On Mon, Aug 18, 2003 at 11:02:12AM +0200, Marcel Pol wrote:
> On Fri, 15 Aug 2003 22:07:39 +0200
> Olav Vitters <[EMAIL PROTECTED]> wrote:
>
> > Most iptables functions work with a 2.6.x kernel. Some (REDIRECT,
> > MASQUERADE) do not. To fix this, 2.6.x kernels must have an iptables
> > which was compiled against a 2.6.x kernel. Iptables 1.2.8 does not
> > compile when /usr/src/linux points to a 2.6.x kernel. I've had to use
> > iptables from CVS (20030813) to make it compile and had to remove the
> > experimental stuff from the spec file.
>
> You shouldn't use a 2.6 kernel for a production firewall at this time. A few
> releases ago there were about 100 security patches waiting to be ported from
> 2.4 to 2.6.

I know, this is on my personal machine (Cooker, 2.6.x, etc). The firewall is an
extra layer of protection (others include binding to 127.0.0.1 and disabling
unneeded daemons).

> An option is to make an iptables_kernel_2.6 package in contrib, so people who
> still want to use it on 2.6 can do that. Would that make you happy?
> It will not be installable next to the 2.4 iptables because of file conflicts,
> but if you can live with that....

I wanted this documented for when Mandrake includes a 2.6.x in Cooker (next to
2.4). The contrib package sounds like a nice solution until Cooker includes 2.6.
At that time, something which chooses at runtime between iptables-24 and
iptables-26 would be needed (like the modutils/module-init-tools/autoconf/etc).
This allows easy switching between the kernels.

--
Regards,
Olav
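The runtime selection Olav proposes at the end, as an added example that is not part of the original mail thread: a small POSIX sh wrapper in the style of the module-init-tools dispatcher that picks iptables-24 or iptables-26 from the running kernel's version. The names iptables-24 and iptables-26 come from the mail; the /sbin install paths are an assumption.

```shell
#!/bin/sh
# Added example, not from the original mail: a dispatcher installed as
# /sbin/iptables (path is an assumption) that execs the iptables build
# compiled against the running kernel series, so a 2.4 build (iptables-24)
# and a 2.6 build (iptables-26) can coexist and firewall scripts keep
# calling plain "iptables".

# Map a kernel release string (as printed by `uname -r`, e.g. 2.6.0-test3)
# to the matching iptables variant. Prints the variant name; returns 1 for
# a kernel series that has no matching build, so the caller fails loudly
# instead of silently loading rules with the wrong binary.
pick_iptables_variant() {
    case "$1" in
        2.4.*) echo iptables-24 ;;
        2.6.*) echo iptables-26 ;;
        *)
            echo "iptables wrapper: no build for kernel $1" >&2
            return 1
            ;;
    esac
}

# Resolve the variant for the running kernel and exec it with the caller's
# arguments untouched, so rule syntax and exit status pass straight through.
run_iptables() {
    variant=$(pick_iptables_variant "$(uname -r)") || return 1
    exec "/sbin/$variant" "$@"
}

# Dispatch only when invoked under the wrapper name; when the file is
# sourced (e.g. for testing) the functions are merely defined.
case "${0##*/}" in
    iptables) run_iptables "$@" ;;
esac
```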