since exactly the same issues apply there.

Good call.  I'd like his opinion on this as well.  Just a by-the-way, I think 
the next step (after modernizing iptables) would be to start packaging some 
of the new userspace utilities from netfilter.org, such as conntrack (and its 
dependencies), which allows an administrator to manipulate the connection 
tracking table directly, the impossibility of which has long been a 
frustration for some of us firewall guys.

Rocco
