On Wed, 2007-02-07 at 11:33 -0600, Randy McMurchy wrote:
> Andrew Beverley wrote these words on 02/07/07 11:19 CST:
> 
> >> For example, one test looks for $KERNEL_DIR/net, while other tests
> >> look for $KERNEL_DIR/include/linux/...
> >>
> >> Which means in order to work, there would have to be a /usr/net
> >> dir, which will never happen in a sanitized header installation.
> > 
> > Hmmm, what's the 'official' solution then that iptables should be using?
> > If iptables needs those particular headers should they be included in
> > the iptables source?
> 
> Dunno. Cross-LFS and Paldo don't do anything different than us building
> Iptables. I suppose that we could look at other distros and what they
> are doing.

Just checked on my SLED laptop and neither connbytes nor netlink are
included, but then I assume there's no requirement on a desktop.

> It sure would be nice if we could identify what those extra modules
> and extensions *do*, and why almost everyone else's Iptables installation
> seems okay without them (at least there have been no reports of breakage
> or folks needing them).

I guess they're fairly specialist. You wouldn't use them in a
'bog-standard' firewall. I use them for some advanced traffic shaping
(such as MARKing large downloads) but I'm not sure what other people use
them for.

I think they're awesome tools and might be used more, but setting up
decent traffic shaping is pretty hard work (not just lots of patching
but also difficult rules to write).

Just as an example, I have a 1 Mbit connection shared between 70 users.
The comments I've had are that it's 'very fast'. I know other people who
struggle sharing that size connection with 10 people! Just goes to show
that throwing bandwidth at a problem is not always the solution.

Andy


-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
