2.6.20 iptables nat Problem? - Networking

  1. 2.6.20 iptables nat Problem?


    Is anyone aware of the change that causes this problem ... I'm
    researching but I thought I'd ask in case it's a common "issue".

    I just compiled the new 2.6.20 kernel, doing an oldconfig with my old
    2.6.19 settings.

    On reboot the NAT module isn't available and all my iptables commands
    fail and my intranet isn't working.

    Anyone have a similar experience? Any solutions?

    Thanks in advance.
    --
    ------------------------------------------------
    http://www3.sympatico.ca/dmitton
    SPAM Reduction: Remove "x." from my domain.
    ------------------------------------------------

    --
    Posted via a free Usenet account from http://www.teranews.com


  2. Re: 2.6.20 iptables nat Problem?

    On Sun, 04 Feb 2007 23:13:26 -0500, Doug Mitton wrote:

    >
    >Is anyone aware of the change that causes this problem ... I'm
    >researching but I thought I'd ask in case it's a common "issue".
    >
    >I just compiled the new 2.6.20 kernel, doing an oldconfig with my old
    >2.6.19 settings.
    >
    >On reboot the NAT module isn't available and all my iptables commands
    >fail and my intranet isn't working.
    >
    >Anyone have a similar experience? Any solutions?


    Pay attention to the netfilter settings, I think there were some
    gratuitous option name changes.

    Grant.
    --
    http://bugsplatter.mine.nu/

  3. Re: 2.6.20 iptables nat Problem?

    Grant wrote:

    >On Sun, 04 Feb 2007 23:13:26 -0500, Doug Mitton wrote:
    >
    >>Is anyone aware of the change that causes this problem ... I'm
    >>researching but I thought I'd ask in case it's a common "issue".
    >>
    >>I just compiled the new 2.6.20 kernel, doing an oldconfig with my old
    >>2.6.19 settings.
    >>
    >>On reboot the NAT module isn't available and all my iptables commands
    >>fail and my intranet isn't working.
    >>
    >>Anyone have a similar experience? Any solutions?

    >
    >Pay attention to the netfilter settings, I think there were some
    >gratuitous option name changes.
    >
    >Grant.


    What a strange change to be making ... I think I've found all the
    hidden options, at least my .config looks like the recommended from
    the UseNet posts I can find.

    I'm just recompiling now, I'll see how it goes.

    Thanks for the pointer. It took many attempts to get the correct
    search stanza for a coherent result. It's surprising how few posts
    I've seen on this.

    --
    ------------------------------------------------
    http://www3.sympatico.ca/dmitton
    SPAM Reduction: Remove "x." from my domain.
    ------------------------------------------------



  4. Re: 2.6.20 iptables nat Problem?

    Doug Mitton wrote:

    >Grant wrote:
    >
    >>On Sun, 04 Feb 2007 23:13:26 -0500, Doug Mitton wrote:
    >>
    >>>Is anyone aware of the change that causes this problem ... I'm
    >>>researching but I thought I'd ask in case it's a common "issue".
    >>>
    >>>I just compiled the new 2.6.20 kernel, doing an oldconfig with my old
    >>>2.6.19 settings.
    >>>
    >>>On reboot the NAT module isn't available and all my iptables commands
    >>>fail and my intranet isn't working.
    >>>
    >>>Anyone have a similar experience? Any solutions?

    >>
    >>Pay attention to the netfilter settings, I think there were some
    >>gratuitous option name changes.
    >>
    >>Grant.

    >
    >What a strange change to be making ... I think I've found all the
    >hidden options, at least my .config looks like the recommended from
    >the UseNet posts I can find.
    >
    >I'm just recompiling now, I'll see how it goes.
    >
    >Thanks for the pointer. It took many attempts to get the correct
    >search stanza for a coherent result. It's surprising how few posts
    >I've seen on this.


    Well, the new configuration worked. It took some poking around but I
    finally made the .config look like the one posted here:

    http://groups.google.com/group/fa.li...c96d11c364c850

    Go back about 4 responses in this thread (to Sun, Jan 21, 2007 at
    11:48:07AM -0500)

    Hope this helps someone else!

    --
    ------------------------------------------------
    http://www3.sympatico.ca/dmitton
    SPAM Reduction: Remove "x." from my domain.
    ------------------------------------------------



  5. Re: 2.6.20 iptables nat Problem?

    Hello,

    Grant wrote:
    >
    > Pay attention to the netfilter settings, I think there were some
    > gratuitous option name changes.


    "Gratuitous"?
    Linux 2.6.20 offers two mutually-exclusive connection tracking and NAT
    frameworks:
    - the old legacy IPv4-only ip_conntrack/ip_nat;
    - the new layer 3 independent nf_conntrack/nf_nat, which supports IPv6.

    So I guess separate option names are needed for each framework.

    The new nf_conntrack framework was introduced in Linux 2.6.15 but may
    have remained rather unnoticed because it lacked support for NAT and
    connection tracking for many "special" protocols (PPTP, H.323, IRC DCC,
    SIP...) until Linux 2.6.20, so the old ip_conntrack was still the
    default. Now that the new nf_conntrack/nf_nat framework is "complete", it
    will eventually replace the old ip_conntrack.

  6. Re: 2.6.20 iptables nat Problem?

    Pascal Hambourg wrote:

    >Hello,
    >
    >Grant wrote:
    >>
    >> Pay attention to the netfilter settings, I think there were some
    >> gratuitous option name changes.

    >
    >"Gratuitous"?
    >Linux 2.6.20 offers two mutually-exclusive connection tracking and NAT
    >frameworks:
    >- the old legacy IPv4-only ip_conntrack/ip_nat;
    >- the new layer 3 independent nf_conntrack/nf_nat, which supports IPv6.
    >
    >So I guess separate option names are needed for each framework.
    >
    >The new nf_conntrack framework was introduced in Linux 2.6.15 but may
    >have remained rather unnoticed because it lacked support for NAT and
    >connection tracking for many "special" protocols (PPTP, H.323, IRC DCC,
    >SIP...) until Linux 2.6.20, so the old ip_conntrack was still the
    >default. Now that the new nf_conntrack/nf_nat framework is "complete", it
    >will eventually replace the old ip_conntrack.


    There are some days I wish we could go back to the "old" stable vs
    development code streams. A change like this one could mean some BIG
    configuration changes to an installed system.

    I've always tried to keep updated to the current stable kernel but
    this is making it a little more difficult if you're not a developer
    ... and up-to-date on the changes.

    Thanks for the explanation.

    --
    ------------------------------------------------
    http://www3.sympatico.ca/dmitton
    SPAM Reduction: Remove "x." from my domain.
    ------------------------------------------------



  7. Re: 2.6.20 iptables nat Problem?

    Pascal Hambourg wrote:

    >Hello,
    >
    >Grant wrote:
    >>
    >> Pay attention to the netfilter settings, I think there were some
    >> gratuitous option name changes.

    >
    >"Gratuitous"?
    >Linux 2.6.20 offers two mutually-exclusive connection tracking and NAT
    >frameworks:
    >- the old legacy IPv4-only ip_conntrack/ip_nat;
    >- the new layer 3 independent nf_conntrack/nf_nat, which supports IPv6.
    >
    >So I guess separate option names are needed for each framework.
    >
    >The new nf_conntrack framework was introduced in Linux 2.6.15 but may
    >have remained rather unnoticed because it lacked support for NAT and
    >connection tracking for many "special" protocols (PPTP, H.323, IRC DCC,
    >SIP...) until Linux 2.6.20, so the old ip_conntrack was still the
    >default. Now that the new nf_conntrack/nf_nat framework is "complete", it
    >will eventually replace the old ip_conntrack.


    Do you know of any "official" URLs that discuss this change and what
    changes must be made to firewall rules to use the new framework?

    I want to start migrating my scripts to the new system.

    Thanks!
    --
    ------------------------------------------------
    http://www3.sympatico.ca/dmitton
    SPAM Reduction: Remove "x." from my domain.
    ------------------------------------------------



  8. Re: 2.6.20 iptables nat Problem?

    Doug Mitton wrote:
    >
    > Do you know of any "official" URLs that discuss this change and what
    > changes must be made to firewall rules to use the new framework?


    No, and AFAIK there are no userland changes. Some module names change
    (for instance ip_conntrack_xx becomes nf_conntrack_xx) but aliases with
    the old names have been defined, so the transition to nf_conntrack
    should be transparent for most iptables rulesets.
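
Added example, not part of any post in this thread and not kernel project code: the script below reports which of the two frameworks described in post 5 provides NAT in a given kernel .config, and applies the ip_conntrack_xx to nf_conntrack_xx prefix renaming from the last post. The CONFIG_ option names are assumed from the 2.6.20 Kconfig files (the thread does not quote them), and the sample .config is constructed.

```shell
# Added example: classify the conntrack/NAT framework selected by a kernel .config.
# Option names are assumed from the 2.6.20 Kconfig files; the thread does not list them.

# opt_on FILE OPTION: succeeds if OPTION is built in (=y) or modular (=m)
opt_on() { grep -Eq "^CONFIG_$2=[ym]\$" "$1"; }

# nat_framework FILE: prints nf_nat, ip_nat, or a "none: ..." diagnosis
nat_framework() {
    cfg=$1
    if opt_on "$cfg" NF_CONNTRACK_IPV4 && opt_on "$cfg" NF_NAT; then
        echo nf_nat
    elif opt_on "$cfg" IP_NF_CONNTRACK && opt_on "$cfg" IP_NF_NAT; then
        echo ip_nat
    elif opt_on "$cfg" NF_CONNTRACK_IPV4; then
        # New conntrack selected, but its NAT counterpart was never enabled
        echo "none: nf_conntrack without NF_NAT"
    elif opt_on "$cfg" IP_NF_CONNTRACK; then
        echo "none: ip_conntrack without IP_NF_NAT"
    else
        echo "none: no IPv4 connection tracking"
    fi
}

# nf_module_name NAME: apply the prefix renaming to a legacy module name
nf_module_name() {
    case $1 in
        ip_conntrack*) echo "nf_conntrack${1#ip_conntrack}" ;;
        ip_nat*)       echo "nf_nat${1#ip_nat}" ;;
        *)             echo "$1" ;;
    esac
}

# Constructed .config fragment: one way to end up with conntrack but no NAT
sample_config() {
    cat <<'EOF'
CONFIG_NF_CONNTRACK_SUPPORT=y
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_IPTABLES=m
# CONFIG_NF_NAT is not set
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
echo "sample .config: $(nat_framework "$tmp")"
echo "ip_conntrack_ftp -> $(nf_module_name ip_conntrack_ftp)"
rm -f "$tmp"
```

Running `nat_framework` against the real .config before rebooting into a rebuilt kernel catches a missing NAT option while the old kernel is still in place.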
